Businesses are rapidly adopting an outsourced, third-party information technology operations model.
According to Trustwave's 2013 global security report, 63 per cent of investigations revealed that a third party was responsible for system support, development or maintenance. However, the report claimed that these arrangements introduced security deficiencies that are easily exploited by hackers.
EMEA Trustwave Spiderlabs director John Yeo said that remote access was the most common way for a company to be hacked (47 per cent of findings), saying that this was 'no surprise' when connections were only secured with weak passwords.
Commenting, Mark Daitlich, partner at Pinsent Masons, said that in the context of an outsourced arrangement there are two strands: what should organisations do, and what should they do in order not to be negligent?
He said: “The other is how do you catch the perpetrator and, if you catch them, what do you prosecute them for? All regulators say 'do your due diligence on a third-party vendor', then you look at the contract when you put in provisions to limit the damage if an incident comes to pass.”
Bob Tarzey, analyst at Quocirca, said: “For organisations that have outsourced, 99 per cent had outsourced IT management. This has lots of benefits, but if you outsource you spend even more on IT security.”
Last year, Jonathan Armstrong, lawyer at Duane Morris LLP, said that the impact of monetary fines from the Information Commissioner's Office (ICO) should be passed on to those directly responsible for the breaches.
In response, the ICO said that under the Data Protection Act it is the data controller that must ensure that any processing of personal data for which it is responsible complies with the act. Data controllers remain responsible for ensuring that their processing complies with the act, whether they process the data in-house or employ a separate contractor as a data processor.