Bad outsourcing decisions cause 63% of data breaches
According to the 2013 Trustwave Global Security Report on 450 global data breach investigations, 63% were linked to third-party IT system administration, support, development and maintenance that had security deficiencies easily exploited by hackers.
“We are not saying outsourcing is inherently bad, but organisations that do get breached have probably made some bad outsourcing decisions,” said John Yeo, Trustwave's European director.
Typically, organisations do not price in the security risks when making outsourcing decisions or build security into their procurement processes, he told Computer Weekly.
Yeo saw two key problems that could increase exposure to such risks. Firstly, many organisations assume, rather than specifically ask, whether third parties have the same security diligence as they do.
Yeo said organisations that are being breached are typically not diligent enough in determining whether the third parties they are looking to work with will treat data security as seriously as they would themselves.
“The third-party evaluation process tends to be focused on costs and service level agreements (SLAs), without security being a real consideration,” said Yeo.
Secondly, it is very rare for those responsible for IT security within an organisation to be involved in the procurement process. Furthermore, in organisations where security is already involved to some degree in the procurement process, it is rare that there is any kind of validation of the responses from the outsourcing firms.
“It is important to ensure that security checking is more than just a paper-based exercise, and that there is not too much trust extended with respect to how a third party is going to deal with data security,” said Yeo.
Another study by Trustwave published last month revealed that about half of FTSE 100 companies made some reference to cyber risks or the risks associated with data loss in the section about principal risks and uncertainties in their annual reports.
“In theory, some larger organisations do have some board-level acknowledgement of cyber risk, but the problem is that this is not necessarily trickling down to things like procurement,” said Yeo.
In other words, security as a function is still often seen as a roadblock, when it is effectively a business enabler, because if there is a breach, it will cause a bigger headache than adding an extra week to the procurement process.
“We are typically seeing a lack of operationalization of information security; it is paid a certain degree of lip service, but that is not really affecting the behaviour of other departments in the business, nor is there a solid appreciation of the risks certain decisions may have on information security,” said Yeo.
According to the report, the majority of merchants relied heavily on third parties because they did not have the knowledge required to set up and operate their own systems. In most cases, these merchants completely trusted those service providers to maintain security, but the service providers were either naïve about security requirements and attack methods or they were wilfully ignoring them due to cost or inconvenience, the report said.
“Many third-party suppliers leave the door open for attack, as they don’t necessarily keep client security interests top of mind,” the report said.
In the payment card space, all service providers should be asked to provide assurance of PCI DSS (payment card industry data security standard) compliance from a Qualified Security Assessor (QSA), the report said.
The report warns that outsourcing IT and business systems saves money only if there is no attack.
In conclusion, businesses need to understand the risk their suppliers may introduce, the report said, and work proactively to decrease that risk. In particular, small e-commerce merchants should look for third-party verification that these service providers are both trustworthy and knowledgeable about security measures.