Security frugality makes contractors soft targets for data theft: BAE Systems Detica

Increasing dependence on contractors that may not be investing adequately in data protection makes them soft targets for hackers keen on stealing the operational data those contractors get from the companies they serve, a consultant with corporate and government security specialist BAE Systems Detica has warned.

Having observed a "rising spike" in the number of commercial relationships companies maintain – driven by moves from monolithic to best-of-breed outsourcing of areas like IT services, hosting, desktops and more – BAE Systems Detica director of strategy and major client group David Owen says the free flow of a company's sensitive customer information to contractors could easily compromise internal privacy protections.

Time-worn methods for funding projects had compounded the problem, with many contractors bidding for work without fully considering the cost of related IT-security infrastructure. By the time the contract has been won, those contractors often can't or won't fund additional security measures that may be necessary to ensure the integrity of the information they're handling.

"Many times these organisations are quite federated in their approach and they're offered a sort of partnership model," he explains. "And since they are very project driven, if they don't fund something at the point of bidding for the work, they don't later have the luxury of overheads or new controls and countermeasures. Quite a few of those organisations we see have a lot of variability internally in how they do things – and they generally have some challenges around how they fund and are transforming their security."

In many cases, well-meaning CSOs are stymied by entrenched procurement practices that favour lower-cost solutions and are administered by procurement staff that don't appreciate the need for one IT security solution over another.

"We quite often see a piece of the vendor management function that is incentivised to get the cost out of things quite aggressively – and the challenge with recognising that it's worth paying more for security is that security is purely a contraceptive type countermeasure. [Acknowledging that] requires a fair bit of maturity in the vendor management function."

Such situations carry an even bigger risk: even when a breach is caused by a contractor's inadequate security, it is the contracting company that inevitably faces the biggest reputational threat. That risk increases the onus on companies to track the movement of sensitive data, and to identify which of an often lengthy roster of contractors is receiving the most sensitive data. It is also important to develop governance frameworks that help companies monitor their contractors' security profiles – even when those contractors claim compliance with information-risk standards like ISO 27001.

"Suppliers will often say they've got a certified risk management system," Owen said, "but the impact side of the ledger is often based on their assessment of what the impact will be of a particular risk. There will typically be a significant difference between their tolerance and the risk assessment of the customer."

This has created opportunities for companies evaluating a potential supplier to engage a third party to run penetration and other testing to develop an independent evaluation of the supplier's security profile. By making such testing a prerequisite of contracts involving sensitive data, companies can reduce their risk before undetected security shortcomings present problems later on.

Timeliness remains a problem, too: when a contractor or customer has experienced a data breach, forensic investigation frequently finds that the breach had begun more than 300 days earlier.

For large companies, that could reflect a massive amount of lost data, with its associated implications for risk, reputation, and regulatory integrity. "It's getting a lot harder for the average organisation to stand up an internal capability to actually detect compromises," Owen said. "The biggest single issue is being able to detect that. If nobody can detect the compromise is occurring, it can take years before you realise you've got a worse competitive position in the market because someone has used [stolen data] to undercut your position."

Such consequences would have far greater impact on a business than investing in the right tools in the first place. And yet, Owen adds, most organisations face an even bigger challenge because they can't find or afford enough qualified security contractors to manage the tools – thereby, ironically, pushing them to an increased dependence on outside services.

Similarly, many of those services are offered by small contractors that face their own challenges finding and keeping skilled security staff. "Unless you're a Big Four bank and you have 20 to 30 people working in security operations, there's a big scale issue," Owen says. "A lot of Australian organisations probably don't have the scale to be able to establish a really strong security capability internally."

Addressing this challenge requires a change of thinking at the customer as well as the supplier level, he adds. "Part of this is a level of acceptance that compromise is an inevitability for most organisations – that having an approach to your understanding of what matters, and then monitoring it for compromise, is part of the overall story. But it's also going to be about engaging organisations that have a high level of capability to do that for organisations; unless you're very large, the days of internalising that security solution are probably at an end."
