A global testing programme that revealed 63% of security breaches are linked to services provided by third parties should serve as a warning to businesses that security must be prioritised when outsourcing.
But with cost-cutting opportunities still the main reason that businesses outsource IT functions, security is often overlooked, according to the 2013 Trustwave Global Security Report on 450 global data breach investigations. The report revealed that 63% of data breaches were linked to a third-party component of IT system administration.
The report, based on the investigation of 450 data breaches last year, said the problem is partly that organisations do not price in the security risks when making outsourcing decisions, and do not build security into their procurement processes.
Trustwave said outsourcing is not inherently bad, but organisations that do get breached have probably made some bad outsourcing decisions: they are often too quick to chase the cost savings of outsourcing without appreciating the security risks it may introduce.
The supplier on sophisticated security
Sean Finnan, former senior executive at EDS and IBM Global Services, expressed astonishment at the 63% figure. “I am very suspicious of that figure because it does not reflect my experiences with EDS, HP or IBM. Such companies have high levels of sophisticated security in place,” he said.
Finnan said perhaps the high figure reflects the fact that businesses are more likely to be able to identify and report attacks if they work with a partner with experience.
Whether or not the figures are realistic, the report should act as a reminder to businesses not to overlook security.
The lawyer on security provision in outsourcing contracts
John Worthy, technology partner at law firm Field Fisher Waterhouse, said businesses must ensure that security is built into any IT outsourcing contract, with provision for changing the contract to reflect changes in technology and potential new risks.
“There should also be provision for the customer to monitor the security and it should be included in the regular updates,” he said.
Businesses must also check that contracts are flexible enough to ensure the service provider has a strategy for dealing with breaches if and when they happen.
When outsourcing, businesses need to ensure that there are robust plans in place to deal with security breaches, said Worthy.
The consultant on getting independent advice
Beyond the contributions of the in-house team, the service provider and the lawyer, it is essential to have another, independent expert look at security and the potential risks an outsourcing agreement might bring.
Security breaches can cause costly downtime for a business, while insufficient security can also mean a company is failing to meet regulations.
With this in mind, Steve Tuppen, director of outsourcing consultancy Mozaic, said it is essential for businesses that outsource to have a second set of eyes look at security separately. “You need a company independent of the main service provider to look at the security.”
In many contracts, the supplier providing the service will also be responsible for overseeing security, which he said is a mistake. “It is not a good idea to have the party delivering the solution also checking out the security provision,” said Tuppen.