How to mitigate the security risks of outsourcing

Outsourcing can present security issues for the customer. Ron Condon assesses the risks firms face, and looks at measures they can take to mitigate them

Outsourcing any part of your business is a risky step, as it means handing over control to another company. The outsourcing supplier may do a better job of the outsourced process than you could, and for a lower cost, but there is also a chance it will get things wrong. And if something goes wrong, it is your company's name that will feature in the headlines.

So, anyone looking at outsourcing needs to think carefully. It is essential to understand the risks, and to take all reasonable steps to keep them to a minimum.

It is also worth keeping the risks in perspective. Since the days of the computer bureaux in the 1970s, companies have given payroll processing to outside suppliers to handle, and for the most part those specialist companies carried out their task without a problem.

But IT is now much more than payroll and accounts. It is intrinsic to the running of the business. Everyone has a screen on their desk, and IT supports virtually all business activities and provides vital links to customers and suppliers. Handing all that over to an outsourcing supplier needs careful thought and planning.

The lure of outsourcing

The attraction of outsourcing, whether locally or overseas, is that it can help cut costs and make them easier to manage and predict. In some cases, outsourcing may also be seen as a last resort to solve an intractable problem - in other words, leaving someone else to sort out the mess.

Outsourcing can be effective, but the people who do it successfully all agree that thorough preparation is essential. Rushing into an outsourcing deal to solve a problem is likely to lead to more trouble.

Paul Simmonds, global information security director at chemical supplier ICI, says outsourcing should not be an excuse to walk away from a task. "The biggest mistake people make is not managing the outsourcing supplier properly," he says.

When Simmonds joined ICI, it had outsourced most of its IT to a range of suppliers around the world, with the majority going to IBM Global Services and Atos Origin.

Simmonds has continued the trend by outsourcing the majority of ICI's security processes. For example, he uses IT security supplier Qualys to check that ICI's desktop systems are being properly patched, thereby getting one outsourcing supplier to monitor what another is doing.

He also outsources e-mail management to MessageLabs, and is on the verge of going to another supplier for web filtering.

Outsourcing security might seem a bridge too far, but he says the move raised no eyebrows among senior management. "The corporate culture is to outsource key non-essential services. It is all a question of assessing the risk, and asking if an outsider can do it better than we can," he says.

He says outsourcing works best when you can ring-fence the task and have a clear interface with the outsourcing supplier.

"You have to know the boundaries. It fails if the company does not define its interface. If they do not understand the problem, then they will not be able to manage the process. If you have an understanding of the problem and plan the outsourcing properly, then your chances of success are greatly increased," says Simmonds.

The planning process should involve spending time to get to know the outsourcing supplier and making sure you are compatible, says Donal Casey, a principal consultant with IT consultancy the Morse Group.

"It is almost like a marriage," he says, adding that it is essential to get an understanding of how the supplier works, rather than accepting its marketing messages at face value.

Recognised working standards, such as ISO 27001 for information security, are a good indicator that the outsourcing supplier takes security seriously, but they are not a guarantee.

Marcus Alldrick, a principal advisor with consultancy KPMG, says some certifications are less reliable than others. "There are some fast-track certifications, so it is worth checking who did the accreditation," he says.

It is also crucial to check what part of the business the certification covers. If it covers HR and you are looking to outsource firewall monitoring, it is not much use, he says.

Conduct a risk assessment

So begin with a risk assessment: look at the potential business impact if the process in question goes wrong, and assess whether outsourcing it would make you more vulnerable than running it yourself.

The higher the risk, the more checking you will need to do with the prospective supplier. In all circumstances you need to get to know them and how they work.

It is essential to carry out due diligence on site, says Alldrick. Work with the outsourcing supplier's people to gain an understanding of their processes, and check the company's controls are embedded in its processes, whether procedural or technical.

For example, check to see if staff try to bypass controls, such as by sharing passwords. Also, check how the company manages starters and leavers, and how quickly the process happens.

"When someone leaves, is their user ID reallocated, and what controls lie behind it? Can you gain accountability for any user ID for any given time, because that is what it is there for," says Alldrick.
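The accountability check Alldrick describes can be turned into a concrete test to run against the supplier's own records during due diligence. The Python below is an added example, not code from this article or from any of the companies named in it. It assumes the supplier can export two things: a list of who held each user ID, with HR start and leaving dates and the date the account was actually disabled, and an authentication log. It then asks, for every successful login, whether the ID can be tied to exactly one employed person at that moment, and measures how long leavers' accounts stayed live. All names, IDs, dates and log lines are constructed for the example.

```python
"""Reconcile an outsourcer's account assignments against its authentication log.

Two checks: (1) can every successful login be tied to exactly one named person who
was employed at the time, and (2) how long after a leaver's last day was the
account actually disabled?  All records and log lines are constructed examples.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Optional


@dataclass
class Assignment:
    user_id: str
    person: str
    start: datetime                   # first day the person held the ID
    end: Optional[datetime]           # HR leaving date; None = still employed
    disabled_at: Optional[datetime]   # when the account was disabled; None = still live

    def live_at(self, when: datetime) -> bool:
        """Account usable by this holder: from start until actually disabled,
        regardless of what HR says about the person's employment."""
        return self.start <= when and (self.disabled_at is None or when < self.disabled_at)

    def employed_at(self, when: datetime) -> bool:
        return self.start <= when and (self.end is None or when.date() <= self.end.date())


# Constructed HR/IAM export.  'ops07' is reallocated from Kumar to Patel before
# Kumar's account is disabled; 'dev03' belongs to a leaver whose account was never disabled.
ASSIGNMENTS = [
    Assignment("ops07", "A. Kumar", datetime(2007, 1, 8), datetime(2007, 6, 29), datetime(2007, 7, 14)),
    Assignment("ops07", "S. Patel", datetime(2007, 7, 2), None, None),
    Assignment("ops12", "J. Rao", datetime(2006, 3, 1), datetime(2007, 5, 31), datetime(2007, 5, 31)),
    Assignment("dev03", "M. Singh", datetime(2006, 9, 4), datetime(2007, 4, 30), None),
]

# Constructed authentication log: one event per line, "timestamp user_id result".
AUTH_LOG = """\
2007-06-15T09:02:11 ops07 success
2007-06-30T07:48:02 ops07 success
2007-07-03T08:55:40 ops07 success
2007-07-20T09:10:00 ops07 success
2007-06-04T07:30:00 ops12 success
2007-06-11T12:00:00 dev03 success
2007-02-01T10:00:00 ops99 success
2007-07-21T03:00:00 ops12 failure
"""


def parse_auth_log(text: str):
    """Turn the constructed log format into (datetime, user_id, result) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user_id, result = line.split()
        events.append((datetime.fromisoformat(ts), user_id, result))
    return events


def attribute(event, assignments):
    """Classify one login: attributed, leaver_login, ambiguous or orphaned."""
    when, user_id, _ = event
    holders = [a for a in assignments if a.user_id == user_id and a.live_at(when)]
    row = {"time": when, "user_id": user_id, "people": [h.person for h in holders]}
    if not holders:
        row["finding"] = "orphaned"        # no live holder: unknown ID or login on a disabled account
    elif len(holders) > 1:
        row["finding"] = "ambiguous"       # ID reallocated before the old holder was disabled
    elif not holders[0].employed_at(when):
        row["finding"] = "leaver_login"    # account still live after the person left
    else:
        row["finding"] = "attributed"
    return row


def accountability_report(log_text: str, assignments):
    """One row per successful login; failures are out of scope for accountability."""
    return [attribute(e, assignments) for e in parse_auth_log(log_text) if e[2] == "success"]


def leaver_lag_days(assignments):
    """Days between HR leaving date and account disablement; None = never disabled."""
    lags = {}
    for a in assignments:
        if a.end is None:
            continue
        lags[(a.user_id, a.person)] = None if a.disabled_at is None else (a.disabled_at - a.end).days
    return lags


if __name__ == "__main__":
    for row in accountability_report(AUTH_LOG, ASSIGNMENTS):
        print(row["time"].isoformat(), row["user_id"], row["finding"], ", ".join(row["people"]))
    for (uid, person), lag in leaver_lag_days(ASSIGNMENTS).items():
        print(f"{uid} {person}: disabled", "never" if lag is None else f"{lag} days after leaving")
```

Every row that is not "attributed" is a question for the supplier: "ambiguous" means two people could have been behind the same ID, "leaver_login" means the starters-and-leavers process ran late, and "orphaned" means either an ID nobody owns or a login the IAM records say should have been impossible. The lag figures answer Alldrick's "how quickly the process happens" with a number rather than an assurance.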

Get to know your supplier

Depending on the level of risk, this process of getting to know the supplier may take weeks or months. "You are relying on the outsourcing provider to manage aspects of risk on your behalf. You need to recognise that, and so does the outsourcing supplier. You need to engage with them and take time to perform due diligence.

"You need to make sure they practise what they preach. Just because you outsource, it does not mean the problem has gone away. So you must build a proper relationship," he says.

Alldrick suggests assigning people in your company to work with their counterparts in the outsourcing supplier, so that a proper relationship can be built and maintained over time.

"Relationships are important, because if and when things go wrong, you need to work together. A close working relationship is essential when it comes to incident management," says Alldrick.

The dangers of poorly managed risk are particularly evident in the energy industry. Ian Campbell, chief information officer for British Energy and chairman of the Corporate IT Forum, lives with the risks all the time, and so any outsourcing has to be done with caution.

"We have to go through all the checks. We vet the outsiders in the same way as we vet ourselves, and that includes penetration testing," he says.

As with many industries, most of these measures are prescribed by industry regulators, which will view the outsourcing supplier as part of the wider virtual organisation and subject to the same standards.

"We ask suppliers to sign up to certain standards, levels of vetting for staff, guarantees about how they run their operations, and whether they have the right physical security, even down to password protection.

"If I get it wrong I go to jail, so it is a strong incentive to make sure I know for sure, rather than just assuming they have it right," Campbell says.

Offshoring risks

However, the need for a strong working relationship may close off one popular route for those looking to cut their costs to the bone - offshoring.

Moving to a low-wage economy such as India may make financial sense, but companies need to factor in the different working culture, and also recognise the new risks that come with it.

"If you move to another country because costs are lower there, the value of your information will be lower because people earn less," says Bill Rann, global head of BT's governance practice.

In other words, it will cost less to bribe staff at an Indian call centre or business process outsourcing operation than it would in more prosperous countries.

"You open up a new set of opportunities for the criminal fraternity. You have devalued the information in the context of the local economic situation. A few hundred dollars will buy a lot of information in India, while it would cost more in the UK or US," says Rann.

Some companies try to mitigate the risk - and comply with the Data Protection Act - by adopting a thin-client approach, keeping the files stored back in Europe so that no data sits on disks at the offshore site. But as Alldrick says, if the terminals in India are connected to a local printer, there is still potential for data loss.

Beyond security

Although customer details being stolen from an Indian call centre may grab the headlines, there is another more basic risk inherent in outsourcing, and that is the loss of competitive edge.

Rann cites the example of investment broker Charles Schwab, which started out offering cheap services to traditional brokers, and eventually entered their market as a direct competitor. Many outsourcing suppliers, especially those in emerging economies, have ambitions to move up the value chain as they learn more about how developed companies operate.

For organisations that outsource parts of their business, there is a risk of losing their core skills as they become more reliant on the outsourcing supplier.

Rann says it can easily happen. "Companies need to know where their sources of competitive advantage lie, and should deepen their skills in those areas. Third parties can then build up their own core competencies. If you get it wrong, then you can be caught by surprise by someone who builds a good relationship with your customers, delivers strong value, and moves into your space from a different direction," he says.

Campbell says, "It is worth bearing in mind that many companies use outsourcing as a way of learning in order to compete at a later stage. You could be arming another company or country to compete with you."

His advice is to identify and retain your own special core skills and keep control of technical roadmaps and design. That way you retain influence over what you want to achieve, whoever is doing the work.
