Who’s Really Accountable?
When companies outsource IT services to third-party providers, operational tasks may shift, but accountability for protecting customer data always remains with the original organization. A breach through a vendor still damages the company’s reputation, finances, and trust.
Responsibility vs. Accountability
- Responsibility: Day-to-day security tasks carried out by the third-party provider.
- Accountability: The organization remains ultimately answerable for data protection, regardless of outsourcing agreements.
Understanding Third-Party Risks
Outsourcing widens the attack surface: a vendor's weak security posture can become the entry point through which the entire supply chain is compromised.
Case in point:
In April 2025, Marks & Spencer (M&S) suffered a ransomware attack by “Scattered Spider” through compromised credentials from Tata Consultancy Services (TCS), its IT provider.
- Online shopping was taken offline.
- Losses exceeded £60 million ($80 million), with over £1 billion wiped from market value.
- The incident highlighted how attackers exploit third-party access.
Best Practices for Managing Vendor Cybersecurity Risks
- Due Diligence: Evaluate third-party security before engagement.
- Strong Contracts: Include strict cybersecurity clauses in agreements.
- Continuous Monitoring: Audit vendors regularly for compliance.
- Access Controls: Limit vendor access to sensitive data.
- Incident Response Plans: Prepare for third-party breaches.
- Training & Awareness: Educate both employees and vendors.
- Transparent Communication: Encourage prompt reporting of issues.
- Policy Reviews: Update policies to keep up with evolving threats.
The Importance of Transparency
In the event of a breach, open communication with stakeholders is critical. M&S emphasized transparency, which helped maintain customer trust even during the disruption.
Conclusion: Accountability Can’t Be Outsourced
The M&S attack underscores the importance of robust third-party risk management. While operational responsibilities can be outsourced, ultimate accountability remains with the organization. Clear oversight, strong vendor management, and transparent communication are key to safeguarding operations and customer trust.