The Global Sourcing Association
The Home of the Global Sourcing Standard

Outsourcing a security risk, say new surveys

First, apologies for my recent absence from this blog, having been laid low with the festive and traditional pre-Christmas bug.

Barely a month goes by without a security survey, and this month's brace of them comes garlanded with misery for the year ahead – if we believe the results.

Recent surveys by security specialists Lumension and Websense have identified outsourcing and cloud computing as two major security concerns for 2009. The companies say that as the chilly economic climate forces firms to slash costs by cutting specialist staff and moving provision to third parties, data will be at risk both in transit, and in the hands of external organisations.

Of cloud computing (yes, I've given up fighting the term), Lumension says that 61% of its respondents said they were concerned about hosted services providing the opportunity to steal trade secrets and other sensitive IP – while Websense was concerned about the growth of browser-based services (without which it would have no business).

Now, while such surveys give the broadsheet technology supplements something to reproduce unquestioningly, these are the kinds of question that most IT managers would say they're worried about, as they'd look foolish if they said the risks never crossed their minds.

However, most of the security stories we've reported on this site over the past year suggest that the real threats are internal, rooted in staff error (or malice), lax data management, email usage, and the risks of carrying large amounts of data on portable hardware, such as USB sticks, disks or laptops.

Certainly, outsourcing providers have been implicated in a handful of public sector security lapses, but the most serious governmental 'breaches' have been nothing of the kind: in almost every case, they have been down to a woeful lack of management and an apparent lack of common sense.

There is a world of difference between, on the one hand, storing sensitive information on a memory stick, a CD-ROM, a laptop or even a sheet of paper (that most sustainable, uncrashable and portable technology) and, on the other, entrusting it to a company whose business is hosting and securing your data. The former carries much greater risks than the latter.

So while such surveys are useful and occasionally insightful, they are also a form of soft advertising for the companies concerned: a useful PR strategy to get their names and business models in print or pixel – and there's nothing wrong with that.

But it's worth bearing in mind that stoking people's fears about those big bad data stalkers who lurk outside the company gates is usually counter-productive. As we've discovered so often this year, the real villains are you and me.

It's not the man in the black hat or the cyber-terrorists in the basement that put our business at risk; it's the guy in the postroom who wasn't told about policy, the man on the train distracted by a phone call, the admin assistant with a hole in his pocket, the disgruntled middle manager whose job is being axed, and the senior exec who talks too loudly on the plane (trust me, I've sat next to him).

Unless you're confident that every employee from the chair to the receptionist knows not just how to secure data internally, but also what your legal obligations are, then companies whose business foundation is hosting and securing your data might be a better bet.
