I still remember the mantra so clearly: “Let’s unburden the organization by outsourcing the software development.” It was the corporate strategy of the time, back in the day when I did the 9 to 5 thing. Like so many large organizations, the multinational in question was convinced that building systems was a drain on the company and was something to rid ourselves of. I hadn’t given that much thought for some years until someone brought a data breach disclosure notice by our Aussie Department of Social Services (DSS) to my attention and this statement caught my eye:
“The compromise resulted from the actions of the Department’s third party provider”
And that got me thinking, because it was only a few days earlier that I was speaking at a McAfee event in Sydney and was involved in a Twitter chat with the folks there. It was centered on cloud security and one of the guys involved made a very insightful comment regarding the trust we place in cloud providers:
“You can outsource the work but never the risk.”
This really resonated because I’ve seen so many cases recently where organizations have thrown the responsibility for building systems over the metaphorical fence and then suffered serious data breaches at the hands of third parties. It caused me to think back to those corporate days when there was the assumption that risk could be delegated in this fashion, yet the reality is often very different.
For example, just over a year ago we had what to this day remains Australia’s largest ever data breach – the Red Cross Blood Service. In the wash-up of that incident, we learned that whilst it may have been the Red Cross’ data, the subsequent investigation found that it was another organization altogether that inadvertently published it publicly:
“The investigation found that a file containing information relating to approximately 550,000 prospective blood donors was saved to a publicly accessible portion of a webserver managed by a third party provider”
Only a few weeks later, Michael Page was facing its own data breach of a very similar nature. As with DSS and the Red Cross, the same pattern emerged:
“A third party illegally gained online access to a development server used by our IT provider, Capgemini for testing PageGroup websites”
In each of these cases, the organizations involved trusted third parties. They delegated the responsibility of building and managing information systems and inevitably, organizations of their nature would have gone through formal assessment processes along the way. I used to get involved in these all the time: here’s a big list of checkboxes from the Compliance Officer, now get the vendor to go and self-assess their competency. Naturally, the responses usually painted a glowing picture of their infosec prowess.
Outsourcing makes a lot of sense in many situations; indeed, it’s essential for many organizations. But as these incidents show, regardless of how much responsibility you delegate, accountability lies firmly on the shoulders of the organization doing the delegating. That’s the name that will adorn the news headlines when it all goes wrong.