
Is outsourcing bad for your IT security?

More than half of data thefts investigated by an IT security firm last year were at firms that outsourced a major part of their IT.


In 2012 Trustwave investigated more than 450 cases where cardholder or other sensitive data was stolen from firms. Of the affected firms, 63 per cent relied on an outsourcer for the implementation, administration or maintenance of a key business system.

"We're not saying that outsourcing is inherently bad. We're saying that organisations that do end up getting breached have probably made some bad outsourcing decisions that led to them getting breached," said John Yeo, director of Trustwave SpiderLabs for EMEA.

A common route for attackers into business systems was via insecure remote access points set up by the supplier, Yeo said. Attackers scan IP addresses for open remote administration ports and then break in by exploiting default or weak credentials.

"Quite often what we see is the outsourcer needs to remotely manage this environment," said Yeo.

"We've seen cases where they've used simple user names and passwords to protect the remote access system.

"In one case we saw the outsourcer using a common remote username and password. Not just on one customer but across their entire set of customers."
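Both patterns Yeo describes, credential guessing against an exposed remote admin port and a single outsourcer credential reused across customers, leave a recognisable trace in a remote-access gateway's authentication log. The following detection logic is an added example, not code from the article or from Trustwave; the log format, customer names, usernames and addresses are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed remote-access gateway log (not from the article): one line per
# authentication attempt against a customer's remote admin service.
SAMPLE_LOG = """\
2012-03-01T02:14:01 customer=shopA service=rdp src=203.0.113.9 user=admin result=FAIL
2012-03-01T02:14:03 customer=shopA service=rdp src=203.0.113.9 user=admin result=FAIL
2012-03-01T02:14:05 customer=shopA service=rdp src=203.0.113.9 user=admin result=FAIL
2012-03-01T02:14:09 customer=shopA service=rdp src=203.0.113.9 user=admin result=OK
2012-03-01T09:00:00 customer=shopA service=rdp src=198.51.100.7 user=svc_support result=OK
2012-03-01T09:05:00 customer=shopB service=rdp src=198.51.100.7 user=svc_support result=OK
2012-03-01T09:10:00 customer=shopC service=rdp src=198.51.100.7 user=svc_support result=OK
2012-03-01T10:00:00 customer=shopB service=rdp src=192.0.2.44 user=jsmith result=FAIL
2012-03-01T10:00:30 customer=shopB service=rdp src=192.0.2.44 user=jsmith result=OK
"""

LINE_RE = re.compile(r"customer=(\S+) service=(\S+) src=(\S+) user=(\S+) result=(\S+)")

def parse(log):
    """Return (customer, service, src, user, ok) tuples in log order."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if m:
            cust, svc, src, user, res = m.groups()
            events.append((cust, svc, src, user, res == "OK"))
    return events

def guessed_logins(events, threshold=3):
    """(customer, src, user) keys that fail `threshold`+ times in a row then succeed: a guessed weak credential."""
    fails, hits = defaultdict(int), set()
    for cust, _svc, src, user, ok in events:
        key = (cust, src, user)
        if ok:
            if fails[key] >= threshold:
                hits.add(key)
            fails[key] = 0  # a success ends the run; later failures start a new one
        else:
            fails[key] += 1
    return hits

def shared_accounts(events):
    """Usernames that log in successfully to several customers: one credential reused across a client base."""
    seen = defaultdict(set)
    for cust, _svc, _src, user, ok in events:
        if ok:
            seen[user].add(cust)
    return {u: c for u, c in seen.items() if len(c) > 1}
```

The first check fires only on a failure run that ends in success, so a noisy scanner that never gets in does not trigger it; the second needs logs from more than one customer environment in one place, which is exactly the view an outsourcer has and its individual customers do not.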

Generally these incidents involved small and medium-sized businesses, particularly online retailers or small merchants, contracting smaller suppliers to provide or support IT services, such as e-commerce platforms or web hosting.

"It's particularly the smaller merchants who trade online or small retailers with an electronic point of sale network who rely on a third party, where the third party doesn't address security as well as they need to," he said.

"Larger organisations tend to be more aware of security and can afford a security resource to be in-house."

The most common type of data stolen in these attacks is payment card data, said Yeo, which is then sold on online black markets.

About

Nick Heath is chief reporter for TechRepublic UK. He writes about the technology that IT-decision makers need to know about, and the latest happenings in the European tech scene.

10 comments
joyceeevanoso

Every decision or strategy you employ for your business entails a risk. It is up to you to lower that risk by being smart in your business decisions.

NightLife6

One of the most frustrating problems is when a Trusted source goes to a little country on the east coast of the Med for their Software/System Engs and later finds a souvenir or two embedded in the HW/SW end product. Naturally they are back at home long before we ever find out about it and all that's left is Damage control and a request (routinely ignored) to not do that again...

Tony Hopkinson

Only reason they outsourced in the first place was cost. Well there you go. Got what they paid for then didn't they? Oh dear, how sad, never mind.

Locrian_Lyric

Furthermore, is water wet, is fire hot, is ice cold, and is Tech Republic more obvious than Obvious Man?

robo_dev

Yes. In an ideal world you could validate that the third-party has security controls as good as yours, but typically you are handed an attestation document (SSAE-16) which might as well just say 'trust me'.

BFilmFan

How much were the cost savings? How much were the legal fees and fines for the penetration? Once you have those numbers, you can determine if it was a wise decision or not.

Pete6677

Companies will get only as much security as they are willing to pay for. No surprise that the lowest bidder takes minimal precautions.

Tony Hopkinson

Otherwise they wouldn't be able to make the minimum bid that gets them the contract. Which is why I don't get the surprise; this is Business 101. Leaves you with the uncomfortable feeling they don't even know their own stuff, never mind ours.

tbmay

...irresolvable ignorance/deliberate lack of value of all things digital. Management in companies and individual consumers see most all of this the same. "I want things to magically happen for free or dirt cheap, including perfect security, which I am entitled to just because I'm using the solution." This, incidentally, doesn't exist even when you are willing to put a premium on it. Tell your kids to be veterinarians, doctors, teachers, physical therapists, etc, etc. Unless some sort of paradigm shift away from this totally clueless and disposable culture happens, they'll get to be happily blamed for management's poor decisions....including data compromises resulting from decisions you would have never made. I'm too old to, but if I could start over knowing what I know now, I would be doing something else completely.
