Whether you're hiring a third party for desktop support, security testing or network monitoring, the more eyes and hands you have on your electronic assets, the greater the risk of something bad happening. The potential for loss increases with the seemingly endless amount of data stored on so many different computers. While most IT consultants are trustworthy and responsible, some aren't. Seemingly decent people do bad things on computers all the time – and often the company that hired them doesn't even realize it.
Currently, I'm one of the IT "outsourcees," so naturally it may seem that I'd say, "Outsourcing is great – there are no risks – jump on the bandwagon!" Well, not necessarily. I've been on both sides of the table with this issue. It's definitely not easy giving up control or handing over sensitive information to complete strangers. On one hand, it's nice to be able to do everything IT-related in-house. You control access and you control how and when things get done. On the other hand, any smart businessperson knows it's practically impossible for one department or person to do everything and do it well.
Think like a thief
Before you hand over the IT reins, there are a few things to consider. IT-related issues should be viewed from a hacker's perspective: consider what can happen if your confidential information gets into the wrong hands. Do you have digital assets worth abusing? What negative consequences would follow if they were abused? Is your job on the line if your company makes the headlines?
Who has access?
Most outsourced IT services require someone somewhere to have full access to a portion, if not all, of your digital goods. For instance, desktop support professionals will likely need administrative rights to your workstations. This translates into full access to corporate data stored on local drives and, potentially, on any network shares those workstations can reach. Consider what an IT auditor or security consultant may gather during the days, weeks or months spent onsite perusing your systems. There is effectively no limit, and it only takes one miscreant to cause a lot of damage.
It's one thing to understand that outsourced IT service providers have access to corporate data, but it's quite another to know what they're actually doing with that data. Are they storing the data on their servers, laptops, CDs or USB drives? Are they printing hard copies? The answer is likely yes for both. Clients should expect to turn at least some of their information over and need to be informed of why it's needed and how it's going to be used.
You also have to consider how they're protecting this information -- if at all. What are they doing with your information? Are they sharing it with colleagues or competitors? Keeping it to sell on eBay in a few years? Even if the people you're outsourcing your IT services to are bound by contract to protect your information, they may not have your best interests in mind, or they may be just plain sloppy. Consider what a person has to lose if he ends up leaving the company or getting out of the IT business altogether. Probably not much. The probability of sales data, source code or patient information being used for ill-gotten gains is pretty low, but it can happen.
Keep it confidential
Call me a pessimist, but I've seen too many digital goods mishandled by careless IT experts with a general disregard for other people's property. The root of a lot of this -- which continues to amaze me -- is when organizations outsource IT support, but never consider the basics such as running background checks and examining references on the people they're placing trust in. Confidentiality agreements are being used more and more, but arguably not enough.
Strong contracts and clean criminal records are not perfect indicators of safe and sound IT services, so don't rely solely on them. It's also unrealistic to attempt to completely control where your sensitive data is housed and what a third party does with it. Whether you're for or against outsourcing IT services, you'll have to do it eventually. Do your best to find good people to do business with – preferably through referrals – and trust your instincts.
Employee enlistment
Don't stop there though. Having the proper security controls and paperwork in place isn't enough to take the risk out of outsourcing IT services. It's just as important to have watchful employees who can tell when something's not right, and management that's willing to listen, support those employees and create an overall sense of security vigilance in the organization.
So, to answer the question, is outsourcing IT services worth the security risk? That depends on your organization. While I do believe it's worth the risk, it's not a decision that should be made lightly. If your company does decide to outsource, proceed with caution.
About the author
Kevin Beaver is founder and principal consultant of Atlanta-based Principle Logic, LLC where he specializes in information security assessments for those who take security seriously and incident response for those who don't. He is author of the book Hacking For Dummies and co-author of the upcoming book Hacking Wireless For Dummies, both by Wiley Publishing. Kevin can be reached at firstname.lastname@example.org.
This was first published in February 2005