By Robert Hackett
June 24, 2017

A lesson to be drawn from my feature, published Friday, on Google’s Project Zero, the search giant’s elite computer bug hunting squad, is: You can do everything in your power to make sure your digital defenses are up to snuff, but that’s not going to help if a key partner is vulnerable. Attackers tend to aim for the weak link.

Google learned this the hard way when hackers associated with the Chinese government breached its systems in 2009 through a hole in Microsoft Internet Explorer 6. For Google executives, the intrusion provided groundwork that eventually helped justify the creation of an internal unit devoted to scouring the web for flaws in other companies’ code and demanding they be fixed. Since Project Zero’s founding in 2014, the team has shepherded along a slew of security improvements in non-Google products, albeit not without occasionally clashing with the company’s biggest rivals, such as Microsoft, Apple, and others. (You can read more about the bug-squashing SWAT team’s trials and travails here.)

This notion of the perils of tightly knit networks was on my mind Thursday while moderating a panel on third-party risk for the New York information security meetup group. Eric Olson, vice president of intelligence operations at the cybersecurity firm LookingGlass, said he was amazed to see recognition of this bubbling up into public consciousness lately. He cited a recent story in Variety about how hackers had targeted a Hollywood post-production studio to get their hands on Netflix episodes for leaking. Netflix may take security seriously, but if its partners do not, then its efforts may as well be for naught.

Another panelist, Shaun Belders, head of Bloomberg’s vendor risk assessment program, mentioned that enacting preventative measures can get tricky even within an organization. He shared an anecdote about how he once was placed in the uncomfortable position of having to inform his boss, Michael Bloomberg, that he did not have access to certain company data due to strict corporate firewall policies. In the interest of cybersecurity, sometimes even the CEO gets locked out.

The lesson is simple: Businesses shouldn’t leave security to chance. In the presence of escalating digital threats against consumers and corporations—expertly detailed in “Hacked,” Fortune’s July cover story—perhaps more defenders should take a cue from Project Zero. Go on the offensive. Even if it means holding peers, partners, and bosses to the strictest standards.

Robert Hackett

@rhhackett

robert.hackett@fortune.com

Welcome to the Cyber Saturday edition of Data Sheet, Fortune’s daily tech newsletter. Fortune reporter Robert Hackett here. You may reach me via Twitter, Cryptocat, Jabber (see OTR fingerprint on my about.me), PGP encrypted email (see public key on my Keybase.io), Wickr, Signal, or however you (securely) prefer. Feedback welcome.
