Your Consultancy Might Be Your Weakest Link
UK store Marks and Spencer got hacked to the tune of $380 million. That’s a large enough number to make boardrooms realize that cybersecurity isn’t just a line in the IT budget next to “laptop refresh”.
The mystery here isn’t that someone in marketing might have handed their password to whoever was running the ransomware operation. It’s that Tata Consultancy Services (TCS) appears to be interwoven in both the IT services and the vulnerabilities that left this retail behemoth exposed to ransomware.
A Digital Dumpster Fire?
TCS worked on M&S’s customer loyalty program (Sparks). M&S hasn’t said whether they paid a ransom. But if they did, here’s hoping it came with a loyalty discount.
Now it looks like this IT behemoth might have played an important part in a ransomware nightmare that has unfolded for this great British company.
We’ve normalized third-party integration so thoroughly that no one knows who’s responsible anymore. Backend passes the buck to the frontend. DevOps mandates two code reviewers but doesn’t show up to meetings. And everyone pretends that “partnering” with a consultancy means “out of sight, out of mind”. Where does the responsibility sit, and what happens when something goes wrong?
I’ve seen developers pull in dependencies from GitHub because they didn’t want to spend a couple of days doing the work themselves and so took the “easy option”, and then we were left patching security vulnerabilities for years afterwards.
Security Holes
Problems with security certainly aren’t new.
I remember working at a high-security gig where we kept the machines in physical lockers with those old-school analogue locker locks. Long story short, they kept the combination on a sheet of paper on top of the lockers so nobody forgot it. This was a project that was important for national security.
Of course, I’ve worked places where IT support used Teams to take control of your machine remotely, without the most basic security oversight to protect our data.
Oh, and when I leave a job I often take the company’s data with me, because although they lock down email and USB access on a machine, it isn’t difficult to figure out how to get everything off the work machine. No, I’m not going to tell you how.
TCS Spring into Action
While M&S customers have been unable to place orders on the retailer’s website, TCS has launched an investigation.
We don’t know when it started, but they’ve kept tight-lipped about the results so far.
So, I guess we’ll see?
Conclusion
You want a secure product? Use your own tech. Build your own tools. Know your stack inside out. Otherwise, the next time something goes wrong, you’ll be reading about your own company in the news, right under a picture of your storefront looking like it’s been robbed. Because it has been, because you left the front door open.