Best practices can help businesses mitigate growing vendor and third-party cybersecurity risk


Technological advances over the last decade have benefitted myriad market sectors, including construction project owners in both the public and private sectors. Threats to the safe, secure use of technology have evolved just as quickly.

Cyber-attackers are becoming increasingly sophisticated, moving from one industry to another as businesses and entire markets assess and shore up their vulnerabilities. Cyber-attackers also are constantly changing their tactics as new vulnerabilities arise. When one route of access is blocked, they look for others.

In recent years, cyber-attackers have begun targeting vendors and third parties that public and private owners rely upon to operate and serve their customers or stakeholders. Cyber-attackers have preyed upon vendors’ cyber weaknesses to gain access to the systems of hospitals, banks and financial services firms, major retailers, utilities, transportation systems and water treatment plants and other critical infrastructure.

While technology has played a central role in owners’ success, it also has opened new areas of risk, especially when owners use outside vendors or third parties to perform certain functions or manage certain systems. And, while some owners’ security controls may be well hardened, those of their vendors may be more easily breached, leaving owners scrambling to find ways to simultaneously embrace technological innovation while ensuring that doing so doesn’t expose them to new, unanticipated risks. It’s a balancing act that isn’t easy, but is achievable through careful planning, objective monitoring, and diligent management.

Businesses must navigate a complex web of commercial, technological, skills and resource challenges – among many others – to manage risk. In one particular sphere, both complexity and risk have risen to business-critical levels. The cyber threat landscape and risks arising to corporations’ most critical data, systems, and business processes are more ominous than ever. Recent attacks are unprecedented in sophistication and reach, as an increasing number of high-profile breaches are showing.

About the Author

Michael Corcione is a Partner at HKA Global, Inc., which provides multi-disciplinary risk mitigation and dispute resolution services to clients worldwide. Mr. Corcione has more than 30 years of experience in advising companies and boards of directors on technology, cybersecurity and privacy and risk management strategies. Over the past decade, he has led the delivery of Virtual Chief Information Security Officer (vCISO) services for advisory firms, which provide a CISO, along with cyber, privacy, and information security subject-matter experts, to organizations of all sizes and verticals. He is a member of the cybersecurity advisory board at Pace University, and a member of the Board of Trustees of the American Management Association International.

This publication presents the views, thoughts or opinions of the author and not necessarily those of HKA. Whilst we take every care to ensure the accuracy of this information at the time of publication, the content is not intended to deal with all aspects of the subject referred to, should not be relied upon and does not constitute advice of any kind. This publication is protected by copyright © 2024 HKA Global Ltd.


Follow HKA on WeChat


HKA WeChat