Outsourcing does not mean offloading IT risk

By Tony Campbell

[Blog post] You are responsible for your security.

Newsflash: the data of hundreds of thousands of Australians has been exposed online due to a lack of basic cyber security hygiene.


Does this sound familiar? It should, because it's what happened last week when Capgemini placed database backups from Michael Page’s website on a publicly accessible server, and it's also how the Red Cross Blood Service suffered its own data leak just a few weeks ago.

The common thread that ties these two incidents together - apart from the extremely ill-advised decision to put sensitive data on a publicly exposed web server - is a misstep by a contractor that should have known better.

If you are charged with looking after an organisation's technology, then part of what you are paid for is the due diligence and assurance that its data is being looked after.

The issue with Michael Page’s website was that a backup copy of a customer database was exposed on a development server: a complete lack of adherence to basic good practice on the part of Capgemini.

You would expect the same security policies that apply to the database in production to apply in development when the same classification of data is being handled, yet it appears this was not the case. That points to a systemic failure of Capgemini's information security management system and secure development practices, not a one-off slip.
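The kind of check a team could run against a development web root before it is reachable from the internet, as an added example and not code from this post, Capgemini or Michael Page: it walks the tree, flags files whose name or leading bytes mark them as database dumps or backup archives, and reports whether each is world-readable. The directory layout, file names and file contents are constructed for the demonstration; the dump signatures are the headers written by mysqldump, pg_dump and SQLite. A scan like this only finds what is already there; the control the post is arguing for is not copying production data into development in the first place.

```python
"""Audit a web root for database dumps and backup archives that should never
be served.  Added example for this post, not code from the article, Capgemini
or Michael Page; the directory layout and file contents below are constructed."""
import os
import stat
import tempfile
from pathlib import Path

# Extensions and name fragments that usually indicate an export or backup.
BACKUP_SUFFIXES = (".sql", ".sql.gz", ".bak", ".dump", ".sqlite", ".sqlite3")
BACKUP_NAME_HINTS = ("backup", "dump", "export")

# Leading bytes written by common dump tools; this catches renamed files.
DUMP_MAGIC = (
    b"-- MySQL dump",
    b"--\n-- PostgreSQL database dump",
    b"SQLite format 3\x00",
)


def is_suspicious_name(path: Path) -> bool:
    name = path.name.lower()
    return name.endswith(BACKUP_SUFFIXES) or any(h in name for h in BACKUP_NAME_HINTS)


def looks_like_dump(path: Path) -> bool:
    """Content check: sniff the first bytes instead of trusting the name."""
    try:
        with path.open("rb") as fh:
            head = fh.read(64)
    except OSError:
        return False
    return any(head.startswith(magic) for magic in DUMP_MAGIC)


def find_exposed_backups(webroot):
    """Return one finding per file that looks like a backup or dump, sorted by path."""
    root = Path(webroot)
    findings = []
    for p in root.rglob("*"):
        if not p.is_file():
            continue
        reasons = []
        if is_suspicious_name(p):
            reasons.append("backup-like name")
        if looks_like_dump(p):
            reasons.append("dump signature")
        if not reasons:
            continue
        world_readable = bool(p.stat().st_mode & stat.S_IROTH)
        findings.append({
            "path": p.relative_to(root).as_posix(),
            "reasons": reasons,
            "world_readable": world_readable,
        })
    findings.sort(key=lambda f: f["path"])
    return findings


def build_sample_webroot() -> str:
    """Constructed web root: one clean page plus three files that must not be there."""
    root = tempfile.mkdtemp(prefix="webroot_")
    files = {
        "index.html": (b"<html><body>dev site</body></html>", 0o644),
        # obvious name and a real mysqldump header
        "db/customers.sql": (b"-- MySQL dump 10.13  Distrib 5.7\n-- Host: localhost\n", 0o644),
        # innocent name, but the content is a dump
        "data.bin": (b"-- MySQL dump 10.13  Distrib 5.7\n", 0o600),
        # archive named like a backup (gzip header plus constructed bytes)
        "uploads/site_backup_2016.tar.gz": (b"\x1f\x8b\x08\x00constructed", 0o644),
    }
    for rel, (content, mode) in files.items():
        path = Path(root, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(content)
        os.chmod(path, mode)
    return root


def audit_sample_webroot():
    """Build the constructed web root and audit it."""
    return find_exposed_backups(build_sample_webroot())


if __name__ == "__main__":
    for f in audit_sample_webroot():
        flag = " (world-readable)" if f["world_readable"] else ""
        print(f"{f['path']}: {', '.join(f['reasons'])}{flag}")
```

Run it against a real document root by calling `find_exposed_backups("/var/www/html")`; anything it returns should be removed from the host, not merely chmod'ed, because the web server process is usually the owner or group that can read it anyway.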

Admittedly, mistakes can happen. But in this case, the facts lean towards sloppy data handling procedures and careless information security practices.

However, we can't lay all of the blame on the service provider. A major flaw in many outsourcing arrangements is that the company hiring the contractor treats the contract as a way to extricate itself from delivery risk, putting the onus on the contractor for every aspect of service availability.

These arrangements often include contractual clauses on data protection and data integrity, but a clause that assigns responsibility to the contractor does not mean you no longer own the information risk.

In the same way you cannot insure against reputational damage or loss of life, there are some things you simply should not take for granted. Just because your service provider has stated in a contract that it follows secure development processes does not mean every part of its development environment will be secure; that is something you verify, not something you assume.

It’s no longer good enough to expect that this kind of breach won’t happen: we are all targets, and we all have data that can be used for criminal financial gain.

Hopefully these two large breaches will force Australian organisations that hire IT contractors to realise this arrangement is not an opportunity to offload the risks related to information security and privacy.

Tony Campbell
Tony Campbell has been a technology and security professional for over two decades, during which time he has worked on dozens of large-scale enterprise security projects, published technical books and worked as a technical editor for Apress Inc.

He was the co-founder of Digital Forensics Magazine prior to developing security training courses for infosec skills.

He now lives and works in Perth, where he maintains a security consulting role with Kinetic IT while continuing to develop training material and working on fiction in his limited spare time.

Read more from this blog: Unpatched
