Bad outsourcing decisions cause 63% of data breaches

Bad outsourcing decisions cause nearly two-thirds of data breaches investigated by security firm Trustwave in the past year.

According to the 2013 Trustwave Global Security Report on 450 global data breach investigations, 63% were linked to a third-party component of IT system administration.

These investigations revealed that a third party responsible for IT system support, development or maintenance had introduced security deficiencies easily exploited by hackers.

“We are not saying outsourcing is inherently bad, but organisations that do get breached have probably made some bad outsourcing decisions,” said John Yeo, Trustwave's European director.

Typically, organisations do not price in the security risks when making outsourcing decisions, nor do they build security into their procurement processes, he told Computer Weekly.

“Organisations are too quick to fight up the cost savings of outsourcing, but don’t really have an appreciation of what security risks that may introduce,” he said.

Yeo said organisations that are being breached are typically not diligent enough in determining whether the third parties they are looking to work with will treat data security as seriously as they would themselves.

Another problem, he said, is that it is very rare for those responsible for IT security within an organisation to be involved in the procurement process.

“The third-party evaluation process tends to be focused on costs and service level agreements (SLAs), without security being a real consideration,” said Yeo.

Security needs to be more involved in procurement, particularly in defining what requests for proposals look like to ensure some security elements are included in the evaluation process, he said.

Even in organisations where security already has some involvement in the procurement process, it is rare for the responses from outsourcing firms to be validated in any way.

Asking the right questions is an important start, he said, but that is worthless unless it is followed up with a process to gather real evidence to validate security claims made in response to those questions.

“It is important to ensure that security checking is more than just a paper-based exercise, and that there is not too much trust extended with respect to how a third party is going to deal with data security,” said Yeo.

In January, a study by Trustwave revealed that about half of FTSE 100 companies made some reference to cyber risks or the risks associated with data loss in the section about principal risks and uncertainties in their annual reports.

“In theory, some larger organisations do have some board-level acknowledgement of cyber risk, but the problem is that this is not necessarily trickling down to things like procurement,” said Yeo.

He believes that security as a function is still often seen as a roadblock, when it is in fact a business enabler: a breach will cause a far bigger headache than adding an extra week to the procurement process.

“We are typically seeing a lack of operationalisation of information security; it is paid a certain degree of lip service, but that is not really affecting the behaviour of other departments in the business, nor is there a solid appreciation of the risks certain decisions may have on information security,” said Yeo.

According to the report, the majority of merchants Trustwave worked with this year relied heavily on third parties because they did not have the knowledge required to set up and operate their own systems.

In most cases, these merchants completely trusted those service providers to maintain security, but the service providers were either naïve about security requirements and attack methods or they were wilfully ignoring them due to cost or inconvenience, the report said.

The report recommends that small e-commerce merchants should look for third-party verification that these service providers are both trustworthy and knowledgeable about security measures.

In the payment card space, all service providers should be asked to provide assurance of PCI DSS (payment card industry data security standard) compliance from a Qualified Security Assessor (QSA), the report said.

The report warns that outsourcing IT and business systems saves money only if there is no attack.

"Many third-party suppliers leave the door open for attack, as they don’t necessarily keep client security interests top of mind,” the report said.

Businesses need to understand the risk their suppliers may introduce, the report said, and work proactively to decrease that risk.


Can I print this article on a huge posterboard and put it in front of our CIO and BOD?


