More than half of data thefts investigated by an IT security firm last year were at firms that outsourced a major part of their IT.

In 2012 Trustwave investigated more than 450 cases where card holder or other sensitive data was stolen from firms. Of the affected firms, 63 per cent relied on an outsourcer for implementation, administration or maintenance of a key business system.

“We’re not saying that outsourcing is inherently bad. We’re saying that organisations that do end up getting breached have probably made some bad outsourcing decisions that led to them getting breached,” said John Yeo, director of Trustwave SpiderLabs for EMEA.

A common route for attackers into business systems was via insecure remote access points set up by the supplier, Yeo said. Attackers scan IP addresses for open remote administration ports and then break in by exploiting default or weak credentials.

“Quite often what we see is the outsourcer needs to remotely manage this environment,” said Yeo.

“We’ve seen cases where they’ve used simple user names and passwords to protect the remote access system.

“In one case we saw the outsourcer using a common remote username and password. Not just on one customer but across their entire set of customers.”

Generally these incidents involved small and medium-sized businesses, particularly online retailers or small merchants, contracting smaller suppliers to provide or support IT services, such as e-commerce platforms or web hosting.

“It’s particularly the smaller merchants who trade online or small retailers with an electronic point of sale network who rely on a third party, where the third party doesn’t address security as well as they need to,” he said.

“Larger organisations tend to be more aware of security and can afford a security resource to be in-house.”

The most common type of data stolen in these attacks is payment card data, said Yeo, which is stolen to sell via black markets online.