In Depth

Offshore Outsourcing: Don't Forget IT Security

Offshore outsourcing may save you money, but it also creates new risks. Here's a guide to necessary IT security measures

By Christopher Koch

Page 5

Both CNA and BNSF have staff who work on securing and monitoring the outsourced work. Both manage the networks that the outsourcers work on and provision the servers and PCs used by the providers with software they assemble and update themselves. They monitor network usage themselves and audit that usage as they would for internal employees.

It ain't cheap. For business process outsourcing, which can involve highly sensitive data, risk management measures can eat up 15 percent to 19 percent of the cost savings of going offshore, according to researchers at Tower Group. For software development, which involves less access to sensitive data, due diligence and risk management eat up 6 percent to 10 percent of the savings. Yet even then, the overall savings are there.

Best Practice Two: Perform Due Diligence Work Up Front

Due diligence does not mean reading a provider's customer list and watching a PowerPoint show about its security practices and metrics. Nor does it mean accepting claims that the vendor adheres to industry standards like COPC, a quality standard for customer service contact centers, and Safe Harbor, which covers European Union data privacy protection rules; neither is a substitute for verifying the provider's actual security controls.

Given the dramatic growth and turnover in many offshore companies, customer references age quickly. Worse, customers may not admit to security problems they've experienced offshore because they fear bad publicity if word of the problems reached their own customers and the media. Indeed, very few companies were willing to go on the record for this story or discuss their offshore security practices.

Companies we spoke with said they hire security consultancies that have employees in various offshore destinations to check out the local reputations of the providers and do employee background checks. These companies also hire lawyers in the outsourcing destination country who have a good knowledge of data protection and intellectual property laws. They check up on the outsourcing companies and examine provisions in the contract to see if they will be legally enforceable.

Security due diligence takes time, cautions Sony's Wheatley. "People watch too many cop shows. They think we can find answers to security issues in 12 hours," he says. "It doesn't work that way. Seventy to 80 percent of the time we find something that is bad enough not to do the business or get out of it if we're in it. Then we need time to figure out a solution or have the ability to walk away from the deal. Sometimes two weeks turns into four months when we find problems. It can take time to check these things out."

Best Practice Three: Lock Down the Infrastructure

From the moment CNA began sending BPO and software development work offshore in 2002, it took full control of the computing infrastructure at its outsourcers. CNA configured servers, laptops and PCs in the United States with all the software that the outsourcers' employees would use. CNA sent staff along with the computers to set them up in India and connect them to CNA's dedicated network link. Firewalls at the provider site and at the U.S. end of that link keep malware on the provider's local network, or on CNA's own network back home, from reaching those machines. When the outsourcer's employees log in to the CNA network, software and security updates are pushed to their machines from CNA, but only after the machine's installed software has been inventoried and validated against CNA's approved build.
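The inventory-and-validate step that gates CNA's update push is the part of this practice worth seeing in code. The following is an added example, not CNA's tooling or anything from the article: a provider PC reports its installed software at login, and the home side compares that report against a signed-off baseline before deciding whether to release updates or quarantine the machine. The package names, versions, hashes and inventories are all constructed for the example.

```python
"""Baseline validation of an outsourcer's PC before updates are released.

Added illustration (not CNA's or the article's code). The home side holds
an approved build manifest; a machine logging in reports name, version and
binary hash for each installed package. Any package not in the manifest,
any approved package whose binary hash differs at the same version (likely
tampering), and any missing mandatory package block the session; a version
drift on an approved package is simply corrected by the update push.
"""
import hashlib
from dataclasses import dataclass


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Approved build for provider machines. Constructed for this example: the
# "binaries" are placeholder byte strings, hashed so the comparison is real.
BASELINE = {
    "claims-client": {"version": "4.2.1", "sha256": sha256_hex(b"claims-client-4.2.1")},
    "av-agent":      {"version": "9.0.3", "sha256": sha256_hex(b"av-agent-9.0.3")},
    "vpn-client":    {"version": "2.7.0", "sha256": sha256_hex(b"vpn-client-2.7.0")},
}

BLOCKING_KINDS = {"unapproved", "tampered", "missing"}


@dataclass(frozen=True)
class Finding:
    package: str
    kind: str      # "unapproved" | "tampered" | "version_mismatch" | "missing"
    detail: str


def validate_inventory(inventory, baseline=BASELINE):
    """Return (decision, findings).

    decision is "release_updates" if only version drift was found (the push
    itself fixes it), or "quarantine" if anything blocking was found.
    inventory is a list of dicts with keys name, version, sha256.
    """
    findings = []
    seen = set()
    for item in inventory:
        name = item["name"]
        seen.add(name)
        approved = baseline.get(name)
        if approved is None:
            findings.append(Finding(name, "unapproved",
                                    f"{name} {item['version']} is not in the approved build"))
        elif item["sha256"] != approved["sha256"]:
            if item["version"] != approved["version"]:
                findings.append(Finding(name, "version_mismatch",
                                        f"{item['version']} installed, {approved['version']} approved"))
            else:
                # Same version string but a different binary: treat as tampering
                # until staff have looked at the machine.
                findings.append(Finding(name, "tampered",
                                        "version matches baseline but binary hash does not"))
    for name in baseline:
        if name not in seen:
            findings.append(Finding(name, "missing", f"mandatory package {name} is absent"))
    decision = "quarantine" if any(f.kind in BLOCKING_KINDS for f in findings) else "release_updates"
    return decision, findings


def plan_updates(findings):
    """Packages the update push should re-deploy to bring the PC back to baseline."""
    return [f.package for f in findings if f.kind == "version_mismatch"]


# Constructed sample reports from two provider PCs.
PC_DRIFTED = [   # one stale client, otherwise clean
    {"name": "claims-client", "version": "4.1.0", "sha256": sha256_hex(b"claims-client-4.1.0")},
    {"name": "av-agent",      "version": "9.0.3", "sha256": sha256_hex(b"av-agent-9.0.3")},
    {"name": "vpn-client",    "version": "2.7.0", "sha256": sha256_hex(b"vpn-client-2.7.0")},
]
PC_SUSPECT = [   # modified binary, extra tool installed, AV agent removed
    {"name": "claims-client", "version": "4.2.1", "sha256": sha256_hex(b"claims-client-4.2.1-patched")},
    {"name": "vpn-client",    "version": "2.7.0", "sha256": sha256_hex(b"vpn-client-2.7.0")},
    {"name": "usb-sync-tool", "version": "1.0",   "sha256": sha256_hex(b"usb-sync-tool-1.0")},
]

if __name__ == "__main__":
    for label, report in (("drifted", PC_DRIFTED), ("suspect", PC_SUSPECT)):
        decision, findings = validate_inventory(report)
        print(label, decision, [(f.package, f.kind) for f in findings], plan_updates(findings))
```

The point of hashing rather than trusting version strings is that a version number is whatever the machine reports, while the hash ties the check to the actual binary; a quarantine decision should cut the machine off from the dedicated link at the firewall rather than merely withholding updates.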
