It’s becoming more and more common. Another company has suffered a data breach. Two weeks ago from the time of writing it was Dischem. Not too long ago, it was TransUnion. And Nedbank. There have been questions raised on social media commonly asking “why is this becoming more common?”. I have thoughts on this.
There is a business technology trend which has resulted in this: cloud-based software services, and ever increasing automation of business processes. It has become easier and easier for any company to have the efficiencies of technology when running their business. Out of the box, you can use Yoco to track your sales and generate invoices. You can use Sage Online to manage your inventory. You can use Radar to manage your HR administration and payroll. You can use Office 365 to manage your emails. Your whole business can be run efficiently without having a server of your own to run your own software.
And larger enterprises are also getting in on the action. Though they can afford large software teams, with the increasing war on talent and the insatiable demand customers have for more efficiencies, many rather focus their technical talent on their differentiating core competencies. Email is not a core competency of a bank, so they can subscribe to an online solution. Tax is not a competency for a telecommunications company, so if much of the automation can be offloaded to a third party, then so be it.
Except, as you can imagine, this opens the door to breaches of data. The result of this offloading of processing is that an organisation’s data can be spread across several third party providers. If any one of those third parties is compromised, every business they rely on is also compromised.
Previously, when large enterprises used to host all of their own software within their own infrastructure, extensive security testing was completed by experts to ensure that the organisation’s data is as safe as possible. Because of the demand of their service and the rarity of the skills, these cybersecurity experts are very costly, only affordable by the large enterprises with deep pockets. Many years ago, I met someone who was doing this security testing at a large bank. His company charged him out at more than R100 000 per day. This leaves the smaller software providers that provide niche services unable to afford such expertise, and more vulnerable to nefarious actors.
Because of the trend of using third party services for non core functions, there will likely be more data breaches in future. This is not to say that these smaller companies are necessarily not secure. There are an increasing number of actors with ill-intentions in the larger ecosystem, with increasingly sophisticated ways of compromising software systems. At some point in future, I suspect a common objective security audit will be required of the third party providers that verify they have taken the necessary precautions in protecting client data. Such an audit may prove to be costly for the new entrants and smaller players, disqualifying them from large enterprise clients.
There is something that the smaller providers can do to prevent this from happening: leading the conversation on this common standard, and adopting their own recommendations as a positive signal to potential clients.