IT outsourcing on the rise but how does it impact security?
Technology has made the workplace much more complex. In a small office, the onslaught of technology and the need to keep pace has made it necessary to outsource at least some IT functions. According to recent research conducted by IDG, a quarter of IT workload is now outsourced, compared to 18 percent two years ago. That number is expected to rise.
With this move to outsourced IT, data security takes on a more urgent priority – an issue that companies recognize, as IDG found security requirements to be the top outsourcing concern for nearly two-thirds of organizations interviewed. However, what also must be looked at is how the outsourced IT and internal IT can work together to ensure that security practices are cohesive rather than fractured.
“Outsourcing can make the organization more agile and move faster, but for that, the two IT functions need better controls to be in place,” said Vishal Gupta, CEO of Seclore. “The internal IT should place trust in the outsourced IT for them to support the outsourcing without compromising on security, compliance or privacy.”
Risk is the most significant driving factor behind what can and cannot be outsourced, Gupta continued. “Since the biggest risk is to data, I would recommend that internal IT take a very data-centric approach to security. The need to take the data-centric approach to security arises because it becomes very difficult to control applications, devices or networks in a complex outsourcing environment.”
While the biggest risk itself may be to the data, Reg Harnish, GreyCastle Security CEO, is quick to point out that we have to consider another risk: the unknown.
“If you have a concrete answer that you can trust, you can always work around it. For example, if you tell me there’s a bridge that’s broken on my evening commute – I can work around it and go a different route. If you don’t tell me the bridge is out – I will then be delayed going home, or worse, drive into the river,” he said.
It’s the same concept with cybersecurity, Harnish added. There will always be unknowns you can assess with a cybersecurity program, but you can’t see it, touch it or feel it. However, you can be prepared as best you can by doing your homework about the outsourced vendors and their approaches to security. That begins with understanding the function areas that would be most damaged should there be a security incident. This would include any data under compliance regulations like HIPAA or PCI. You should ask basic questions regarding the third-party’s framework surrounding compliance. Are the vendor’s cybersecurity frameworks in sync with your company’s? Is security practices something the outsourced IT vendor is willing to discuss openly with internal IT and is the vendor open to regular security audits?
Even though more businesses are looking to third-party vendors for IT, many are fearful of outsourcing due to cybersecurity concerns. “Ironically, third-party vendors are generally more secure,” said Harnish. That’s why he encourages internal IT to use the same security measures as their external IT, especially if that company’s cybersecurity is well-regarded. Remember, too, he added, cybersecurity isn’t always a technology problem, but a communication problem. The more the IT professionals are able to communicate with each other, the more secure your data will be.
That, of course, is assuming that the company has someone internal to handle IT and data security. Smaller businesses may need to outsource all of their IT functions. If that’s the case, outsource with extreme caution, Gupta advised.
“When you give a third-party complete control of your IT ecosystem, you are essentially putting your businesses’ future in their hands, since it only takes one data breach to ruin an organization’s reputation,” he said.
He recommended that companies planning to adopt a fully outsourced IT model should closely assess the solutions deployed by their managed service provider, as well as the employees that will be responsible for your systems. Again, it comes down to the human component of cybersecurity.
“If the team isn’t one you’d be comfortable hiring for an in-house position, they aren’t qualified to be on your outsourced IT team either,” Gupta said. “And if trust isn’t an option for you, make sure the data you share is persistently protected with usage controls.”
In the end, no matter who is in charge of the IT, the liability of the information’s and system’s security lies with the business itself. “You can’t outsource liability,” said Harnish. If a breach happens and records are compromised, fingers will be pointed at the business leadership, not the outside IT support. Businesses need to consider all of the aspects of risks — legal, financial and security – and prepare for everything before looking for outside IT help.