Thursday, October 18, 2007

A preview to security risks in offshoring

Offshoring can often help companies realize substantial cost savings by sending certain functions overseas, where labor costs are a fraction of those in the United States. However, there is more to consider than just the lower labor costs of employees in India versus their domestic counterparts. In this day and age of heightened security sensitivity, it's important to make sure that, in addition to going after cheap labor, you are not buying yourself a slew of security exposures as well. The decision on whether or not to outsource should not rest solely with the CFO. The chief security and compliance officers should also be involved because of the many security and regulatory-related issues involved with offshore outsourcing.

Data risk exposures

There are two major issues to consider when addressing offshore security and data risk. The first is granting offshore engineers access to computer systems located within your company's network. Are you monitoring the activities of the overseas engineers? If the work that's being sent offshore is project-based, are you ensuring that access is removed when the project is completed? Do you have security professionals monitoring the activities of the offshore engineers? While all of these activities are critical, they add both complexity and cost to IT offshoring projects.

It is also important to review what type of work is safe to send offshore. For instance, outsourcing production support overseas entails a high degree of risk. Engineers providing production support generally need highly privileged access in order to provide that support. Such access also simplifies illegal activities such as data theft and industrial espionage. Give a clever engineer enough access, and he or she can not only steal data from you but also thwart any monitoring software designed to detect such activities.

You should consider projects that don't entail sending sensitive customer information offshore or granting remote access to your internal network. Software development doesn't require providing sensitive customer data offshore. The development work can be performed offshore, and the code can then be securely transmitted to your company. You may consider creating a special offshore/development segment of your network that allows your offshore engineers to work without providing access to the rest of your internal systems.

Think about the type of information that you're sending overseas. Will it include sensitive information such as medical records or tax returns? While privacy laws for electronic data are relatively new here, they are almost nonexistent in many foreign countries. Even where there are legal prohibitions against data theft, the actual number of prosecutions is minimal. Simply put, there just isn't too much risk in committing data theft in many overseas countries, particularly if the victims are foreigners; in this context, that would be you and me.

Background checks

Much of the new-hire vetting that's commonplace with background checks performed here in the United States just can't be done in many foreign countries. For example, India just doesn't have the capabilities to perform what would be considered a thorough background check by American standards. In addition, drug testing is generally not done as part of a background check in India. The exception is checks done when applying for an Indian passport. So your company can actually benefit from government background checks by contractually mandating that all employees handling your company's data have an Indian passport.

Can offshoring really save you money? The obvious answer is yes. However, it needs to be done responsibly. Think long and hard before giving engineers located halfway around the world access to your company's internal network. Likewise, consider the risks involved in sending sensitive customer information offshore.