Outsourcing does not mean offloading IT risk

By on
Outsourcing does not mean offloading IT risk

[Blog post] You are responsible for your security.

Newsflash: the data of hundreds of thousands of Australians has been exposed online due to a lack of basic cyber security hygiene.

Does this sound familiar? It should, because it's what happened last week when Capgemini placed database backups from Michael Page’s website on a publicly accessible server, and it's also how the Red Cross Blood Service fell into its own data leak just a few weeks ago.

The common thread that ties these two together - apart from the extremely ill-advised decision to put sensitive data on a publicly exposed web server - is a misstep by a contractor that should have known better.

If you are charged with looking after the technology welfare of an organisation, then part of what you are paid for is the due diligence and assurance that you are looking after their data.

The issue with Michael Page’s website was that a backup copy of a customer database was exposed on a development server: a complete lack of adherence to basic good practice on behalf of Capgemini.

You would assume the same security policies that applied to the database in production would apply in development if the same classification of data is being handled, yet it appears this was not the case. This would indicate a systemic failure of Capgemini's information security management system and secure development practices.

Admittedly, mistakes can happen. But in this case, the facts lean towards sloppy data handling procedures and careless information security practices.

However, we can't lay all of the blame entirely on the service provider: a major flaw in outsourcing arrangements is that the company hiring the contractor sees this as a way to extricate themselves of delivery risk, putting the onus on the contractor for all aspects of service availability.

Often these arrangements also have contractual clauses relating to data protection and data integrity, but the primary issue is that this does not mean you no longer own the information risk.

In the same way you cannot insure against reputational damage or loss of life, there are some things that you simply should not take for granted. Just because your service provider has said in a contract that they follow secure development processes, this does not mean that all aspects of their development environment will be secure.

It’s no longer good enough to expect that this kind of breach won’t happen: we are all targets, and we all have data that can be used for criminal financial gain.

Hopefully these two large breaches will force Australian organisations that hire IT contractors to realise this arrangement is not an opportunity to offload the risks related to information security and privacy.

Got a news tip for our journalists? Share it with us anonymously here.
In Partnership With
Tony Campbell
Tony Campbell has been a technology and security professional for over two decades, during which time he has worked on dozens of large-scale enterprise security projects, published technical books and worked as a technical editor for Apress Inc.

He was was the co-founder of Digital Forensics Magazine prior to developing security training courses for infosec skills.

He now lives and works in Perth, where he maintains a security consulting role with Kinetic IT while continuing to develop training material and working on fiction in his limited spare time.

Read more from this blog: Unpatched

Most Read Articles

Log In

Username / Email:
  |  Forgot your password?