9 Tips for Outsourcing Securely

Data security risks can be a show-stopping problem for companies that outsource business processes. While business process outsourcing (BPO) confers many benefits on a company — notably cost savings and flexibility — it offers many inherent risks. Whether those risks come in the form of compliance problems, legal liability or just bad business practices, companies that outsource must tackle the data security challenges that come with the territory.

If you outsource parts of your business process, your challenge amounts to reaping the financial benefits of the practice while safeguarding the data that must be shared with third parties. If you can’t protect the data, you face serious business risks. If your efforts to secure data used in outsourcing are too restrictive, however, you may render the practice economically impractical.

This article reviews some of the major outsourcing risks inherent in the practice and suggests a set of practical approaches to mitigating those risks, preserving the upside of outsourcing for your business.

Information Security Risk in BPO

Many businesses outsource some or all of their processes. For example, it’s common to have an outside payroll service prepare paychecks for employees. At the more substantive end of the spectrum, a bank might outsource all of its loan payment processing to a third-party provider. In both examples, the primary business had to trust a third-party firm with sensitive information: social security numbers, personal information, credit histories and so on. What happens if the service provider violates the trust placed on it by the company doing the outsourcing? The consequences can be serious, whether the violation is the result of an error, poor controls or outright crime.

Recent news stories and statistics show that security risks in outsourcing are far from theoretical. Overall, according to the Privacy Rights Clearinghouse, nearly 94 million private records (employees, customers, patients, etc.) have been compromised by one kind of security breach or another to date. Those are reported cases. The actual number of stolen or lost records is probably much higher, since smaller incidents of data theft or leakage are rarely detected or reported. Meanwhile, the Javelin 2006 Identity Fraud Report says that identity theft in 2005 alone cost businesses and consumers in the United States more than $56.6 billion.

The 2005 ChoicePoint case, in which the company mistakenly sold 145,000 customer records to a criminal posing as a legitimate marketing concern, brought the issue of corporate data security and privacy to national attention. The incident cost ChoicePoint $15 million in fines, about $100 per record, a relatively light penalty for the breach, considering that many of the people had credit problems or even lost jobs as a result of ChoicePoint’s sloppy information security practices. If the incident happened today, ChoicePoint would have likely faced a far stiffer set of consequences.

The CardSystems case in 2006, in which a service provider allowed criminals to steal thousands of credit card account records because of lax encryption and data retention policies and enforcement, illustrates the risks that a large bank faces when it places its good name in the hands of another company. Similarly, Citibank lost thousands of credit card records when a data backup tape disappeared from a UPS truck in 2006. In the context of these enormous liabilities, why are today’s companies so vulnerable to data security problems?

Key Security Issues

A core issue in understanding why companies are so vulnerable to data security breaches, especially in outsourcing situations, is just the pure complexity of the security process itself. Many companies dealing with large volumes of data in rapidly changing outsourcing arrangements have themselves just figured out how to secure all that information. There are just too many data sources to protect and too many variables to be considered. It’s like learning how to swim one day and then going out to surf in a major storm the next. The swimmer simply isn’t up to the task physically or mentally.

The growing sophistication of today’s hackers adds to the problem. They’re more astute, more skilled and more daring than ever. They’re capable of breaking through even the most complex defense systems since most companies’ defenses are using the equivalent of World War II weapons against 21st century attackers. As InfoWorld reported in October 2006, though the rate of cyber attacks is down, the level of damage done and the complexity of defending against attacks has risen radically. Today’s large companies face threats far more dangerous than mere discontented employees or teenage hackers. They face organized assaults from large, well-funded international crime syndicates.

In addition, far too many companies — including a lot of household names — still maintain an “It’s not going to happen to me” attitude toward securing data used by service providers. As naive as it sounds, many organizations fail to take the necessary steps to secure data because they’re convinced that a security breach won’t happen to them, since they have traditional defenses in place like firewalls and intrusion detection systems. Instead, they stick their heads in the sand and leave the rest of themselves exposed. Unfortunately, it often takes a catastrophe, like a stolen or lost laptop or a major attack to their customer database, to convince them otherwise. By then, it’s too late. Damage control is their only recourse.

Typical Security Problems in Outsourcing

The security issues associated with securing customer data are relatively similar, whether you outsource or not. With outsourcing, however, there’s an added problem. When key functional areas such as call center operations, are outsourced, people dealing with your customers must have access to the databases containing your data; otherwise, they won’t be able to do their jobs. There’s no way around it.

Here are some of the typical security problems companies that outsource expose themselves to when they provide access to their data:

  • Hacking
  • Dishonest insiders
  • Exposure online — another form of hacking
  • Lost backup tapes
  • Lost and stolen computers

On the surface, the problem seems relatively straightforward. Access control rules should solve the problem. Unfortunately, it’s a lot more complex than that, and that’s where organizations leave themselves vulnerable.

Companies have two main types of data in their data centers — application and document. Application data is contained in databases and accessed by front-end applications like enterprise resource planning (ERP) systems, customer relationship management systems (CRM) and custom applications. Document data is contained in documents like presentations, spreadsheets, word documents and emails. Companies handle thousands of these documents daily without tracking where they go. This creates an exposure to unintentional disclosure of confidential information. In the worst case scenario, it results in insiders profiting from selling customer or proprietary data to identity thieves, organized crime rings or corporate spies.

Application data is stored and processed in database servers accessed by client applications, such as Web front-ends or regular applications and Web services. The databases and the hosts containing them are susceptible to attacks. Access to this information is usually through proxy, which in this case is an application. The major risk here is privilege abuse from internal or external sources.

