For those of us who study enterprise IT security, last year's Target store hack turned out to be a fantastic case study that was loaded with lessons to learn.
So much information has been written and discussed that surrounds when the breach occurred, how it happened and who was affected. And this hacking scandal seems to have had one last lesson to teach -- who's to blame. As class-action lawsuits started rolling in, most placed blame solely on Target, while another sought to implicate their outsourced IT security partner as well.
There's no doubt that the Target Corporation will take the brunt of the blame and they are the organization that class action suits list first and foremost. But interestingly enough, one suit filed on March 24th listed both the Target Corporation and their alleged third-party IT security audit vendor -- Trustwave -- as defendants. The suit raises the curious question of just how responsible IT security auditors are when it comes to the thoroughness and accuracy of their work.
Nearly every enterprise organization that I've ever worked in will seek out a well-respected third party to perform IT security audits, evaluations and penetration testing. Third-party audits are preferred over in-house audits because the external company and its staff are thought to be impartial and are more likely to spot security flaws than employees who work within the environment every day. In the suit filed by Trustmark National Bank, the claim was made that since Trustwave was the IT security auditor for Target both before and after the time of the data breach, they should be considered just as liable for the costs that banks ultimately incurred.
Some of you may think that when customers contract third-party IT security-auditing companies, the agreement includes some type of liability incurred by the auditor. But in fact, there are almost never any statements regarding any type of accountability. As a recent SecurityCurrent blog points out, passing liability to the third-party vendor would significantly increase the cost of the audits due to the fact that the auditor would likely require costly liability insurance coverage.
While I'd love to force IT security audit companies to be more responsible for their audits, the reality is it won't make the audit any better. Most security audits occur once a year -- all the while, infrastructure software, hardware, and IT processes are constantly changing and in flux. Add to that the fact that dozens of new and previously unknown vulnerabilities pop up daily, and you see that a security audit is nothing more than a brief snapshot in time. To require the auditing company to carry the burden of future data breaches is ridiculous.
It came as no surprise then when I read a few days later that Trustmark National Bank abruptly dropped its suit against Target and Trustwave. In a court of law, Trustwave would overwhelmingly win, as there is no way a security audit is any kind of guarantee against data breaches. So the lesson to be learned here is this: No matter what, the party ultimately responsible for a data breach is the one that actually owns the data. And IT security audits, while a wonderful resource, are neither completely thorough nor foolproof.