Bad outsourcing decisions
According to the 2013 Trustwave Global Security Report on 450 global data breach investigations, 63% were linked to a third-party component of IT system administration.
These investigations revealed that a third party responsible for IT system support, development or maintenance had introduced security deficiencies easily exploited by hackers.
“We are not saying outsourcing is inherently bad, but organisations that do get breached have probably made some bad outsourcing decisions,” said John Yeo, Trustwave's European director.
Typically, organisations do not price in the security risks when making outsourcing decisions, or build security into their procurement processes, he told Computer Weekly.
“Organisations are too quick to fight up the cost savings of outsourcing, but don’t really have an appreciation of what security risks that may introduce,” he said.
Yeo said organisations that are being breached are typically not diligent enough in determining whether the third parties they are looking to work with will treat data security as seriously as they would themselves.
Another problem, he said, is that it is very rare for those responsible for IT security within an organisation to be involved in the procurement process.
“The third-party evaluation process tends to be focused on costs and service level agreements (SLAs), without security being a real consideration,” said Yeo.
Security needs to be more involved in procurement, particularly in defining what requests for proposals look like to ensure some security elements are included in the evaluation process, he said.
However, in organisations where there is already some involvement of security in the procurement process, it is rare that there is any kind of validation of responses from the outsourcing firms.
Asking the right questions is an important start, he said, but that is worthless unless it is followed up with a process to gather real evidence to validate security claims made in response to those questions.
“It is important to ensure that security checking is more than just a paper-based exercise, and that there is not too much trust extended with respect to how a third party is going to deal with data security,” said Yeo.
In January, a study by Trustwave revealed that about half of FTSE 100 companies made some reference to cyber risks or the risks associated with data loss in the section about principal risks and uncertainties in their annual reports.
“In theory, some larger organisations do have some board-level acknowledgement of cyber risk, but the problem is that this is not necessarily trickling down to things like procurement,” said Yeo.
He believes that security as a function is still often seen as a roadblock, when it is effectively a business enabler, because if there is a breach, it will cause a bigger headache than adding an extra week to the procurement process.
“We are typically seeing a lack of operationalisation of information security; it is paid a certain degree of lip service, but that is not really affecting the behaviour of other departments in the business, nor is there a solid appreciation of the risks certain decisions may have on information security,” said Yeo.
According to the report, the majority of merchants Trustwave worked with this year relied heavily on third parties because they did not have the knowledge required to set up and operate their own systems.
In most cases, these merchants completely trusted those service providers to maintain security, but the service providers were either naïve about security requirements and attack methods or they were wilfully ignoring them due to cost or inconvenience, the report said.
The report recommends that small e-commerce merchants should look for third-party verification that these service providers are both trustworthy and knowledgeable about security measures.
In the payment card space, all service providers should be asked to provide assurance of PCI DSS (payment card industry data security standard) compliance from a Qualified Security Assessor (QSA), the report said.
The report warns that outsourcing IT and business systems saves money only if there is no attack.
“Many third-party suppliers leave the door open for attack, as they don’t necessarily keep client security interests top of mind,” the report said.
Businesses need to understand the risk their suppliers may introduce, the report said, and work proactively to decrease that risk.