Privilege abuse refers to a data breach committed by an authorized user testing the limits of the security system. We use the term “privilege abuse” rather loosely. When mentioned, people automatically think that the abuser is someone who’s been granted access to the information. While this is generally the case, it isn’t always. Anyone with a user ID and password can access the system. Usually, access privileges are easy to obtain and escalate since many databases aren’t locked down properly. This scenario allows more access than necessary for different job functions. A case in point is the recent AT&T online data breach in which hackers accessed the records of about 19,000 customers from its online store.

Securing Application Data

If you’re a company that outsources services, you can take steps to protect application data from a security breach. To do so, you need to know the following:

  • Who needs access to the data?
  • What specific access do they need?
  • What are the typical usage scenarios?

Part of the problem is with the software itself. Data security was an afterthought when many software applications were first developed. As a result, the authentication systems used by many databases aren’t powerful enough to protect the data they contain, leaving companies vulnerable to attacks. Even if a database is programmed to know who has access to the data and what they’re allowed to do with it, it still must have the means of enforcing those usage profiles to protect its data. Unfortunately, enforcing usage profiles can be dicey.

For example, how do you differentiate between a policy abiding employee and a disgruntled user if the auditing and logging functions on databases are turned off? Many companies shut these functions off because of the toll they take on system performance. Another problem is logging. A log is a useful security feature, but it’s designed mostly for forensic investigations. It enables investigators to follow a thief’s tracks (which we hope will lead to an arrest — frankly, an unlikely prospect), but that’s it. A log can’t protect the information once it has been stolen.

In addition, the applications themselves are vulnerable to attack. To protect oneself against this type of breach, your IT staff must keep up with the patches issued for these applications. That’s not easy. In the last few months alone, for instance, Oracle has issued over 100 patches, and Oracle is just one of numerous vendors out there. Applying patches for every application in your system is nearly impossible. It could keep your staff busy around the clock.

Securing Document Data

Protecting document data is also a significant challenge. Organizations handle vast amounts of document data daily. This data is often contained in one of the most vulnerable formats of all, Microsoft Excel. Access to information contained in Excel files is not difficult to gain. The difficulty of protecting data in Microsoft Excel files, however, pales in comparison to the problem of protecting data contained in e-mails. How many e-mails do your employees send out each day that include attached documents?

If you have a disgruntled internal or service provider employee who wants to steal personal data for his or her own gain, there’s little you can do about it — especially if their privilege level allows them access to the data. This is an entirely different problem from protecting application data. All you can do is limit the amount of damage incurred through a security breach. Are you going to allow employees access to information on 10,000 people individually while at the office or are you going to allow access to your information through an Excel spreadsheet using a USB device, which can be taken home?

Securing Your Information

If you want to outsource — and, indeed, you may have no choice but to do so — the challenge you face involves securing the process without running up such a huge bill for security that the entire practice becomes a financial loser. Despite the risks you face as a company that outsources, you can protect your data when you work with service providers. Here are nine steps you can take to do so:

1. Get Your House in Order

Before going outside, make sure your own house is in order. Have a realistic security policy that includes data classification and that distinguishes common from sensitive data, as well as how each type of data should be handled. A good security policy includes clearly understood standards and guidelines that have been agreed upon by both business managers and information technology professionals in your firm.

2. Choose Vendors Carefully

Make sure the service provider you use also has strict security policies, starting with the hiring process. This rule applies to all types of vendors, but especially to offshore companies. Security policies look great on paper, but make sure they’re enforced to the fullest extent. The fact that a vendor doesn’t allow people to bring USB devices into an organization is useless, unless there’s a specific control that prevents your data from being copied to this type of device or there’s a way to disable access to the devices altogether.

3. Principle of Least Usage

Adhere to the principle of least privilege as a guide and have a way to enforce it. In other words, have a means to monitor and enforce material exceptions. If an employee works with 10 records at a time, don’t allow access to 10,000 records at one time.

4. Understand the Privacy and Intellectual Property Mindset

Many countries have very lax intellectual property protection laws. Make sure that the vendor you chose is willing to abide by your privacy and intellectual property policies since a misunderstanding can be costly.

5. Use Protection

You can address the two issues above with a combination of database monitoring gateways and application layer firewalls. These devices have the ability to enforce usage policies as well as prevent privilege abuse and vulnerability exploitation. Some vendors integrate both functionalities, which is the best approach.

6. Monitor Traffic

Make sure the service provider monitors outbound Internet traffic and emails for potential information leaks.

7. Provide Education

Make sure the vendor educates its employees on handling and safeguarding sensitive data, since data disclosure isn’t always malicious. Many cases exist where an employee took data home to work on and left it sitting in a laptop in unencrypted files.

8. Conduct Security Audits

Wherever the data is stored, make sure you conduct an application/database security audit as well as regular network security audits. An audit identifies issues with the applications, databases and devices on the network serving them and unearths potential vulnerabilities.

9. Review Prevention Technologies

Inquire about prevention technologies and the policies associated with them. Does the service provider have the technology available to control data flow? Are its policies enforced by its IT staff and are they adhered to by employees? For example, if there is sensitive data stored on a specific file server, is there a way of preventing those files from being emailed to other people or copied to removable media?

None of these steps will protect customer’s data completely, but they will minimize the risk, exposure and liability data theft brings. A good rule of thumb when dealing with an service provider in an outsourcing scenario is to make sure it has as good a security system as you do, if not better. And make sure your IT team stays on top of the latest advancements in data security. You can’t secure what you don’t understand.

Useful Links

Privacy Rights Clearinghouse
http://www.privacyrights.org/

Javelin Strategy and Research 2006 Identity Fraud Report
http://www.javelinstrategy.com/products/AD35BA/27/delivery.pdf