The real risk of cyber attacks on critical computing infrastructure is nothing new, but the perceived threat level continues to grow, as evidenced recently by the dire warnings issued by US Defense Secretary Leon Panetta. There is no shortage of well publicized and documented occurrences of cyber attacks to reinforce that they are a serious and in some cases potentially fatal threat. This threat is just as real for organizations that have undertaken extensive outsourcing of their IT and business process infrastructure and systems as those that have not.
The debate over whether firms that have outsourced face more or less of a threat from IT security breaches overall or cyber attacks in particular goes both ways. On the one side it is argued that many firms do not have the skills, resources and expertise to optimize their IT security operations, systems and processes around critical systems apps. They are better served and safer when using third party service providers with more security expertise and deeper pockets to build and maintain sufficient IT defense perimeters.
The counter argument is that outsourcing introduces a level of opaqueness and uncertainty between the client and service provider. The client, for example, may not have adequate visibility into or control over the provider’s defensive practices. If a breach occurs, the client may not receive timely notification or have adequate recourse against the provider for damages. Or more simply, a provider may have worse security practices and skills than the client.
Guard Against Cyber Attacks
So what is an outsourcing buyer to do to assure, to the most reasonable degree possible, that its outsourcing provider(s) are adequately prepared to guard against cyber attacks?
The first thing to do is understand the buyer’s own level of skill and capability to defend against a cyber attack. It is difficult to assess the quality of a provider’s defenses and define best practices if the knowledge of what is a leading practice, or how to enforce it, is weak or non-existent. KPMG in the UK has defined ten “top tips” for defending against cyber attacks. These tips are below, reinterpreted in the context of outsourcing.
1) Prepare for War: Don’t become complacent that the outsourcing service provider is maintaining adequate cyber attack defenses. Monitor defenses and defensive practices closely, for example via network penetration and applicable vulnerability testing. Consider use of third-party testing beyond the provider’s, for example via the use of “ethical” hackers. Ringfence priority areas and data, but prepare for a worst-case scenario.
2) Prioritize: Take a holistic approach to assessing and monitoring a provider’s security capabilities and skills. Do not just focus, for example, on network security at the expense of application security or data privacy over data security. Defend “crown jewel assets” first but stay alert across all assets, applications and systems.
When assessing a provider’s security, capabilities and practices, the client should include all of its organization’s stakeholders and experts in the review process
3) Brace for Impact: Assume at some point that a serious cyber attack will target the firm and its provider. Predefine emergency and remedial response procedures for a variety of scenarios.
4) Strategy: Regularly and thoroughly review the provider’s current defense strategies, mechanisms and risk landscapes. Place focus on connection points between systems and applications the provider is running and those within the retained organization.
5) Learn from Mistakes: Review and learn from attacks that have occurred in the client organization and its peers and determine that the provider is doing the same. Push to define leading practices out of worst case examples.
6) Watch and Learn: Determine how the provider responds to threats and early stage attacks and ensure the client organization is comfortable with the approach. A rushed reaction to a penetration, for example, can give the perpetrator more information about the organization and its defenses. Watching and learning could prove more valuable than giving away vital information with an immediate response, but client’s philosophy should match the provider’s.
7) Don’t Go it Alone: When assessing a provider’s security, capabilities and practices, the client should include all of its organization’s stakeholders and experts in the review process. This should go well beyond the group doing the bulk of the sourcing process for outsourcing services. If the client organization has skills gaps in the way it would perform portions of the assessment and vetting, it should bring in third-party expertise. The retained organization and outsourcing governance group should also have skilled security experts and expertise embedded in them.
8) Caution: The client should review and assess how its provider educates its workers on the handling of confidential information both internally and externally from a process and systems standpoint. Determine, for example, if staff may handle sensitive data from multiple clients or co-mingle it on common systems.
9) Plug the Mobile Leak: Increased use of sophisticated personal and mobile devices raises the risk of data breach and cyber attack. The client should assess policies and practices of both its provider as well as its own staff that interact with systems and applications the provider is managing.
10) Accept the Consequences: Related to number three, have in place the response and clients who need contingency plans in advance and synchronize these plans with those of the provider. It is critical to define and clearly understand the consequences to the firm and its obligations in the event of an attack as compared to those of the provider. After a cyber attack is not the time to try to determine whose throat to choke.
There are additional things buyers should do to address the threat of cyber attacks in outsourcing scenarios. They include the following.
- Assessing and understanding the risk levels associated with public cloud vs. private cloud vs. internally hosted systems
- Retaining audit rights over and regularly reviewing provider security practices
- Determining that the organization knows where its data resides at all times and retaining veto rights over it being moved out of agreed upon markets
- Determining that the provider possesses all relevant and required market training and certifications
And finally, prepare for the worst and hope it ends up being not quite so bad as anticipated.
Stan Lepeak is the director of research for KPMG’s Shared Services and Outsourcing Advisory group. A 20-year veteran of the IT industry, Stan is a noted commentator and frequent speaker on business and IT professional services, business process and IT outsourcing, and underlying supporting IT applications and systems. He can be reached at [email protected]