Outsourcing – the weakest link?

17:31 25 March in cyber insurance, Cyber security, outsourcing by robp
1

The FT today has an article on the dangers of trusting subcontractors with your company data.

Security experts generally decry outsourcing, maintaining the drive to lower costs means security is forgotten. There are some reasons to be sympathetic to that posture. The modern organisation is utterly reliant on its information and information systems, and spends (hopefully) time and money ensuring both are adequately protected. Handing all that over to a third party obviously incurs some risk.

For most organisations the risk can be managed however there are some considerations. Firstly the driver for outsourcing is cost. One of the reasons that IT outsourcing can appear extremely cost effective is because corporate assets are not appropriately valued. Your data has value to your organisation, and subsequently cost will be incurred if it is stolen, destroyed or used inappropriately. If you save a million pounds in IT support costs over five years, but your customer database was hacked by organised criminals the resulting fall out and reputational damage may dwarf the saving. It is also worth remembering the risk is still yours. Even with the best written contract and insurance, if there is an issue it is your organisation that will feature in the media. A payout and admission of failure by a provider is of limited use if it comes after your customers have deserted you.

That said, outsourcing can and does work effectively and safely. After all, the same bad things can happen if you hold your own data and run all services in house. So key to successful outsourcing from a cyber security perspective is the contract (obviously you want to be sure the organisation can deliver the service it says it can, and isn’t about to go bankrupt, but these are not cyber security issues). Outsourcing contracts should contain clauses specifically security focussed. Your data should be protected at least as well as you’d protect it yourself. Focussing on the ends (protecting the data) rather than the means (specifying a technology) provides flexibility, and means you won’t incur expensive change requests when a vulnerability is found in a particular piece of encryption software that you specified in your contract. Adherence to specific standards by a supplier (such as ISO 27000) is a good sign, but should not be considered a replacement for proper due diligence.

Contracts should be reviewed by your security staff, and the data owners at your organisation. For significant or particularly sensitive contracts legal advice from lawyers who specialise in contract security clauses is also recommended.