Companies ruined or almost ruined by imported Indian labor

Adaptec - Indian CEO Subramanian Sundaresh fired.
AIG (signed outsourcing deal in 2007 in Europe with Accenture Indian frauds, collapsed in 2009)
AirBus (Qantas plane plunged 650 feet injuring passengers when its computer system written by India disengaged the auto-pilot).
Apple - R&D CLOSED in India in 2006.
Australia's National Australia Bank (Outsourced jobs to India in 2007, nationwide ATM and account failure in late 2010).
Bell Labs (Arun Netravalli took over, closed, turned into a shopping mall)
Boeing Dreamliner ES software (written by HCL, banned by FAA)
Bristol-Myers-Squibb (Trade Secrets and documents stolen in U.S. by Indian national guest worker)
- Startup run by Indian CEO, French director of dev, Chinese tech lead.
Closed after 5 years of sucking VC out of America.
Caterpillar misses earnings a mere 4 months after outsourcing to India, Inc.
Circuit City - Outsourced all IT to Indian-run IBM and went bankrupt shortly thereafter.
crew system run by 100% Indian IT workers caused the 12/25/05 U.S.
airport shutdown when they used a short int instead of a long int
Computer Associates - Former CEO Sanjay Kumar, an Indian national, sentenced to 12 years in federal prison for accounting fraud.
- 2010 - this Indian-packed consulting company is being sued under RICO
fraud charges by Marin County, California for a failed solution.
Dell - call center (closed in India)
Delta call centers (closed in India)
Fannie Mae - Hired large numbers of Indians, had to be bailed out. Indian logic bomb creator found guilty and sent to prison.
GM - Was booming in 2006, signed $300 million outsourcing deal with Wipro that same year, went bankrupt 3 years later
- Got out of the PC hardware business in 2011 and can't compete with
Apple's tablets. HP was taken over by Indians and Chinese in 2001. So
much for 'Asian' talent!
HSBC ATMs (software taken over by Indians, failed in 2006)
Intel Whitefield processor project (cancelled, Indian staff canned)
Airways computer failure brings down Christchurch airport on 9/17/11.
Jetstar is owned by Qantas - which is known to have outsourced to India,
Lehman (Spectramind software bought by Wipro, ruined, trashed by Indian programmers)
Medicare - Defrauded by Indian national doctor Arun Sharma & wife in the U.S.
Microsoft - Employs over 35,000 H-1Bs. Stock used to be $100. Today it's lucky to be over $25. Not to mention that Vista thing.
MIT Media Lab Asia (canceled)
- A startup founded and run by Indian national Apar Kothari went belly
up after throwing millions of America's VC $ down the drain.
PeopleSoft (Taken over by Indians in 2000, collapsed).
PepsiCo - Slides from #1 to #3 during Indian CEO Indra Nooyi's watch.
Polycom - Former senior executive Sunil Bhalla charged with insider trading.
Qantas - See AirBus above
Quark (Alukah Kamar CEO, fired, lost 60% of its customers to Adobe because Indian-written QuarkExpress 6 was a failure)
Royce (Sent aircraft engine work to India in 2006, engines delayed for
Boeing 787, and failed on at least 2 Qantas planes in 2010, cost Rolls
SAP - Same as Deloitte above in 2010.
Singapore airlines (IT functions taken over in 2009 by TCS, website trashed in August, 2011)
Skype (Madhu Yarlagadda fired)
State of Indiana $867 million FAILED IBM project, IBM being sued
State of Texas failed IBM project.
Sun Micro (Taken over by Indian and Chinese workers in 2001, collapsed, had to be sold off to Oracle).
UK's NHS outsourced numerous jobs including health records to India in mid-2000 resulting in $26 billion over budget.
Union Bank of California - Cancelled Finacle project run by India's InfoSys in 2011.
United - call center (closed in India)
Victorian Order of Nurses, Canada (Payroll system screwed up by SAP/IBM in mid-2011)
Virgin Atlantic (software written in India caused cloud IT failure)
World Bank (Indian fraudsters BANNED for 3 years because they stole data).


You've missed 2 important ones which occurred last year.

Royal Bank of Scotland overnight batch process is outsourced to India. Accounts at RBS, Nat West and Allied Irish Bank fail to process overnight credits for up to a week.

G4S Olympic bid: They outsourced the scheduling software to a subsidiary in India - when their complete failure to deliver becomes apparent the government replaces them at the 11th hour and uses the army for security.


Ah yes, I remember those 2. Thanks for reminding me. I'll add them to the list. Which keeps growing, and growing, and growing.......


I agree with what John Yeo said. Outsourcing is not bad at all. You just have to find the right people for your job to avoid problems like data breaches. It is just a matter of knowing the company that would provide the outsourcing service to the company.

-Alex Jones