The issue of outsourcing and the risks that it poses has been raised following the Epsilon breach this week.
In a similar vein, I recently asked several companies about outsourcing and risk: if outsourced data were breached, who would be responsible for it?
There are two sides to this. On one hand, if you choose to outsource, it could be argued that it is your provider's responsibility: they were the ones breached, so they should take the blame. On the other hand, it is your customers who are affected and you chose to outsource their data, so surely the blame should rest with you.
Matt van der Wel, manager of investigative response at Verizon Business, said: “I think that if you store, process or outsource, you are responsible. Many organisations do not want to demand it, but you are responsible and cannot outsource responsibility.
“Security is a good thing and if you put domains on the cloud it is all about cost saving, but not security. If you are concerned about your health you outsource to a doctor and get them to make you better, you do not know them but tell them to do what they want to help you. People are not afraid to outsource but are with security and when storing confidential data.”
Lew Moorman, chief strategy officer at Rackspace Hosting, said: “It depends on what happened as not all security breaches are the same. If someone got paid to sell data then it is the host's fault. If they let someone in, it is the host's fault. If the hoster did not roll out a patch, it is the host's fault. But if you have sloppy code, then it is your fault. It depends on what happened.
“It is what you and I are responsible for, we have never had a major security incident in my ten years and if a customer has had a problem it tends not to be a security problem or a flaw, it is sloppy code and while we are not perfect, it depends on the situation.”
Another consideration is to make sure that you and the provider have matching compliance requirements, so that the level of protection they offer matches your own regulatory position. Andy Gibbs, director of security and compliance at Star, said that the ISO 27001 and PCI DSS frameworks are often major drivers of that.
“Outsourcing providers all have a common basis, that is to address considerations that are specific to requirements. What is common is that someone's data needs to be protected regardless of which industry you are in,” he said.
“When anyone takes data to a third party they need to be aware of what they put forward. If you put it somewhere you need to know that it is safe, you need to look at the standards you are entrusting to and assure yourself that your assets are in good hands.
“You need to have reporting to show due diligence and it should be a part of your due diligence to verify the organisation that you are dealing with and entrusting data to so that it can show data protection. You can go to a provider and pick them out yourself, but the organisation will always tell you what you want to hear. Alternatively you can listen to an independent audit and get a much more impartial verification of the third party and not take a supplier's word for it.”
Dom Monkhouse, managing director of Peer 1 Hosting, said that within the small-to-medium enterprise there is a balance of risk and reward, and that balance sets the price of the service, including the limitation of liability.
He said: “As a business you should take some loss of profile and reputation, it is not part of the service but we have got a service level agreement in place with different points of service and on our hardware guarantee we will do a backup and restore the agreement.
“In terms of data, it gets encrypted when it gets backed up and, even on the managed firewall service, we open HTTP and do two weekly vulnerability scans on the client's solution. If a customer says ‘can you open a port’ and then they get hacked through it, then the liability lies with them and not with us, because we are providing that security layer and not building the application. We will say that security of your systems and of your data is your responsibility.”
There are some grey areas in this argument: it is up to you to determine that the provider you outsource to meets the standard you expect, but some may overlook that in order to work with a cheaper provider. So where does the blame lie? That is for you to sort out when you decide to outsource in the first place.