From Adobe to Home Depot, AT&T and JP Morgan Chase, even the biggest companies have been laid low by security breaches over the last 18 months. These breaches are on the rise worldwide (up 48% from 2013) and the resulting costs are also spiralling, according to PricewaterhouseCoopers and CSO’s 12th annual Global State of Information Security Survey 2015. Nearshore Americas examines one piece of data about the relationship between security breaches and outsourcing and provides an analysis of the meaning behind this statistic.
Behind the Data
Trustwave’s 2013 Global Security Report found that of the 450 security breaches it analysed, over 63% were linked to third-party IT providers. The study drew on investigations of more than 450 security breaches and identified key aspects of the attacks, such as the nature of the attackers, their entry points, their targets and the vulnerabilities they exploited.
As a managed security solutions provider, Trustwave conducts its own investigations into incidents reported by clients or by another party such as law enforcement. For this study, Trustwave examined its own incident investigations rather than survey results. It also collaborated with law enforcement agencies in the United States, Australia, Mexico and the United Kingdom.
What It Means
Although this is a 2013 statistic, the study is often cited in coverage of IT outsourcing and industry insiders are still quoting it on social media. More recent studies have confirmed third-party providers as a growing security risk. The Ponemon Institute’s Securing Outsourced Consumer Data study had similar findings, with 65% of companies who outsourced work to a vendor reporting a data breach involving consumer data and 64% indicating that breaches had occurred more than once.
The difference between the two studies is that the Ponemon study collected its data by surveying 748 individuals involved in vendor management at selected organizations with outsourced IT functions, rather than analyzing data directly from incident investigations as the Trustwave report did. In addition, the Ponemon study is not clear on whether the source of the reported breaches was in fact the outsourcer. Despite the differences in methodology, both studies highlight the need to ensure that security planning covers internal and outsourced functions alike for maximum protection and increased prevention.
When a company outsources key IT functions, risk increases because control over those functions shifts to a third party. Vendors also need to take responsibility for the security of client data and work with the client to develop a plan that satisfies both parties. This data does not mean that all breaches are related to outsourced functions – data breaches are a complex issue, often involving a number of factors – or that insourcing will reduce the risk of security breaches. It does, however, highlight the importance of making informed outsourcing decisions and prioritizing security in the IT function regardless of where it resides.