There’s plenty of talk about security threats from internal employees—but what about the threats associated with outsourcing?
The stats may (or may not) surprise you. Forty-six percent of organizations do not evaluate the security and privacy practices of vendors before sharing sensitive or confidential information, according to a recent study conducted by the Ponemon Institute. The survey polled nearly 750 individuals in organizations that transfer consumer data to third-party vendors.
“Many companies have higher standards for their in-house data security practices than they have for vendors that they enlist to hold customer information,” says Michael Bruemmer, vice president at Experian Data Breach Resolution. “The standards should be consistent, because not adhering to the same policies leaves companies vulnerable.”
Understanding the Landscape
When sharing sensitive and confidential consumer information, 49 percent of those surveyed admitted they do not monitor—or are unsure whether their organization monitors—vendor security and privacy practices. Survey results also indicate that organizations that transfer or share consumer data with vendors experience data breaches more often than not.
What’s more, 65 percent of respondents said their organization had a data breach involving the loss or theft of their organization’s information—and 64 percent report that it has happened more than once. Forty-five percent of respondents reported negligence as the root cause of third-party data breaches. And 56 percent said their organization learned about a data breach accidentally.
Despite these risks, a new study from Hfs Research and KPMG reveals that organizations are still turning to outsourcing to keep costs low. In fact, the survey reports that the majority of enterprises are aggressively focused on increasing their outsourcing portfolios in 2013. With that in mind, the security industry is working hard to educate stakeholders about best practices and how to avoid data breaches connected to outsourcing.
Vet Third Parties
Mike Flouton, vice president of Product Marketing at SilverSky, offers some advice. When dealing with third-party software development resources, he says, a few tried-and-true information security safeguards work as well in the cloud era as they did in years past.
“First, it’s critical that you thoroughly vet any third party before granting access to sensitive information. Background checks, references and code samples should be required of individuals, while independent audit assessments like AICPA certifications are essential for companies,” Flouton says.
“Second, exercise the principle of least privilege. Third parties should be given access to the minimum they need to get the job done—nothing more. And finally, trust, but verify. Code reviews not only ensure that the software is well written and does what it should; they make it next to impossible for malicious outsiders to sneak backdoors and nastiness into production systems.”
Storing Sensitive Data in the Cloud
“If the outsourcer is actually processing or storing sensitive data in a ‘cloud’ environment, how are they protecting it against both old-school and new-school threats?” asks Alan Brill, senior managing director for Kroll Advisory Solutions. “How effectively are you monitoring and providing independent quality control of the work of these ‘insider outsiders’?”
Brill also suggests one method that combines threat detection with deterrence: have key elements of new code independently tested for security by specialists. Another is to look at when work is being done, and where it is being done from.
Brill points to a recent case in which a contractor who was supposed to be developing code at a company’s site actually subcontracted the work to an overseas group, which charged him 20 percent of what he was charging the company. He sent the group his remote-access token so they could submit their work under his credentials.
“It took the company quite some time to notice that the actual code wasn’t coming from the contractor on-site, but was originating at an IP address about 7,500 miles from their offices,” Brill says. “Who knows what could have been buried in that code?”
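Brill’s “when and where is the work being done” check is straightforward to automate against remote-access gateway logs. The following Python script is an added example, not code from the article or from Kroll: it parses constructed login lines, resolves each source IP against a constructed IP-to-location table standing in for a GeoIP database, measures the great-circle distance to the office, and flags sessions that are far from the site, outside working hours, or from an address it cannot place. The office coordinates, the log format, the IP table and the working-hours window are all assumptions for the demo.

```python
"""Added example (not from the article): audit an on-site contractor's
remote-access logins for sessions that originate far from the office or outside
working hours. The log lines, log format, office location, IP-to-location table
and working-hours window are all constructed assumptions for this demo; in
practice the coordinates would come from a GeoIP database and the lines from
the VPN or remote-access gateway."""
import math
import re
from datetime import datetime

OFFICE_LAT, OFFICE_LON = 40.7128, -74.0060   # assumed office location (New York)
MAX_ONSITE_MILES = 100.0                     # beyond this the session is not "on-site"
WORK_HOURS = range(7, 20)                    # assumed expected window, 07:00-19:59 office time

# Constructed stand-in for a GeoIP lookup (documentation/TEST-NET addresses).
GEOIP = {
    "203.0.113.10": (40.7306, -73.9352),     # a few miles from the office
    "198.51.100.77": (12.9716, 77.5946),     # assumed overseas location
}

# Constructed log format: "<ISO-8601 office-local time> user=<name> src=<ip> action=login"
LOG_RE = re.compile(r"^(\S+)\s+user=(\S+)\s+src=(\S+)\s+action=login$")

SAMPLE_LOG = [  # constructed lines
    "2013-03-04T09:15:00 user=contractor1 src=203.0.113.10 action=login",
    "2013-03-04T02:40:00 user=contractor1 src=198.51.100.77 action=login",
    "2013-03-05T10:05:00 user=contractor1 src=198.51.100.77 action=login",
    "2013-03-05T11:00:00 user=alice src=203.0.113.10 action=login",
    "malformed line that the parser should skip",
    "2013-03-05T12:00:00 user=contractor1 src=192.0.2.5 action=login",
]


def haversine_miles(lat1, lon1, lat2, lon2):
    """Great-circle distance in statute miles between two points given in degrees."""
    earth_radius_miles = 3958.8
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * earth_radius_miles * math.asin(math.sqrt(a))


def parse_line(line):
    """Return (timestamp, user, src_ip) or None for lines that do not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, user, ip = m.groups()
    return datetime.fromisoformat(ts), user, ip


def audit_logins(lines, user):
    """Return [(iso_timestamp, src_ip, [reasons])] for the given user's suspicious logins.

    A login is suspicious when its source IP is unknown, resolves to somewhere
    beyond MAX_ONSITE_MILES of the office, or happens outside WORK_HOURS."""
    findings = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue          # skip lines the gateway wrote in another format
        ts, who, ip = parsed
        if who != user:
            continue
        reasons = []
        location = GEOIP.get(ip)
        if location is None:
            reasons.append("source IP not in GeoIP table")
        else:
            miles = haversine_miles(OFFICE_LAT, OFFICE_LON, *location)
            if miles > MAX_ONSITE_MILES:
                reasons.append(f"{miles:.0f} miles from the office")
        if ts.hour not in WORK_HOURS:
            reasons.append(f"outside working hours ({ts:%H:%M})")
        if reasons:
            findings.append((ts.isoformat(), ip, reasons))
    return findings


if __name__ == "__main__":
    for when, ip, reasons in audit_logins(SAMPLE_LOG, "contractor1"):
        print(when, ip, "; ".join(reasons))
```

Run against the sample, the script reports the two overseas logins (one also at 02:40 office time) and the login from an address the table cannot place; the on-site 09:15 session and the other user’s sessions pass. A real deployment would feed it the gateway’s logs and a GeoIP database, and would alert on the first overseas hit rather than waiting, as the company in Brill’s case did, for someone to notice.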
A Different Paradigm
Eric Chaves, a sales engineer at CloudLock, says IT companies are leveraging the cloud as a way to store and disseminate information easily. Cloud storage presents a different paradigm for information security monitoring than on-premises monitoring did.
“Sharing information and code bases with outsourcers is easy, but the risks are clear, and monitoring the exposure of this intellectual property is critical,” Chaves says. “The benefit of storage in the cloud is that this information is typically accessible by Information Security monitoring solutions.”
In fact, he adds, many organizations agree that enforcing acceptable use policies is now easier for data stored in the cloud, thanks to these newer information security monitoring solutions. Previously, he continues, monitoring meant covering thousands or tens of thousands of devices with physical network monitoring appliances and agents deployed on servers. Today, access to the central cloud data repository for monitoring purposes can be provided easily through approved API access to cloud storage platforms such as Google Apps.
“Information Security monitoring solutions have the ability to determine what data is being shared with whom, and when this level of access was permitted. Data that is stored in the cloud should only be accessible to the individuals associated with the project, and it’s important to determine who else may be collaborating on the assets in question, when these individuals were added and the level of permission they were given,” Chaves says. “Beyond visibility, taking control of the permissions on the data of interest is important, and having a solution that can transfer ownership or remove collaborators on the asset is key to securing that intellectual property.”
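What Chaves describes, reconciling who actually has access to a shared code base against who is supposed to, and turning the gaps into “remove” or “transfer ownership” actions, can be written as a short audit over a sharing export. The Python below is an added example, not code from the article, from CloudLock or from any cloud storage vendor: it takes a constructed JSON export for one asset (the field names are an assumption for the demo, loosely modeled on what storage-platform sharing APIs return, not a specific vendor’s schema), compares each grant with an approved roster, and emits the remediation actions along with when and by whom each grant was made. The organisation domain, roster and recovery owner are all assumed.

```python
"""Added example (not from the article): audit a cloud-storage sharing export
for a project asset against the approved collaborator roster and produce the
remediation actions (remove, downgrade, transfer ownership). The export, its
field names, the roster and the domain are constructed assumptions for the
demo, not a specific vendor's API or schema."""
import json

ORG_DOMAIN = "example.com"               # assumed: the company's own domain
RECOVERY_OWNER = "alice@example.com"     # assumed: org account that should own project assets

# Constructed roster: approved collaborators and the maximum role each should hold.
APPROVED = {
    "alice@example.com": "owner",
    "dev1@vendor.example": "writer",     # outsourced developer, write access agreed in contract
    "dev2@vendor.example": "reader",     # outsourced reviewer, read-only
}
ROLE_RANK = {"reader": 1, "commenter": 2, "writer": 3, "owner": 4}

# Constructed sharing export for one asset. Field names are an assumption for
# the demo, loosely modeled on what storage-platform sharing APIs return.
SHARING_EXPORT = json.dumps({
    "asset": "projects/payments-service/src",
    "permissions": [
        {"type": "user", "email": "alice@example.com", "role": "writer",
         "added": "2012-11-02T10:00:00Z", "added_by": "alice@example.com"},
        {"type": "user", "email": "dev1@vendor.example", "role": "owner",
         "added": "2013-01-15T08:30:00Z", "added_by": "alice@example.com"},
        {"type": "user", "email": "dev2@vendor.example", "role": "writer",
         "added": "2013-01-16T09:00:00Z", "added_by": "dev1@vendor.example"},
        {"type": "user", "email": "subcontractor@other.example", "role": "writer",
         "added": "2013-02-20T03:12:00Z", "added_by": "dev1@vendor.example"},
        {"type": "anyone", "role": "reader",
         "added": "2013-02-21T03:15:00Z", "added_by": "dev1@vendor.example"},
    ],
})


def audit_sharing(export_json):
    """Compare each grant on the asset with the approved roster and return the
    remediation actions, each carrying when and by whom the grant was made."""
    data = json.loads(export_json)
    actions = []
    for perm in data["permissions"]:
        provenance = {"added": perm.get("added"), "added_by": perm.get("added_by")}
        if perm["type"] != "user":
            # link sharing ("anyone") or domain-wide grants expose the code base wholesale
            actions.append({"action": "remove", "subject": perm["type"],
                            "reason": "non-user grant on project IP", **provenance})
            continue
        email = perm["email"].lower()
        held = perm["role"]
        allowed = APPROVED.get(email)
        if allowed is None:
            actions.append({"action": "remove", "subject": email,
                            "reason": "not on the approved roster", **provenance})
        elif ROLE_RANK[held] > ROLE_RANK[allowed]:
            # holding less than the approved role is fine; holding more is not
            if held == "owner":
                actions.append({"action": "transfer_ownership", "subject": email,
                                "to": RECOVERY_OWNER,
                                "reason": f"approved as {allowed} but owns the asset",
                                **provenance})
            else:
                actions.append({"action": "downgrade", "subject": email, "to": allowed,
                                "reason": f"holds {held}, approved for {allowed}",
                                **provenance})
    return actions


def external_collaborators(export_json):
    """List every user grant outside the organisation's domain, approved or not."""
    data = json.loads(export_json)
    return sorted(p["email"] for p in data["permissions"]
                  if p["type"] == "user"
                  and p["email"].rsplit("@", 1)[-1].lower() != ORG_DOMAIN)


if __name__ == "__main__":
    for act in audit_sharing(SHARING_EXPORT):
        print(act)
    print("external collaborators:", external_collaborators(SHARING_EXPORT))
```

On the constructed export the audit finds the vendor developer owning the company’s source tree (transfer ownership back to the org account), the vendor reviewer holding write instead of read (downgrade), an unapproved subcontractor added by the vendor (remove), and an “anyone with the link” grant (remove). The `added_by` trail shows that the last three grants were all made by the vendor developer, which is exactly the kind of “insider outsider” activity the article warns about; the actions themselves would be applied through the platform’s permissions API.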