Risk assessment on the rise
Despite concerns over security standards among offshore outsourced service providers, companies will continue to outsource offshore in an attempt to cut costs. In this context, remote risk assessment is likely to become an increasingly valuable tool alongside companies' own security protocols.
The PA International Outsourcing Survey 2009 predicted the global outsourcing market would rise by more than 8% in 2009 and found that 31% of companies surveyed planned to increase their commitment to outsourcing this year. However, it warned that 'short-term cost gains are likely to be achieved at the expense of fast rising corporate risk'.
A survey undertaken by YouGov on behalf of IT assurance specialist NCC Group and published earlier this month reported a significant increase in organisations using remote risk assessment of their third-party suppliers as the trend for offshore outsourcing continues. The survey found that 20% of IT managers in large companies believed outsourced systems were less secure than those based in-house.
"IT security risk assessment is commonly disregarded as costly and time consuming, but it has an important place in evaluating the controls implemented to protect an organisation's information systems," says Nathan Jackson, director of advisory at NCC.
With the UK Information Commissioner's Office having indicated that it can implement data breach fines of up to half a million pounds, risk assessments of third parties should be even more of a priority. According to Jackson, assessing risk remotely is hugely cost-effective as it reduces the need for travel and - as it can be carried out more often - it gives the buying company greater assurance that any supplier is compliant at all times.
Companies can also take steps independently to improve the integrity of their data, for example by testing their outsource partner's security infrastructure with regard to issues such as power supply and building systems; training the offshore team in data handling practices; and finding out how many people will be using and working on their data and setting limits on the flow of information among and between these personnel.
Finally, companies should consider whether they need to share everything with their outsource partner. Implementing data control to manage information exchange and prohibit unauthorised access to vital business information could be a useful strategy.