In short, the answer is yes, but they don’t have to be! You can have the best privacy programme in the world, but if your IT provider is not following your rules on it, you’re going to have a problem. All too often I see companies taking privacy incredibly seriously, yet their outsourced IT company (unintentionally) circumvents their efforts in a number of ways. In the relationship between data subjects, responsible parties/controllers, and operators/processors, you as the company holding data can be liable for a breach down the line via your IT provider. It’s incredibly important that your IT provider is familiar with privacy requirements, and it is up to you to assess this. Let’s dive into the common threats I see in the field.
First and foremost, think about your IT company’s access. IT generally has access to EVERYTHING. Be it internal employee data, external client data, or any data stored on company controlled equipment. In general, the technician that comes to your office will have unfettered access to your entire network. A good IT provider would still add segregation of duty as part of their offering; meaning that their technicians have different levels of access to your information. I know of a number of small IT providers where this is practiced, and it is an excellent control for you as the client. Ultimately, you need to ensure that the technicians at your offices respect the access given to them.
Recommendation: Ensure that your provider practices segregation of duty, and restricts access to systems by seniority. Where possible, segregate duties internally and potentially have different providers taking responsibility for different systems – for example having one provider for internal systems, and another for hosted client systems.
Often, when an IT provider has grown from a one-person show to a bigger company, paperwork does not follow suit. I see this over and over where the outsourced IT company was started by a former employee, where the IT manager leaves and starts his/her own company and remains contracted and subsequently hires additional staff. Ideally, everyone would understand their responsibility around privacy and confidentiality, but often the agreements that were signed initially (if any) are insufficient, and the folks on the ground have little to no understanding of any non-disclosures in place at the contractual level. I have seen breaches occur because a well-meaning technician copied information to a flash drive for further investigation in their own time.
Recommendation: IT companies must train their staff on privacy and non-disclosure, and must also have the same drafted into their employment agreements. From your side, you need to ensure that agreements are in place with the company, and that their technicians understand their own confidentiality requirements. You can have a non-disclosure agreement with the IT company, and simultaneously ask any on-site technicians to sign a confidentiality agreement in accordance with that.
Decommissioning Old PCs and Laptops
Companies frequently sell or donate old equipment without securely erasing the information that is on the computers. From a technical standpoint, it’s important that you understand that a system “reload” does not securely erase information. When you delete information on a hard drive, you’re actually only deleting the file-system reference to the information. This means that while you cannot see the file you just removed, it is actually still in the location it was in on the drive – effectively it becomes hidden. With the right tools, anyone can recreate that reference, allowing access to the files again. Think of it like using Tippex on written information. You’ve “erased” the writing, but you could still scratch off the Tippex to reveal what is underneath. The information is only truly inaccessible once you have written over it again.
Recommendation: Any company decommissioning equipment must use secure erasure methods like sdelete. There are a plethora of tools available for secure erasure, and in general they will operate in such a way that the tool overwrites all the “empty” space on a hard drive – destroying the underlying data as well as the reference to it.
Disabling Security for Convenience
In any sort of cyber security programme, there will be a balance between security and convenience. Secure methodologies add overhead to how you do things. IT companies, in particular technicians, may disable certain security in order to save time and hassle later. It’s important that any technician knows why a certain function has been enabled. Recently, one of my clients had their computer encryption disabled by an IT company because they were not versed in how to recover from a BitLocker failure. They reasoned that encryption is unnecessary and may make their support efforts more complex later. While it is true that encryption adds a level of complexity, it should not be disabled – the technicians should instead be up-skilled on how to maintain it. Disabling the encryption effectively opened the door to huge liability should there be a theft of the laptop.
Recommendation: Your outsourced IT must be familiar with your security policies and what should be enabled. Having a checklist as to what needs to be enabled on any computer is a great way of ensuring that your security remains in place in an outsourced arrangement.
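The checklist can be turned into a script that is run on every machine a technician hands back. The following is an added example, not from the post or any client: it reports whether BitLocker protection, Defender real-time protection and the Windows firewall profiles are still enabled. It assumes the BitLocker, Defender and NetSecurity PowerShell modules that ship with current Windows, run from an elevated session.

```powershell
# Added example, not from the post: an "is security still enabled?" checklist in script form.
# Assumes the BitLocker, Defender and NetSecurity modules that ship with Windows 10/11 and
# Server 2016+, run from an elevated PowerShell session. Each check yields Pass/Fail plus detail.

function Test-WorkstationBaseline {
    $results = [System.Collections.Generic.List[object]]::new()

    # Full-disk encryption: every BitLocker-capable volume should be fully encrypted with protection on.
    foreach ($vol in Get-BitLockerVolume) {
        $results.Add([pscustomobject]@{
            Check  = "BitLocker on $($vol.MountPoint)"
            Pass   = ($vol.ProtectionStatus -eq 'On' -and $vol.VolumeStatus -eq 'FullyEncrypted')
            Detail = "Protection=$($vol.ProtectionStatus); Volume=$($vol.VolumeStatus); KeyProtectors=$(($vol.KeyProtector.KeyProtectorType) -join ',')"
        })
    }

    # Anti-malware: Defender engine and real-time protection must be running, with recent signatures.
    $mp = Get-MpComputerStatus
    $results.Add([pscustomobject]@{
        Check  = 'Defender antivirus + real-time protection'
        Pass   = ($mp.AntivirusEnabled -and $mp.RealTimeProtectionEnabled -and $mp.AntivirusSignatureAge -le 7)
        Detail = "AVEnabled=$($mp.AntivirusEnabled); RealTime=$($mp.RealTimeProtectionEnabled); SignatureAgeDays=$($mp.AntivirusSignatureAge)"
    })

    # Host firewall: all three profiles enabled (a profile switched off "temporarily" during support is a common finding).
    foreach ($fw in Get-NetFirewallProfile) {
        $results.Add([pscustomobject]@{
            Check  = "Firewall profile $($fw.Name)"
            Pass   = ($fw.Enabled -eq 'True')
            Detail = "Enabled=$($fw.Enabled); DefaultInbound=$($fw.DefaultInboundAction)"
        })
    }

    return $results
}

# Run the checklist, print it, and exit non-zero if anything is off so the run can be filed as a failure.
$report = Test-WorkstationBaseline
$report | Format-Table -AutoSize
$failed = @($report | Where-Object { -not $_.Pass })
if ($failed.Count -gt 0) {
    Write-Warning "$($failed.Count) baseline check(s) failed on $env:COMPUTERNAME"
    exit 1
}
```

Keeping the dated output of each run alongside the support ticket gives you evidence, rather than assurances, that the agreed controls were still in place when the machine was returned.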
How do you address this overall?
Aside from having the correct documentation in place, addressing high risk areas like IT outsourcing requires diligence. Basically, you need to audit your provider to ensure that they have the correct agreements in place with their staff, and that they match their security and privacy controls to yours. An effective way of doing this is by implementing a supplier attestation that is completed on a yearly basis. This attestation contains a number of questions that the provider would complete, detailing their security, contractual, and policy position relating to privacy. You would then be able to make informed decisions around your risk in dealing with them, as you can identify what controls are non-negotiable for your privacy risk appetite.
Should you wish to put together a supplier attestation specific to your unique needs, reach out using the calendar below and book an obligation free enquiry call.
Ross G Saunders Consulting offers a number of solutions that can drive your compliance; from affordable 16 week group coaching programmes to comply on your own, through to advisory retainers and full programme management. To find out more about the offerings available, book time directly with Ross using the calendar below.