
In outsourced projects, ensuring data security is still your responsibility

Mar 22, 2006

* Data security means securing your data inside and out

About six months ago, I first touched on the topic of security in outsourcing. In this newsletter, I covered the security risks to be considered when outsourcing, and the contractual and operational means of addressing those risks. This week, I want to dive deeper into one specific aspect of security in outsourcing – data security.

Most data theft has an insider component, either the insider actually participates in taking the data or the insider provides key information to the actual thief. It is hard enough to create the internal controls and oversight to monitor your own employees’ activities. Outsourcing further removes you from the operational processes and can leave the door open to insider threats.

We regularly read of data loss in outsourced situations, such as the India-based call center theft of Citibank customer data or the theft of Bank of America back-up tapes in transit. These big-name stories go national, but many more are regional, like the theft of credit card data from the outsourcing vendor for airport parking at Denver International Airport. Even more go unreported. And who knows how many go undiscovered.

It often takes a series of significant losses to effect process change across an industry. I worked for several years in the banking industry in ATM and debit card processing. A few big insider attacks in the late 1980s changed the standards for handling personal identification numbers (PINs) from software-based authentication to hardware-based authentication. Even though the encryption standards of the day were sufficient to protect PINs from outsiders while data was in transit, programmers of the systems could get PIN data in the clear out of the memory of the processing systems…and some did. Eventually the industry addressed the insider threat by requiring hardware-based encryption, which was tamper-proof and kept insiders at bay as well as outsiders.

So why is most data stored in the clear where it can be touched by insiders? This is a threat in your own data center, and it is a threat in an outsourced data center or BPO situation. Clearly there is a cost to encryption, both in the software and in the processing overhead. There is also latency when using the data, as you have to wait for it to be decrypted. But advances in processing speeds and encryption products, along with a better understanding of the risks, have changed the cost-benefit relationship for deploying protection for stored data.

The newly formed Data Security Chapter of the International Association of Outsourcing Professionals (IAOP) recently conducted a survey of more than 100 attendees at its national summit. More than 90% of the respondents stated that data security breaches that occurred while outsourcing would be “catastrophic” to their business. The survey also uncovered confusion over who is responsible for data security – the service provider or the customer. Fifty percent said both service providers and customers are responsible, while 30% believe the customer is responsible, and 20% believe service providers are responsible.

I want to reiterate the theme of my earlier newsletter on security in outsourcing…you can outsource the work but you cannot outsource the responsibility. If your data is stolen from an outsourcer, your business will be impacted just as significantly as if the data were stolen from your own operations. As data protection methods have improved and risks have increased, it seems it is time to give more thought to protecting data at rest.