Security frugality makes contractors soft targets for data theft: BAE Systems Detica
09 July, 2013 11:38
Increasing dependence on contractors that may not be investing adequately in data protection makes them soft targets for hackers keen on stealing the operational data those contractors get from the companies they serve, a consultant with corporate and government security specialist BAE Systems Detica has warned.
Having observed a "rising spike" in the number of commercial relationships companies maintain – driven by moves from monolithic to best-of-breed outsourcing of areas like IT services, hosting, desktops and more – BAE Systems Detica director of strategy and major client group David Owen says the free flow of a company's sensitive customer information to contractors could easily compromise internal privacy protections.
Time-worn methods for funding projects have compounded the problem, with many contractors bidding for work without fully considering the cost of the related IT-security infrastructure. By the time the contract has been won, those contractors often can't or won't fund the additional security measures that may be necessary to ensure the integrity of the information they're handling.
"Many times these organisations are quite federated in their approach and they're offered a sort of partnership model," he explains. "And since they are very project driven, if they don't fund something at the point of bidding for the work, they don't later have the luxury of overheads or new controls and countermeasures. Quite a few of those organisations we see have a lot of variability internally in how they do things – and they generally have some challenges around how they fund and are transforming their security."
In many cases, well-meaning CSOs are stymied by entrenched procurement practices that favour lower-cost solutions and are administered by procurement staff that don't appreciate the need for one IT security solution over another.
"We quite often see a piece of the vendor management function that is incentivised to get the cost out of things quite aggressively – and the challenge with recognising that it's worth paying more for security is that security is purely a contraceptive type countermeasure. [Acknowledging that] requires a fair bit of maturity in the vendor management function."
Such situations carry an even bigger risk: even if a security incident is caused by a contractor's inadequate security, it is the contracting company that inevitably faces the biggest reputational threat. That risk increases the onus on companies to track the movement of sensitive data, and to identify which of an often long roster of contractors is receiving the most sensitive data. It is also important to develop governance frameworks that help companies monitor their contractors' security profiles – even when those contractors claim compliance with information-risk standards like ISO 27001.
"Suppliers will often say they've got a certified risk management system," Owen said, "but the impact side of the ledger is often based on their assessment of what the impact will be of a particular risk. There will typically be a significant difference between their tolerance and the risk assessment of the customer."
This has created opportunities for companies evaluating a potential supplier to engage a third party to run penetration and other testing to develop an independent evaluation of the supplier's security profile. By making such testing a prerequisite of contracts involving sensitive data, companies can reduce their risk before undetected security shortcomings present problems later on.
Timeliness remains a problem, too: when a contractor or customer has experienced a data breach, forensic investigation frequently suggests the breach had occurred over 300 days previously.
For large companies, that could reflect a massive amount of lost data, with its associated implications for risk, reputation, and regulatory integrity. "It's getting a lot harder for the average organisation to stand up an internal capability to actually detect compromises," Owen said. "The biggest single issue is being able to detect that. If nobody can detect the compromise is occurring, it can take years before you realise you've got a worse competitive position in the market because someone has used [stolen data] to undercut your position."
Such consequences would have far greater impact on a business than investing in the right tools in the first place. And yet, Owen adds, most organisations face an even bigger challenge because they can't find or afford enough qualified security contractors to manage the tools – thereby, ironically, pushing them to an increased dependence on outside services.
Similarly, many of those services are offered by small contractors that face their own challenges finding and keeping skilled security staff. "Unless you're a Big Four bank and you have 20 to 30 people working in security operations, there's a big scale issue," Owen says. "A lot of Australian organisations probably don't have the scale to be able to establish a really strong security capability internally."
Addressing this challenge requires a change of thinking at the customer as well as the supplier level, he adds. "Part of this is a level of acceptance that compromise is an inevitability for most organisations – that having an approach to your understanding of what matters, and then monitoring it for compromise, is part of the overall story. But it's also going to be about engaging organisations that have a high level of capability to do that for organisations; unless you're very large, the days of internalising that security solution are probably at an end."