Companies that outsource their requirements often consider the possibility of using offshore resources. Outsourcing strategies increasingly include offshore components. Now, with the sluggish economy in the US and the prospect of savings, more companies look to outsource their IT projects offshore.
However, the security of their data has always been a concern for these companies (Rosenthall, 2003). Despite these concerns, sensitive data are exchanged, processed and delivered using appropriate security measures. Today sensitive documents, including personal records and medical, legal and financial documents, are transferred across shores. With appropriate security measures in place, data are moved securely between the company and the service provider. To mitigate the risks associated with outsourcing from the initial stages, the firm should be capable of identifying the tasks that are appropriate to outsource and those that need to be done in-house.
Historically, the separation of main functions from support functions has itself been closely associated with security procedures (Weinschenk, 2003). According to Ian Marriott, research director at the technology research and consulting firm Gartner, data security would soon be a priority among companies that outsource their work offshore. With IT projects being outsourced to China, Russia and the Baltics, there is much concern about the possibility of the government intercepting and inspecting the data. There are also considerable risks to intellectual property, such as patent rights, trade secrets and copyright.
Such risks are, however, lower in countries like Australia, Canada and Ireland, which also offer such offshore services. Marriott is of the opinion that companies would soon consider near-sourcing possibilities in an attempt to cut risks. Companies would also consider setting up their own captive data hubs or even try out low-risk countries for their projects. Data security issues have gained momentum as worldwide offshore and near-shore spending on IT services is expected to be more than $50 million in the next couple of years (CMP Media, 2004). Gartner predicts that the Indian cost for application-based projects would rise by 35 to 60% in the next three years. However, companies would still see cost benefits, apart from value addition, when outsourcing. Companies in the financial industry have been taking precautions within their offices and headquarters to thwart efforts by hackers and intruders.
However, when applications or relevant projects are outsourced overseas, these firms have less control over the security of their data and are fully dependent on the security precautions of the service provider. Legal obligations, such as complying with the Gramm-Leach-Bliley law, lead firms to ensure proper security for their data. The Sarbanes-Oxley Act calls on CEOs and CFOs to certify that appropriate measures were adopted in the processing and reporting of their financial data, to uphold the integrity of the data. To ensure compliance with the best practices required by US regulations, financial firms assess their service providers and evaluate their security procedures. As part of this evaluation, the financial firms verify the service provider's physical security process, password regulations and employee background verification procedures. Many CIOs and data security experts are of the opinion that data security and risks are similar for both domestic and overseas service providers.
However, the risk factor increases when the data is transferred beyond national boundaries. Firms adopt several measures to reduce exposure and risk, such as keeping the data servers in the US and not at the overseas service provider's site. The projects sent offshore mostly relate to application development, and are rarely live applications. For testing these applications, only fictional or mock data are sent (CMP Media, 2004).
Live applications in production can be safeguarded by creating a test zone specifically for the service providers, so that they need not venture into the production zone. Data security of financial documents can be enhanced by masking the relevant data. Companies can avoid using the Internet for data transmission and use exclusive dedicated lines. However, when such security measures are adopted, the associated costs are also high. When IT projects are outsourced, the company should deal with its data security directly at the service provider's site, to whatever extent possible. Greg Silberman from Kaye Scholer suggests that when data is to be transferred to another country, one should always determine whether that country has the same privacy and protection laws.
It might happen that countries like India, which take on outsourced projects, have privacy and data protection laws too, but the legal process would be slow and lengthy. To make the legal implications for the service provider more effective, the contract between the US company and the Indian provider can be made according to US laws and under the jurisdiction of US courts. The firms also take a role in the handling and control of their data on the premises of their service provider. Here the firms reduce security risks by selecting who would and who would not have access to their data. The firms also restrict and regulate the times at which the data can be accessed. Although service providers may have extensive security measures in place, the outsourcing US firm can help in identifying loopholes in the provider's security procedures.
The outsourcing company can build on the measures already in place. Cortese from Lehman points out that it is equally important for the servicing Indian firms to ensure that there is no breach of security, as any security lapse would be the end of their business. Many Indian companies are highly dependable with regard to data security. Their innovative efforts help the country to be identified as an outsourcing destination with high data security.
The Indian service providers have successfully put in place strict security measures even in the absence of any regulatory compulsion (Flat World Solutions, 2008). They ensure that a particular customer’s data is accessible only to those people who are working on it. Some Indian companies even use biometric parameters for their security, like palm reading and retina scans. The employees at most servicing companies have to gain access through magnetic cards, and the entry and exit points are always under video surveillance. The bags and belongings of all people entering or leaving the facilities are searched. Floppy drives and CD drives, which could be used to copy data and carry it away, are all removed from the workstations.
In addition to this, items like pen drives, floppies and CDs, onto which data can be copied, are not allowed to be taken into the premises. Apart from disabling media drives, email is also disabled, and printers are not connected to the computers. Despite the steps taken to ensure data security, it would still be possible for a breach to occur and go undetected for some time. SystemExperts Corporation’s president Jonathan Gossels says that application development is prone to several security risks when outsourced. A programmer can embed hidden code that could help someone to access the application at a later date and even take over the complete application itself.
Since offshore outsourcing companies like those in India work with several financial firms simultaneously, it is possible for an employee to engage in espionage by revealing a firm’s financial data to its competitors. The risks are out there, but they can definitely be managed by using the right mix of people, technology and funds.