In the course of my business, I frequently ask IT service providers questions about their information security practices, either as part of a third-party review, or as due diligence before a vendor selection. I have developed a reputation for asking blunt questions, and really dissecting the answers I get. I frequently find that these answers gloss over significant security exposures, some of which can have a material impact on the customer. 

A case in point this week was one of my customers who has a website and secure portal provided by a vendor that offers hosting services to a particular industry. Based on concerns expressed by someone who had visited my customer’s website, I performed a vulnerability scan, and got back a rather long list of identified issues. At my request, the customer sent the list off to the provider, who reviewed the list and responded a few days later. 

Source: COMPUTER WORLD