Is outsourcing bad for your IT security?

More than half of data thefts investigated by an IT security firm last year were at firms that outsourced a major part of their IT.

In 2012 Trustwave investigated more than 450 cases where card holder or other sensitive data was stolen from firms. Of the affected firms, 63 per cent relied on an outsourcer for implementation, administration or maintenance of a key business system.

“We’re not saying that outsourcing is inherently bad. We’re saying that organisations that do end up getting breached have probably made some bad outsourcing decisions that led to them getting breached,” said John Yeo, director of Trustwave SpiderLabs for EMEA. A common route for attackers into business systems was via insecure remote access points set up by the supplier, Yeo said. Attackers scan IP addresses for open remote administration ports and then break in by exploiting default or weak credentials.