Is IT Safe Outside?

April 9, 2006

Driven by the convergence of computers, open standards and connectivity, today’s digital economy is seen by many as the fifth technological revolution of the industrial age. And one of its key features is the trend towards outsourcing. In today’s complex and challenging world, few firms can do everything themselves anymore. Most need to focus where they excel, and call on outside expertise to get other tasks done.

Of course, outsourcing is nothing new – people have been doing it for centuries. At home, for example, people commonly outsource cleaning, decorating and other tasks. It’s the same at work – few organisations have ever done everything using solely their own resources.

What’s different now is that an increasing amount of work can be digitised. That makes it as easy to outsource to a supplier on the other side of the planet as one in the same city. If they have the skills to do the work, there’s no problem in getting it there.

However, this raises an interesting question. As our world gets more interconnected, does it get more risky? Let’s suppose you outsource your payroll administration to a service provider. Does the risk you face go up or down? And does it matter where the provider is based or does the work?

A real risk?

So what is the truth about this ‘new’ risk?

It’s certainly easy to find scare stories – especially where offshoring to Asian firms is concerned. For example, in 2005 it was reported that a former call centre worker in India had offered to sell British bank account details to an undercover reporter. Details of mortgages and medical bills were also reported to have been offered for sale. Often, however, such stories do not bear scrutiny. The company at the centre of this allegation appears to have no connection with the British banks involved, for example.

Such stories obscure the truth of the situation.

Security leaks can occur anywhere – not just in Asia. In April 2005, for example, CitiFinance, the consumer lending arm of New York’s Citigroup, said confidential information on 3.9 million customers had been lost while UPS, its courier company, was transporting computer backup tapes.

And standards of security can be high no matter where a company is located. Employees who work for one Indian IT service vendor, for example, have their bags searched when they arrive for work and have to hand over their mobile phones at the door. When they arrive at their desks, all the papers they worked on the day before will have been shredded. They can’t copy or move files, and they have a phone that can’t call anyone except the help desk. The computer is locked to them and is unable to access the internet or send email outside the organisation.

What’s more, such levels of security do not just apply in IT firms. As the Financial Services Authority (FSA), the UK’s watchdog, reported in May, security at Indian call centres is, in some cases, better than in the UK.

Real issues

That’s not to say there aren’t real issues to consider when it comes to outsourcing and offshoring.

Take, for example, the new regulatory environment put in place in the wake of corporate scandals such as Enron and WorldCom. Most prominent are the Basel II regulatory framework – an overhaul of capital adequacy rules for banks – and the US Sarbanes-Oxley Act, which has reformed corporate governance and affects any company whose shares trade on US exchanges.

Imagine you’re a European company that keeps its taxation records electronically and that the computer you use is operated for you by an outsourcer. Now imagine the outsourcer decides to move the computer from Europe to one of the southern states of the USA. The service is the same, so should you worry?

The answer is yes. Along with the computer, the tax records have moved and, if you did that without the permission of the relevant tax commissioners, they can make you bring them back. Even though it may be your outsourcer that made the move, it’s still your firm that has to comply with the law.

The Sarbanes-Oxley Act is another example. It says a firm can’t share the risk of compliance. So, if your service provider fails you, sure, you can sue them, but the government will still come after you for non-compliance.

The bottom line is that you can outsource the implementation of security all you like, but you can’t abdicate your accountability.

Cleared for contact?

When you hire another company to interact with your customers on your behalf, there are other issues to think about – most importantly, the confidentiality of customer data. These apply no matter how you are communicating – whether it’s by voice, email, through a web site or by text message.

There are several key areas to consider.

First, you need to ensure that customer data is supplied to your service provider only in accordance with the relevant laws. The European Union’s Data Protection Directives, for example, address the issue of exporting such data to other countries.

Second, it’s important the supplier takes adequate steps to protect any data it receives from you or collects on your behalf. If the company is based in another country, it must respect the laws you are bound by, and not just those that apply there. Depending on your business, you may also have to make sure the outsourcer works in accordance with the laws of the country where your customer is based. Californian law, for example, imposes obligations on those doing business with anyone who lives in the state. Always remember, you can’t ‘contract out’ of the law. The local laws of the countries involved will always take precedence over your contract.

Third is the question of identity verification. The outsourcer must confirm that every person it interacts with is who they claim to be, and be able to demonstrate that appropriate checks were made. It doesn’t matter who processed the enquiry, it will always be your company that’s contractually responsible.

Finally, if your supplier’s staff use your IT systems to do their work, access levels must be established clearly and updated regularly. Rumour has it, for example, that after the chief financial officer left one major company, system administrators found that a cleaner with the same name had been employed and given rights to access all the company’s financial systems. Such accidents do happen, and are even more difficult to prevent at a distance.

What to look for

Of course, you could just stick your head in the sand and wait until outsourcing goes away. Chances are, though, that you’d simply go out of business. Outsourcing is a real – and valuable – part of modern business, and it’s here to stay.

The important thing, then, is to identify the issues and address them. And as in any other relationship, it pays to have a good idea of who it is you’re about to do business with before you get into the nitty-gritty of routine contract negotiations.

There are four main things to look for:

1. Choose a service provider that is both best-of-breed and proactive. Many will merely give you what you ask for. You need to find a supplier that is constantly monitoring developments and constantly pushing forward the boundaries of what’s possible.

2. Choose a supplier that does not regard the implementation of security as an overhead but as a core value. You want to be sure they will offer you the most appropriate security solution for your needs, making the best use of current technology at a price you can afford to pay. Many suppliers tend to treat security as part of ‘business as usual’ until something goes wrong. They shouldn’t. It needs to be singled out and taken seriously.

3. Find a supplier that is willing to be flexible in its offering. No one size ever fits all, particularly in today’s market. Many companies want to outsource tasks these days rather than own large in-house capabilities. Whether you just want security consultancy, a managed service model or to outsource fully, make sure the supplier you are approaching has the flexibility to offer you what you need.

4. Find a supplier that is prepared to assure your interactions as well as your security. It won’t be easy – at the moment, what many companies end up with is a hotchpotch of contracts that don’t actually guarantee anything. The supplier needs to be prepared to look at the whole lifecycle of any interaction and give you advice and assurances all round.

Finally, bear in mind that the world promises to get ever more complex – especially where technology is concerned. Both you and your supplier need to be expert in defending your businesses against electronic attack, or to work with a company that’s equipped to handle such things for you. The less honest members of our society will be quick to exploit any gaps that open in your defences.

But don’t be put off. Business is all about taking risks and reaping the rewards, and outsourcing is nothing new. It’s just another area of risk that has to be assessed and understood. And, like other risks, it pays to seek expert advice if you need to. After all, it’s better to be safe than sorry.
