Outsourcing: The soft underbelly of cyber risks

Controls imposed on suppliers that are weaker than those imposed internally are a soft underbelly that can expose a business to cyber risk

Following a dip in the recession years, outsourcing seems to be coming back with a vengeance. It is once again on its way to becoming common practice for any business seeking to streamline its operations and cope with macro-economic turbulence.

Beyond that, as businesses concentrate their operations on their core services, they make extensive use of global supply chains to ease their entry into new markets and customer channels. As a result, outsourcing is becoming a key organisational strategy.

Finally, outsourcing can be big bucks. Look at Piers Linney, the latest addition to the Dragon’s Den pantheon.

Outsourcing risks

Given today's cyber threats, however, the outsourcing of business processes and supply does not come without risks. Take, for example, the outsourcing of IT operations.

Businesses could be putting themselves at greater risk if cyber security standards are not uniformly upheld by their contractors. Indeed, the key risk that many businesses face when outsourcing is that they themselves do not know which controls and policies the supplier should be adhering to.

Often businesses are happy to accept financial savings without truly understanding if the off-the-shelf solution proposed will be fit for purpose. 


The question to ask here is: Has cyber security been factored into the procurement team’s considerations, or are financial savings the sole aim of the process? And even if cyber security has been taken into account, is it purely from a technical perspective, or has the effect on the overall business value chain been considered?

Unfortunately, in my experience the answer is that, in the majority of cases, the controls imposed on suppliers will sadly be lacking compared with those imposed on internal capabilities. And that is the soft underbelly that can expose a business to cyber risk that is often difficult to manage.

Businesses can outsource to such an extent that the traditional boundary of enterprise controls becomes so eroded that the business is porous by design.

The effects of the outsourced risk may not even be identified early enough for a business to deal with an incident or breach. It is unusual for businesses to conduct due diligence over all of their suppliers, so they will be unaware of how, or whether, the outsourcer identifies and reports breaches.

What is more, the lack of adequate restrictions on the outsourcer further sub-contracting delivery can leave a business unable to pinpoint who is responsible when something goes wrong.

So what is the answer to the risk posed by outsourcing? 

Reducing outsourcing risk

First, although there is no silver bullet, a long-term, risk-based approach must be recognised as necessary.


Procurement is only the first stage. It should include an assessment of the supply arrangement so that, where a significant risk is likely, due diligence is performed on the cyber posture of the supplier and adequate controls are placed on flow-down sub-contracting.

Second, businesses should contractually embed the necessary information security, business continuity and privacy controls, so that continued compliance with internal policy and regulatory obligations is assured.

Third, businesses should undertake acceptance testing to confirm that the supplier has fulfilled its contractual obligations. This establishes a baseline for the service, against which continuing compliance can be verified throughout the supply chain.

Finally, once the service has transitioned to business as usual, the two keys to minimising cyber risk in the supply chain over the long term are close supplier management and the continuous exercise of "right to audit" clauses.

Do not be afraid to challenge outsourcers and ask them to prove that they are delivering what the contract demands. The key to avoiding cyber breaches may, more often than not, be in ensuring that you do not leave your business exposed to a soft underbelly of negligent supply.

Mark Brown is director of risk & information security at Ernst & Young
