Thursday, November 15th, 2012

A major IT company was recently involved in a data privacy breach involving personal, commercial and government data. The breach arose when it was revealed that members of the public were able to download and send highly sensitive information. It still remains to be determined whether this security hole was already exploited before it was reported by a member of the public. The consequences are potentially devastating if such highly personal information fell into the wrong hands.

The IT company involved was responsible for the integration of the system as well as its security. Although the system had security measures in place to protect the information from unauthorised access, the measures were easily bypassed by someone who was capable of studying how the system worked. As the system was developed for public access, no logins were required meaning that any unauthorised access could not be traced to individuals. However it is hoped that an audit trail may be able to reveal whether the sensitive data had already been accessed. So how can organisations prevent something like this from happening to them?

When outsourcing IT services, whether it be for software development, systems integration or ongoing managed services, Paul Moroney, Solentive Software’s Principal Solutions Consultant states, "Maintaining the confidentiality, integrity and availability of your data is paramount."

“Any missteps when engaging with an IT services provider can severely damage your organisation’s reputation in the market and lead to a loss of future business. As you are responsible for the data that you own and manage, you are ultimately responsible for any breaches occurring in the system. However, there are several precautions you can take to mitigate the chances of something going wrong,” advised Paul.

“First of all, ensure that you have an internal security policy in place. This policy should include details of how staff members handle sensitive data such as customer details – this is particularly important if your organisation is running a Bring-Your-Own-Device (BYOD) initiative,” stated Paul.

In such a case, an organisation needs a clear understanding of who is responsible for ensuring that an employee’s device is secure and a plan of action if the device was maliciously exploited.

“When choosing an IT vendor for your systems integration, ensure that the vendor also has a good security policy in place and check to see whether that policy aligns with your own. You can ask to see any independent security audits your vendor may have completed recently. If they provide any hosting services for other companies, ask for details on how often they have conducted security audits and testing,” continued Paul.

You can pose questions such as:

- Do they host external facing websites for other companies?
- If so, when was the last time they had conducted penetration testing and what was the result?
- What employee background checks do they perform on their employees during the hiring process?
- Do they run regular security training sessions for their employees while they are working with you and your data?
- Can they run regular training sessions for your organisation so your employees know how to securely handle the data?

“Assessing the risk profile of where the vendor is located is very important. You need to know what jurisdictions your data will be travelling to and where it will be stored,” warned Paul.

“Outsourcing offshore may pose a greater risk to your data than outsourcing to a company located within Australia as your data may be governed under a foreign jurisdiction,” explained Paul.

This is particularly an issue if the country you have offshored your data to has an uncertain political climate where laws can change drastically overnight, hindering you from accessing your own data.

“Finally, you should list your right to audit as a condition in the contract with your vendor so that you can maintain visibility on how your data is being handled and managed throughout the engagement,” concluded Paul.

Contact Profile

Solentive Software

Solentive specialises in custom software development and systems integration. You'll benefit from our real-world expertise in software built in .Net and Java that is task-matched for affordability and designed to grow with your business.
Kareem Tawansi
P: 1300 55 30 50


outsourcing, systems integration, data privacy breach, IT services, Paul Moroney, Principal Solutions Consultant, Solentive Software, BYOD, bring-your-own-device



More Formats

View QR Code