Outsource Payroll Processer Sage Breached – Lessons to Learn

Sage Group, an international cloud based accounting,  payroll, HR and CRM services company acknowledged a breach this week.  The breach affects around 300 companies based in the U.K. but the value of the breach is not in who got breached, but rather the lessons to be learned from it.

The company provides accounting and payroll services in 23 countries, is listed on the FTSE 100 list and has over 13,000 employees, so it is not a small company.

Sage has only said that the unauthorized access occurred through the use of an internal login.  They did not say whether that meant a rogue employee or a hacker inside the walls of their fortress.

Given that they are a payroll and accounting service, the data that they hold includes names, addresses, insurance information, dates of birth, banking information and other financial information.

The British Information Commissioners Office said that “the law requires organisations to have appropriate measures in place to keep people’s data secure.  When there’s a suggestion that hasn’t happened, the ICO can investigate and enforce if necessary.”

So what are some of the lessons to learn from this?

1. Just because you outsource it does not mean that you are not responsible.  While Sage will take the brunt of the hit, those 280 or so companies who’s employee and financial information are at risk will both feel the heat and pay the bill.
2. If you choose to outsource services such as payroll, understand where the financial liability lies.  In the contract, in writing, it should say who is responsible and exactly what they are responsible for.  Is Sage going to make these 280 companies whole?  How exactly are they going to do that?
3. If the outsource provider is going to make you whole, do they have the financial ability to do that.  Some outsourcers have cyber liability insurance, but only a small amount.  Let’s say Sage has a $5 million policy (and I have no clue, they could have a $500 million policy, but I doubt it).  That $5 million might cover the cost for one customer.  And it might not, depending on the size of the customer.  But in this case, and many others, they have to make hundreds of customers whole.  If $5 million is the right number to make one company whole and there 280 companies involved, then $5 Mil x 280 =  $1.4 Billion is the magic number. The good news is that Sage generates over a billion dollars in revenue a year, so, in theory, they might be good for it – if, as it says in item 2, they are even liable for it.  Small companies – or companies that are not yet profitable – are not going to be able to write that check, so the best you will be able to do is drive them into bankruptcy and then you get to write that check.
4. It sounds like this COULD be an inside job.  Alternatively, it could just be a hacker who snuck behind the walls of the fortress, compromised an ID and is making it look like an insider – which brings us to the next item.  If it is an inside job then it becomes a people conversation – what is the right balance for watching people.
5. Audit, audit and then audit some more.  You have to know who did what when.  What they accessed. What they did with it.  This is likely 10 times more stuff than you audit today.
6. Make sure that the audit logs cannot be accessed or erased by a rogue employee or a hacker.  The first thing a smart hacker will try to do is erase the logs.  If the logs are shipped offsite, in real time, to a server that is not part of your domain and for which, neither your users’ nor your administrator’s credentials will work on, then you have made the hacker’s job of erasing the logs very difficult.
7. Make sure that you keep the audit logs for a long time.  Long means AT LEAST one year; preferably longer.  In one of the hacks that I wrote about yesterday (HEI Hotels), the hackers were inside for 15 months PLUS the time it takes to investigate.  If you want to find out how they got in and you only have six months of data, that is not going to help much.  If you only have six months of data and they were there for 15 months, you are not going to know what they took, so you, and the authorities, will have to assume the worst.
8. If the British ICO is any example, don’t count on the authorities to do anything meaningful in any time that is important.  Maybe a couple of years from now Sage will be fined, but that won’t help you much now.

This is just some food for thought, but thinking now will allow you to figure out what happened when the ka-ka hits the rotational air movement device.

By the way, this has nothing to do with the Cloud.  A traditional outsource provider using internal systems provides the same risks.

If you do not have a vendor risk management program, today would be a good day to start one.

Information for this post came from Dark Reading and ZDNet,

[TAG:TIP], [TAG:Breach]

by