Is Third-Party Software Leaving You Vulnerable to Cyberattacks?

The SolarWinds hack highlights the importance of vetting your vendors.

by

and

Keri Pearlson

by

and

Keri Pearlson

May 13, 2021

Jorg Greuel/ Getty Images

Summary.

When companies buy software, they tend to assume it’s secure — but they shouldn’t. Vulnerabilities in the digital supply chain are the responsibility of both developers, vendors, and customers, but right now cybersecurity isn’t a priority for either party. There are two key miscalculations that are bound up in this: First, that cybersecurity does not directly contribute to revenue and second, that cybersecurity is a feature that can easily be added on later in the project as necessary. Leaders can address this by making security a selling (or buying) point, using security to motivate developers, teaching their developers about security risks, and helping vendors prioritize security.

When companies buy digital products, they expect them to be secure. In most cases, they don’t test for vulnerabilities down the digital supply chain — and don’t even have adequate processes or tools to do so. Hackers have taken note, and incidents of supply chain cyber-attacks, which exploit weaknesses within the digital supply chain to break into organizations’ internal networks, are on the rise. As a result, there have been many headline incidents that not only bring shame to the companies involved, but rachet up the visibility of these threats to top executives who want to know their offerings are secure.

New!

HBR Learning

Digital Intelligence Course

Accelerate your career with Harvard ManageMentor®. HBR Learning’s online leadership training helps you hone your skills with courses like Digital Intelligence . Earn badges to share on LinkedIn and your resume. Access more than 40 courses trusted by Fortune 500 companies.

Excel in a world that's being continually transformed by technology.

Start Course

Learn More & See All Courses

KH

Keman Huang is an Associate Professor at the Renmin University of China and a Research Affiliate at the MIT Sloan School of Management, where he works on cybersecurity management and strategy, innovation ecosystems, and big data analysis.
Stuart Madnick is the John Norris Maguire (1960) Professor of Information Technologies in the MIT Sloan School of Management, Professor of Engineering Systems in the MIT School of Engineering, and Director of Cybersecurity at MIT Sloan (CAMS): the Interdisciplinary Consortium for Improving Critical Infrastructure Cybersecurity. He has been active in the cybersecurity field since co-authoring the book Computer Security in 1979.
KP

Keri Pearlson is the executive director of the research consortium Cybersecurity at MIT Sloan (CAMS). Her research investigates organizational, strategic, management, and leadership issues in cybersecurity. Her current focus is on the board’s role in cybersecurity.

New!

HBR Learning

Digital Intelligence Course

Accelerate your career with Harvard ManageMentor®. HBR Learning’s online leadership training helps you hone your skills with courses like Digital Intelligence . Earn badges to share on LinkedIn and your resume. Access more than 40 courses trusted by Fortune 500 companies.

Excel in a world that's being continually transformed by technology.

Start Course

Learn More & See All Courses

Is Third-Party Software Leaving You Vulnerable to Cyberattacks?

Partner Center

Explore HBR

HBR Store

About HBR

Manage My Account

Follow HBR