You Cannot Outsource the Consequences of a Breach

Mozilla is known to most people for its open-source and free software, most notably Firefox. However, starting around August 4th, it also became known as yet another company whose merchandise store was breached. Following the announcement on the company’s blog and closure of Mozilla’s store, the following headlines filled trade pubs and the blogosphere: “Mozilla Store Breached” – PC Magazine, “Mozilla shuts Firefox e-store after security breach” – Computerworld, and “Mozilla Store Security Breached” – InformationWeek. A careful reading of these articles, however, revealed that the breach did not happen by any fault of Mozilla; rather, it was caused by a company called Gateway/CDI, a third-party e-commerce processor. Even though most news stories about the breach mentioned this critical fact, my conversations with non-techie friends proved that such details went largely unnoticed and that Mozilla was viewed as the guilty party. This only goes to prove that unless the reader has a reason to take an interest in the story, the headline will be the only thing read. Unfortunately, headlines such as “Mozilla shuts down online store after third-party security breach” are rare and tend to appear only in technical and security-oriented news sources.

What all this adds up to is that when considering the outsourcing of storing, processing, or transmitting critical data to a third party, organizations must recognize that in the event that such a third party is breached, it will be their name in the headlines, not the vendor’s. The solution is for companies to carefully evaluate whether outsourcing is really the best option for them and for their clients. Personally, I think that companies are outsourcing too much, completely ignoring the risks associated with letting your data outside of the trusted network perimeter. However, if outsourcing still makes business sense, careful attention must be paid to ensuring that the vendor takes all appropriate precautions to make sure your data remains safe. Ideally, this should be done during the initial negotiation, as that will be the time when a client has the most influence and power over the vendor. Typical validation steps may include a combination of any of the following tactics:

Ask if the vendor has a SAS-70 on file. (Make sure it explicitly covers the service you are purchasing, and request an independent review of the report to make sure it was provided by a reputable audit firm.)

Involve Internal Audit to request that the vendor fill out a questionnaire, indicating its information security practices. Make sure to ask for proof for some of the most critical controls.

Hire a security consulting firm to perform an independent audit of the security controls the vendor has in place.

Request your internal information security team to perform a thorough review of the vendor’s security controls.

The most important thing to remember is that even though your organization may be outsourcing to a third party, the overall responsibility for the protection of the data in the eyes of your current and future customers will always remain with your company.