Outsourcing has been identified as a key attack vector in almost two-thirds of security investigations carried out by security services company Trustwave.
The claim was carried in the company's 2013 Global Security Report, which draws on the incident-response investigations that it has carried out on clients' behalf, as well as the results of thousands of penetration tests and millions of website and web application attacks.
"In 63 per cent of incident response investigations, a major component of IT support was outsourced to a third party... Many third-party vendors leave the door open for attack, as they don't necessarily keep client security interests top of mind," stated the report
In some cases, organisations that have outsourced a portion of their IT functions are unaware of the demarcation between themselves and their outsourced partner, leaving gaping holes that no one takes responsibility for. This also accounts for a large proportion of the attacks in the retail sector, added the report, because many small retail chains outsource some or all of their IT functions.
"Small businesses/franchises within the food & beverage and retail were most often impacted, as they typically outsource IT support and are often unaware of security best practices or compliance mandates by which their partners were required to abide. In some instances, victims were unaware that the third party was responsible only for a subset of security controls, leaving these systems open to attack," stated the report.
It also highlighted the most common modes of attack and the sectors typically targeted.
According to the report, retail was the most targeted sector, accounting for 45 per cent of all attacks, followed by food & beverage (24 per cent) and Hospitality (nine per cent).
The report attributed several factors to these attacks:
The sheer volume of payment cards used in these industries makes them obvious targets; The main focus of organisations operating in these spaces is customer service, not data security; There's a misconception that these organisations are not a target.
The challenge faced by many organisations has been compounded by the increasing ineffectiveness of many genres of security software in the face of more complex threats, claimed the report:
"In the past two years, attacks have grown significantly in complexity, rendering the majority of 'off-the-shelf' detection solutions, such as commercial anti-virus programs, ineffective. In addition, due to advanced subterfuge techniques, malware often goes unnoticed by systems administrators despite being clearly visible to investigators."
