Last month attorney Bruce Leshine discussed how buyers can protect their data in an outsourced environment. This month we report on a new data security outsourcing study. Next month we will feature a story on threat detection.
You can't miss the screaming headlines. For example, in April 2005 police in Pune, India arrested three former employees of MphasiS who used account information from customers they dealt with as part of their work at a call center to defraud four Citibank customers out of $300,000.
The thieves got the account holders to share their bank account and PIN numbers. Then, the three former employees and eight accomplices transferred funds from these accounts to fake accounts they created.
Vinay Couto, the Global Leader of Booz Allen's Outsourcing Advisory Services, says in hindsight some companies sent work overseas "too far, too fast." He says they did not assess and mitigate the risks effectively. "Offshoring data security has had some expensive bumps along the way," Couto adds.
Last year Booz Allen Hamilton wanted to know how senior IT executives were dealing with the security risks involved in outsourcing relationships. Specifically, the firm wanted to find out how companies evaluate and monitor an outsourcing supplier's information security capabilities in light of the problems of the pioneers. The result is a March 2006 report called "Outsourcing Security: Concerns Growing."
"As the use of outsourcing continues to grow, so too do the risks to customer and company data that companies must rely on their outsourcing suppliers to protect," says the report. The survey found data security "is an increasingly important issue" for outsourcing buyers. In fact, the survey found outsourcing buyers "seem willing to pay a premium for improved security capabilities." Thirty percent would definitely pay more and 55 percent would consider it.
Data Security Becoming a Supplier Differentiator
The survey found the provider's security policies, capabilities, and track record were almost as important as the pricing and cost savings when buyers evaluated a new outsourcing provider. The overall quality of service ranked number one, with 117 respondents naming it the top criterion. Pricing came in number two (77 respondents), with security a close third at 74 responses.
"This is an important message to suppliers: Invest in data security infrastructure because it's a differentiating factor for buyers," says Couto. "Soon it will be a qualifying factor," he adds.
The survey found companies were more concerned about cyber threats than physical breaches or natural disasters. Theft or misuse of outsourced data ranked even higher than the threat of terrorism. The study found 63 percent were "very concerned" about data theft while only nine percent felt terrorism was a serious threat to the operations of their outsourcing suppliers.
"Buyers want a squeaky clean track record," reports Couto. He says the researchers "were surprised" security showed up in the top three reasons for selecting a supplier.
Buyers Particularly Worried about Offshore Suppliers
But researchers weren't surprised to find buyers felt security risks were "significantly higher" for providers with offshore operations. Three-quarters (76 percent) felt domestic suppliers posed less risk than offshore ones. Providers with operations in India, Asia, and South America were the riskiest, according to the respondents. They labeled China the riskiest place to outsource at this time.
North American suppliers seemed the safest because the US, Canada, and Mexico have robust legal and regulatory environments.
"The message to the governments of emerging countries is: Work aggressively with your flagship outsourcing companies to establish security regulations that US companies demand," suggests Couto.
The survey asked the respondents to list their greatest vulnerabilities due to outsourcing. Disruptions in product delivery and service caused by breakdowns in mission-critical business processes tied for number one with loss of intellectual property or sensitive data due to accidental exposure, theft, or misuse. Loss of customer trust due to fraudulent use of confidential customer data was a close second.
The study found stories like the MphasiS theft have raised awareness of outsourcing's security risks. This, in turn, caused many companies to review their outsourcing strategies in 2005. Sixty-three percent reported they are "rethinking their existing arrangements in an effort to mitigate risk," reports Couto.
The respondents told the researchers that "defining, monitoring, and integrating security management in outsourcing contracts is a growing challenge." They want more third party audits and independent security evaluations. Buyers reported they visited supplier sites and conducted their own audits. They also checked references from other clients.
The study also discovered a credibility gap in the security capabilities of providers--half the respondents discredited supplier security claims. But the discrepancy was greater in specific verticals. Only 30 percent of financial services respondents trusted even the largest providers' security capabilities.
Two-thirds of respondents were open to some form of US regulation of security standards. But 32 percent felt the government should stay out of it.
How the study was done: Booz Allen Hamilton hosted an online survey and interviewed 158 executives from 12 industries. The companies had revenues ranging from $100 million to $10 billion. Eighty-three percent are currently outsourcing or actively considering doing so. Over half of the survey respondents were senior executives. The company conducted the interviews from June to December 2005.
Lessons from the Outsourcing Journal:
- Buyers are increasingly worried about IT security when they outsource. A new Booz Allen Hamilton study says many are willing to pay more for better data security.
- Suppliers should invest in the infrastructure to protect buyers' data because it is now a differentiating selection factor. Before long it may be a qualifying factor.
- Buyers are much more worried about data security when they offshore. They view China as the riskiest place at the moment.
- Governments of emerging countries need to establish standards to assuage the worries of US companies.
- Buyers don't believe the security claims of the supplier community. So they are conducting their own independent audits.