Businesses are putting themselves at risk by failing to consider the impact of offshore outsourcing on the security of their IT systems and critical information, according to a former US government security adviser.
Ira Winkler, author of several books on corporate security and espionage, told Computer Weekly that too many organisations were exposing themselves to risk because they thought about security only after having decided to outsource.
"I have had security managers telling me they are offshoring half their staff overseas and asking whether there is anything they should be worrying about. They don't even know what they should be thinking about," he said.
Winkler advised businesses to view their offshore operations as "hostile environments" and to examine the risks before signing a contract with an offshore supplier.
"If you do not treat development facilities as if they are a completely hostile environment, people can and will tunnel in," he said. "I have had a case where a company was attacked from its own subsidiary in India."
David Lacey, security consultant and former head of IT security at Royal Mail, said many organisations made the mistake of leaving it to their lawyers to write security clauses into their contracts with offshore suppliers. "Chief information security officers should be involved right from the start," he said.
Foreign governments are also a potential risk, said Winkler, who estimates that 100 countries are engaged in espionage against the US.
"The way to combat the internal threat is to make sure people have more to lose if they are caught than if they stay clean. Giving people careers and a good salary is a way to make people stay loyal," said Lacey.
Comment on this article: firstname.lastname@example.org
David Lacey's security blog:
The latest ideas, best practices, and business issues associated with managing security