Consider security before outsourcing business functions

by Jonathan Yarden | Sep 23, 2005 7:00:00 AM

Tags: Jonathan Yarden, security, outsourcing, outsource, Jonathan Yarden, Internet Security Focus Newsletter

Takeaway: Outsourcing has long been a raging debate in the IT industry, and both advocates and opponents argue the issue passionately. While Jonathan Yarden's not about to get in the middle of this dispute, he does have one caveat for companies that decide to oursource services: Don't abandon security in the name of cutting costs.

When it comes to operation costs, human labor is the most significant expense for any company. It has long been a common practice for companies across the globe to look for—and find—cheaper goods and services in other countries.

It's a fact of life that successful companies minimize cost to maximize profits. Since the major cost for companies is human labor, minimizing that cost with overseas outsourcing is one way to increase profitability. Outsourcing labor to other countries as a cost-savings measure is nothing new.

In the information age, it's a common practice for companies to outsource business functions overseas that they don't consider "cost-effective" domestically. This is where traditional methods collide with Internet and information security.

I am by no means suggesting that companies shouldn't outsource their business functions overseas. However, it is imperative that companies make sure they enforce the same rules and regulations that apply domestically.

Cheaper labor doesn't always translate directly into cost savings. Many companies neglect to consider factors other than cost when outsourcing overseas, such as security and privacy.

For example, one company outsourced to another until medical records for a California hospital ended up in Karachi, Pakistan. A medical transcriptionist in Pakistan threatened to publish patient records on the Internet because her employer had not paid her.

It wasn't good publicity for the hospital, and it was a terrible breach of security and privacy for the people involved. And, because the woman works in another country, U.S. regulations are virtually unenforceable.

There are also numerous cases where audits of software developed overseas have uncovered unexpected vulnerabilities. Make no mistake: The same security concerns apply for any company using offshore technical services, especially when the Internet is involved.

Companies expecting to save costs by using overseas labor may find that saving money is less important than protecting information security. While there's no way to completely ensure security, there should certainly be restrictions on what exactly companies can outsource. In addition, there are some areas that companies should never outsource in the first place.

Remember: Outsourcing takes security out of your company's hands and puts it into the hands of another organization—and you must be sure you can trust its security measures completely. Companies need to monitor their own behavior when it comes to offshore outsourcing.

In my opinion, it's inevitable that companies will eventually change their economic models to include information security. But in the meantime, most companies forget entirely about security and privacy concerns in an effort to save costs.

Miss an issue?

Check out the Internet Security Focus Archive, and catch up on the most recent editions of Jonathan Yarden's column.

Want more advice for locking down your network? Stay on top of the latest security issues and industry trends by automatically signing up for our free Internet Security Focus newsletter, delivered each Monday.

Jonathan Yarden is the senior UNIX system administrator, network security manager, and senior software architect for a regional ISP.

Print/View all Posts Comments on this article

Not only offshoreIndyJoe  | 09/26/05

What about Legal liabilityIT cowgirl  | 10/07/05

Too much risk to John Q Publicgregorym2  | 10/12/05