Offshore Outsourcing’s Pandora’s Box

Not all companies consider the risks—in terms of information security, data privacy, and potential legal liability—associated with offshore outsourcing

Many organizations have embraced offshore outsourcing as a means to reduce IT costs and improve business efficiencies, but not all of them have considered the risks—in terms of information security, data privacy, and potential legal liability—associated with doing so.

The problem: companies that outsource IT processes must invariably expose corporate data to contract workers overseas. As Eric Rogge, a vice-president and research director with consultancy Ventana Research, notes, this opens up a Pandora’s Box of potential issues.

“Once this data leaves the US, the security structure of computer systems, processes, personnel, organizations, facilities, law, law enforcement, and political backdrop changes, potentially with unexpected results,” he writes. “This, in turn, may increase the risks and associated consequences of data security breaches for both corporations and the customers, both commercial and consumer.”

According to Rogge, many commonly outsourced IT tasks—such as software development, testing, maintenance, and administration—require access to corporate data. Access can be either remote (over the Internet) or local (companies ship copies of data to offshore IT sites).

“Research into various leading public companies has surfaced anecdotal cases whereby remote data access and remote data replication of sensitive data warehouse information is done,” he writes. “In some cases, those IT representatives interviewed claimed the data was encrypted. In other cases, the data was not encrypted. In all cases, a certain amount of trust concerning security between a corporation and its offshore IT development partner was required for a successful relationship.”

As a result, Rogge says, organizations must evaluate the risks inherent in any potential outsourcing move before deciding to send IT tasks offshore. “Not doing so places unfair and likely unexpected risk on the organization’s customers,” he argues. “All aspects of the offshore IT site must be considered, including the security of computer systems, data development and management processes, management, development and administrative personnel, organization, facilities, international law, local law enforcement and political backdrop.”

So what’s to be done? Rogge and Ventana Research recommend that organizations convene joint committees to assess potential offshore moves. “Ventana Research recommends risk assessments by a joint committee that has legal, technical, and business understanding be performed for any offshoring activity where remote access or remote delivery of confidential corporate information exists.”

About the Author

Stephen Swoyer is a Nashville, TN-based freelance journalist who writes about technology.