What are the data security risks companies face when they outsource their work?
Written by: Terri Rue-Woods, Information Assurance/Executive Strategy Officer, e-End
In the wake of several severe cyber security breaches like Best Buy, Sears, Kmart, and Delta, all through third-party connections, cyber security experts advise that companies practice prudence about their associated connections. One so connection regarding outsourcing tasks to third party vendors.
In the past ten years, outsourcing-the practice of handing over control of public services to another private enterprises-has exponentially increased. This expansion could possibly be due to the availability of advanced telecommunication technologies like VoIP phones and shared cloud server that assist with the remote connections. Whatever the initial reasoning, companies now find that outsourcing internal business tasks can significantly cut down on a lot of business over head costs. In addition to financial reasons, according to Deloitte’s Global Outsourcing Survey some companies find that outsourcing can help with a variety of other means. This list includes: enabling them to focus more on the core functions of their business; allowing them to solve capacity issues; and enhancing the quality of their services. In addition, some found that outsourcing was a critical asset to their business needs; while others found that it helped them to manage their business environment better. Lastly, in the survey, many found that the practice helped to drive a broader transformational change in their business for the better. For the majority of the businesses that function using some sort of outsourcing services, the results seem promising. In fact, the Deloitte survey also reported that an average of 78% of business that use outsourced services felt positive with the results and the relationship they had.
However, nothing is 100% perfect. Handing internal services of a company over to another company does not come without some sort of risk.
“The main negative effect of outsourcing is it increases U.S. unemployment. The 14 million outsourced jobs are almost double the 7.5 million unemployed Americans.” Says, Kimberly Amadeo, a senior-level corporate economic analysis from the Balance.com. In her article, “How Outsourcing Jobs Affects the U.S. Economy - Seven Things You Should Know About Outsourcing”, she fears that “The pressure to outsource might lead some companies to even move their whole operation, including headquarters, overseas.” Also that “Others might not be able to compete with higher costs and would be forced out of business.”
“It’s become synonymous with corporate irresponsibility but outsourcing also offers jobs and community programmes [sic]” as argued by the Paul Klein, president and founder of Impakt and author of the article, “Outsourcing has a bad reputation but are there reasons to be cheerful?” featured in the Guardian.
Both concerns are practical in nature, but not the biggest or by far the more important. When surveyed, roughly 160-170 US senior executives from a variety of industries discovered that about 91% of respondents were more concerned about their data security and information theft while outsourcing. According to the survey, when asked, executives noted that cyber security is an extremely important factor in choosing an outsourcing agency apart from things like business stability and financial strength. It’s so crucial that many companies are willing to pay an additional fee for extra security.
In a very recent study featured by the NT Bureau, authors for News Today.com, 10 companies in India were reviewed for their due diligence in client data security efforts. Their report revealed that sadly, “Most organisations have cyber security functions that do not fully meet their needs; more than half of the organisations are investing in analytical capabilities as a first step,” it said. The report went on to say that, “The executive management in five of the 10 organisations has limited or no understanding of cyber security.” The report centered on companies in India. As bad as this news can be, it only stands to get worse when we consider that India is one of the most popular countries for outsourcing. India’s National Cybersecurity Policy generated in 2013, unfortunately has been slow and sluggish to push for the necessary reform and updates needed to deal with the ever growing demand and sophistication of today’s cyber threats. Despite its fast pace growth of being the leading provider of outsourcing labor, India waits for its government to grant them the needed new policies.
Outsourcing tasks and projects to third-party companies isn’t a bad practice. Some advocates of outsourcing believe that despite the loss of some U.S. jobs to foreign country outsourcing (and offshoring), the results are more beneficial to less-developed nations. And in the long-run financially speaking, outsourcing can increase a company’s profits due to things like lower labor cost.
So from a data security aspect, what CAN Businesses looking to outsource do to not become victims? First off, it’s important that if a business is interested in indulging in outsourcing whether it be local or international, they are taking the initiatives to conform to certain laws. One out of 5 organizations are non-compliant with their own state and federally required data security regulations. It’s suggested that with proper policy rules, companies stand a better chance avoiding data breaches and costly fines due to compliance violations. In addition to the creation of said policies, it is a good practice for businesses to conduct random policy audits to ensure their enforcement.
Secondly, it’s recommended that companies make sure their employees are trained for all new and adjusted policies. Monthly training sections, tests, and even hiring consultants such as legal and security executives are ways to teach staff about proper cyber security tactics. According to the Center for Internet Security, Two-thirds of 2015’s security incidents in the public sector were due to human error and intentional abuse of privileged accounts. (Information acquired by a 2016 Verizon Data Breach Investigation Report).
Prior to any decisions of outsourcing, it would be wise for businesses to establish their own security policy set with dedicated practices for how the company plans to proceed going forward. Documentation procedures and agreements that stipulate confidentiality, information transferring, storage, and security protocol should all be in place before awarding any projects.
Lastly, when selecting a vendor to outsource with, companies need to be particular. Many high-level executives that benefit from outsourcing services agree that up-front requests for a vendor’s cyber security policies and practices within the initial RFI makes selecting an outsourcing partner easier down the road. This deep look into the company’s business operations and conflict resolution methods especially concerning information security and data breaches is the very insight necessary to help you formulate an idea of what your future relations may be like.
Making a selection for an outsourcing partner isn’t an easy task. For the many reasons companies choose to go for outsourcing and working with another company one thing is clear, it is a good idea to make the safety of your data a top priority, both before you work with a third-party company and after.