Outsourcing network services is a common business practice for most large companies. From communication service providers to manufacturing facilities as well as healthcare or financial service providers, outsourcing is an effective way to reduce overall cost of operations and improve customer service. For example, minimizing overhead for server management and storage, automating billing and provisioning services or simply leasing space for cloud storage all have great savings potential. This, however, can pose a serious risk to proprietary information as well as protected customer data so smart vendor risk management, especially with regard to cyber concerns, is needed.
Allowing another company to manage our networks, provide storage space or virtual servers (or any other network service) is akin to leaving our children with a babysitter. We want, or many times – need, the extra help and it allows us to focus more of our time and effort on other tasks. However, we must be able to fully trust that sitter with the care and protection of our children. The same can be said for outsourcing of network services – we must be able to trust that company with our data. The question for organizations of all sizes, is whether we are really doing the due diligence required to warrant that trust. No one is impervious to these types of threats – over the past several years, even the federal government has fallen victim to the risks associated with outsourcing.
Question Cyber Practices Up Front
The only way to truly evaluate the risk is to widen our view of ‘cyber security’ to include other, more traditional, aspects such as Physical security (access control), Internal security (personnel) and Operational security (business practices and operations within the company and with outside partners). Using this framework, we must ask – what do we really know about the third-party we have chosen? Just because a company is based in the U.S. or other ‘friendly’ country, doesn’t automatically mean our data is safe. A few points to clarify when looking at possible companies for outsourcing are:
• Who will have access to my data and the equipment it’s stored on?
• How will I maintain control or ensure proper security measures are implemented?
• Where will my data be sent, processed, managed and stored?
• Who is writing, modifying or reviewing the code for this product?
• Who will have access to my production network for implementing changes, patches, upgrades, etc?
• What kind of access will the company need on my network in order to execute the contract, and how will I audit any activities?
• See 11 additional questions to ask in Tips to Ensure Third-Party Vendors Protect Your Data
Some potential concerns to look for are companies with a small local footprint, but a large back-office in another ‘less-friendly’ location. They may not have the technical expertise to support the contract locally, so they rely on the back-office for most of the heavy lifting. If they don’t have the necessary ‘space’ to manage large amounts of data, they may use another third-party cloud service. We need to know this and look into that possibility as well since our data would spend a vast majority of the time on those servers.
This is where things start to get difficult. What if the original company we outsourced to doesn’t have the resources to support us, or has outgrown their capabilities? They may decide to sub-contract our services out to someone else. This may not sound like a big deal, but this is where we have absolutely no visibility unless we’ve planned ahead.
Outsourcing Best Practices
We need to get in front of these risks with mitigating or preventative measures before they require any reaction on our part – after all, the best defense is a good offense. An easy way to maneuver ourselves into a more advantageous position when outsourcing is to follow a few simple rules of thumb:
• Review what processes need to be outsourced and simplify them as much as possible beforehand. This will allow for easier management and better visibility when auditing.
• Outsource only what is necessary. Don’t sign up for complete managed services if cloud storage is all that’s necessary.
• Maintain primary control over who has access, and at what level, to network systems (especially production systems).
• Ensure there is an independent capability to monitor and audit activities that is not simply a function of the provided solution.
• Insist on full compliance (with deadlines) for any future requirements. Don’t let everything run as it did when the contract was originally signed – make sure the procedures and requirements conform with changing standards.
• Carefully (I mean VERY carefully) review the contract terms. It’s best to include not only a legal review, but operational and technical reviews as well. Use personnel who are technical experts and familiar with the company and its operations.
• Always check your cyber insurance policy for sub-limits and exclusions. The breach of a third-party service provider could impact your company’s ability to maintain operations. Never assume that you will be covered for losses as a result of third-party disruptions.
• Get your own house in order by ensuring that Physical, Internal and Operational security controls are in place to secure data that may be accessed by external vendors. Access controls and escort procedures are a good place to start. Also, don’t forget about educating employees on the concerns of working with partner companies – it may be a joint venture in one field, but competition in another (don’t let either one bleed over).
The down-side to this process is that it requires much more planning and evaluation before outsourcing key functions, and it must be actively monitored and re-evaluated over time. There is an up-side though – it will reduce the level of risk a company is exposed to, and could help prevent future incidents (or at least minimize the effect an incident would have). This has the added benefit of minimizing loss if an incident does occur, which could keep the cost of cyber insurance to a minimum as well.
Don’t Let Outsourcing be a Cyber Risk
Outsourcing – everyone does it and it’s a great way to keep expenses low, productivity high and improve customer service. Not everyone has performed the necessary due diligence and truly understands their risks. We need to know who we trust with our networks and our data, and understand how they are going to treat such vital resources. Besides, if we can’t trust that our data is safe and our network is secure, then how can we afford to outsource these services?
