The other day, I wrote about how a treasure trove of Michael Page data had found itself exposed on the web. Unfortunately for the recruitment site, all this was courtesy of database backups sitting on a publicly facing website exposed to the world and announcing itself by virtue of directory browsing being enabled. Even more unfortunately for Michael Page, it wasn’t even them who lost the data, it was their partner Capgemini.
As is often the case after these incidents, many people have many things to say. Of particular interest to me though was a quote that emerged in a media piece covering the incident:
“It is fundamental that businesses take responsibility for scrutinising their partners’ security prowess”
I’ve got a few fundamental issues with this statement and they become evident as you scratch the surface a little.
To begin with, organisations such as Michael Page go to consulting firms such as Capgemini because they want those they believe to be the experts in their field (although I suspect Michael Page’s views may have changed a little in recent times…). Very often, the expertise to deliver services such as building and maintaining large scale IT projects simply doesn’t exist within the org, so they go external with the expectation that partners – particularly multinational consulting firms such as Capgemini – possess the skills required to look after the whole thing.
Proponents of shifting blame back to the likes of Michael Page will argue “well, they should have made sure the partner was up to the task of managing their data properly”. How? By having them fill out self-assessment forms? I’ve been in exactly this position many, many times: whilst working for big enterprise, I’ve had consulting firms fill out forms and you know what? They all say they’re awesome! You can go further and do independent audits, but now you’re eroding the cost savings of going external, which is a much harder sell. It’s particularly hard when considering the previous point, which is that you’re going to these guys in the first place because you trust them to do the job!
But let’s say you do the audit and it comes back fine. Great – now you’ve got a process that’s been passed at one single point in time, within the strict scope of that audit. This is one of the major criticisms of the likes of PCI – yes, it’s necessary, but it in no way guarantees you’re not going to have a serious incident. Capgemini have undoubtedly had many audits over many years (they have 180k people working for them), but ultimately it only takes one person to make one stupid mistake. Would an audit have identified that they were hosting production database backups on a development web server? Possibly not, and again, even if that wasn’t happening at the time, it doesn’t mean it won’t happen in the future.
None of this is to say that the likes of Michael Page shouldn’t be doing their due diligence on consulting firms, because they absolutely should. They also should be the ones facing up to the public and apologising for losing their customers’ data, because they’re the ones who were entrusted with it in the first place. However, it may have little bearing on how their data is ultimately handled. Frankly, it provides more value as a means of covering their own behinds (“well of course we made sure the vendor was up to scratch, here’s the paperwork”), and then as leverage when things ultimately go wrong later on. I’m sure Michael Page will well and truly have Capgemini over the proverbial barrel next time it comes to contract negotiations…