Businesses are putting themselves at risk by failing to
consider the impact of offshore outsourcing on the security of
their IT systems and critical information, according to a former US
government security adviser.
Ira Winkler, author of several books on
corporate security and espionage, told Computer Weekly that too
many organisations were exposing themselves to risk because they
thought about security only after having decided to
outsource.
"I have had security managers telling me they are offshoring
half their staff overseas and asking whether there is anything they
should be worrying about. They don't even know what they should be
thinking about," he said.
Winkler advised businesses to view their offshore operations as
"hostile environments" and to examine the risks before signing a
contract with an offshore supplier.
"If you do not treat development facilities as if they are a
completely hostile environment, people can and will tunnel in," he
said. "I have had a case where a company was attacked from its own
subsidiary in India."
David Lacey, security consultant and former head of IT security
at Royal Mail, said many organisations made the mistake of leaving
it to their lawyers to write security clauses into their contracts
with offshore suppliers. "Chief information security officers
should be involved right from the start," he said.
Foreign governments are also a potential risk, said Winkler, who
estimates that 100 countries are engaged in espionage against the
US.
"The way to combat the internal threat is to make sure people
have more to lose if they are caught than if they stay clean.
Giving people careers and a good salary is a way to make people
stay loyal," said Lacey.