
The Benefits of IT Outsourcing With Low Risk

January 10, 2014

The blogosphere is full of posts touting the many reasons to outsource at least some of your company’s information technology (IT) infrastructure. It is becoming equally full of articles warning about the risks of doing so, driven by a number of recent high-profile breaches that occurred as a result of security lapses by third-party service providers.

Case in point: a recent blog post by Peak 10 technology partner Cisco focused on the unfortunate incident that took place with the OpenSSL Project.

The website of the organization, which provides a widely used SSL/TLS implementation, was breached and defaced on December 29, 2013. Of particular concern was the fact that the website was compromised through the virtualization infrastructure of its hosting provider. The breach was reportedly caused by the use of insecure passwords by the provider, allowing the attacker to make unauthorized changes to the project’s web server.

It was not an isolated incident. According to the 2013 Trustwave Global Security Report on 450 global data breach investigations, 63 percent were linked to a third-party component of IT system administration: vendors responsible for IT system support, development or maintenance had introduced security deficiencies easily exploited by hackers.

So what can you do to capitalize on the benefits of IT outsourcing while minimizing the associated risks?

  1. Pick Your Vendor Wisely.
    • Start with the vendor selection process.  Involve those responsible for IT security within your company in the procurement process, particularly in terms of defining what requests for proposals look like to ensure security elements are included in the evaluation process. They should also be called upon to validate vendor responses to security questions to help ensure that there is not too much trust extended with respect to how a vendor is going to deal with data security.
  2. Seek Third-party Verification.
    • Make sure potential service providers understand and are prepared to handle the security requirements unique to your business and the industry you work in, particularly in terms of regulatory requirements and compliance issues.  Look for third-party verification that these service providers are both trustworthy and knowledgeable about security measures.

      For example, if your company deals with credit card information, all service providers should be asked to provide assurance of PCI DSS compliance from a Qualified Security Assessor (QSA).  Don’t just take their word that they are PCI compliant. The Trustwave study revealed that while many of the businesses hit by payment-card hackers claimed to be PCI compliant, there were often security gaps. Third-party vendor remote-access applications and VPNs used for systems maintenance were often the way attackers got in by stealing the simple, reusable passwords in use.
  3. Apply Risk Management Processes.
    • Assess vendor IT security risks and put appropriate controls in place. Make sure to:
      • Conduct due diligence of all third-party suppliers’ data security controls. Ask your suppliers what security mechanisms they have in place and how often they are tested and updated. Do they also have a tested remediation plan? Do you?
      • Formally document security requirements for vendors in contracts and service level agreements (SLAs). Include provisions for any required remediation.
      • Know who has access to your data at the vendor’s operations and find out what vetting procedures are in place.
      • Consider the level of access that third parties are granted to your data and systems. Can it be reduced and can monitoring be put in place?
      • Agree to and document formal requirements for reporting of security breaches.
      • Continue to make security controls within your own organization a priority, and ensure that in-house systems are resistant to attack.

Strong vendor relationships entail trust, respect and communication.  But when it comes to outsourcing some or all of your company’s IT assets, documented, tested and validated security protocols must be part of the equation.

Contributed by our partner – Cisco
