A lesson to be drawn from my feature, published Friday, on Google’s Project Zero, the search giant’s elite computer bug hunting squad, is: You can do everything in your power to make sure your digital defenses are up to snuff, but that’s not going to help if a key partner is vulnerable. Attackers tend to aim for the weak link.
Google (GOOG) learned this the hard way when hackers associated with the Chinese government breached its systems in 2009 through a hole in Microsoft Internet Explorer 6. For Google executives, the intrusion provided groundwork that eventually helped justify the creation of an internal unit devoted to scouring the web for flaws in other companies’ code and demanding they be fixed. Since Project Zero’s founding in 2014, the team has shepherded along a slew of security improvements in non-Google products, albeit not without occasionally clashing with the company’s biggest rivals, such as Microsoft (MSFT), Apple (AAPL), and others. (You can read more about the bug-squashing SWAT team’s trials and travails here.)
For more on bug hunting, watch:
This notion of the perils of tightly knit networks was on my mind Thursday while moderating a panel on third party risk for the New York information security meetup group. Eric Olson, vice president of intelligence operations at the cybersecurity firm LookingGlass, said he was amazed to see recognition of this bubbling up into public consciousness lately. He cited a recent story in Variety about how hackers had targeted a Hollywood post-production studio to get their hands on Netflix episodes for leaking. Netflix (NFLX) may take security seriously, but if its partners do not, then its efforts may as well be for naught.
Get Data Sheet, Fortune’s technology newsletter, where this essay originated
Another panelist, Shaun Belders, head of Bloomberg’s vendor risk assessment program, mentioned that enacting preventative measures can get tricky even within an organization. He shared an anecdote about how he once was placed in the uncomfortable position of having to inform his boss, Michael Bloomberg, that he did not have access to certain company data due to strict corporate firewall policies. In the interest of cybersecurity, sometimes even the CEO gets locked out.
The lesson is simple: Businesses shouldn’t leave security to chance. In the presence of escalating digital threats against consumers and corporations—expertly detailed in “Hacked,” Fortune’s July cover story—perhaps more defenders should take a cue from Project Zero. Go on the offensive. Even if it means holding peers, partners, and bosses to the strictest standards.
