IT cost reduction opportunities presented by offshore resources have motivated US and other corporations to undertake software development and administration projects in foreign countries. In many cases, IT personnel involved in these projects must have access to corporate data to effectively design, develop, test, maintain and administer the software. IT departments willingly give remote access or ship some or even all of the data to these remote IT locations to enable the remote work. This data is wide ranging and often includes confidential information about an organization’s commercial and retail customers.
Once this data leaves the US, the security structure of computer systems, processes, personnel, organizations, facilities, law, law enforcement and political backdrop changes, potentially with unexpected results. This, in turn, may increase the risks and associated consequences of data security breaches for both corporations and their customers, both commercial and consumer. Ventana Research recommends that risk assessments by a joint committee that has legal, technical and business understanding be performed for any offshoring activity where remote access or remote delivery of confidential corporate information exists.
Surveys of US consumers show that they have deep concern about their privacy and personal information security. Anecdotes abound of the cost of identity theft to innocent consumers, describing dramatic losses of time, creditworthiness and money, along with secondary costs such as sleep and relationships. The Internet can span the world and deliver data in seconds to any location. In this environment, consumers often can only conduct after-the-fact damage control in the face of determined fraudulent attacks. While much attention has been paid to the Web as an open field upon which consumers and criminals operate virtually shoulder-to-shoulder, another area of risk exists within the business community.
The availability of trained IT professionals in foreign countries with significantly lower compensation requirements has accelerated outsourced, offshore IT activities in the last few years. The recent US economic recession, increased business competition, perceived past IT failures/inefficiencies and higher IT costs relative to other organizational areas have motivated organizations to consider and use these offshore resources for a range of IT projects including software development, testing, maintenance and administration. Generally these activities require local or remote access to the data upon which these applications will operate. This access provides offshore IT personnel with the information necessary to do their jobs. Access can be either remote over the Internet or local to copies of data shipped to the offshore IT site.
Research into various leading public companies has uncovered anecdotal cases in which sensitive data warehouse information is accessed remotely or replicated to remote sites. In some cases, the IT representatives interviewed claimed the data was encrypted. In other cases, the data was not encrypted. In all cases, a certain amount of trust concerning security between a corporation and its offshore IT development partner was required for a successful relationship.
Organizations intent on utilizing these resources need to carefully evaluate the security and associated risk management plans and operations necessary to mitigate any additional data security risk, especially to their customers. Not doing so places unfair and likely unexpected risk on the organization’s customers. All aspects of the offshore IT site must be considered including the security of computer systems, data development and management processes, management, development and administrative personnel, organization, facilities, international law, local law enforcement and political backdrop.
The guidance from Ventana Research on this topic is: (1) Organizations must take steps to assure that data security in offshore locations presents no greater risk than that of on-shore, in-country locations, and (2) customers of organizations that actively ship customer data offshore should know the whereabouts of their personal information and the associated risks.
Assuring secure offshore access to confidential information is not just a technical challenge. It is also a legal and business challenge, because the information is more than likely mission critical to the corporation from which it comes. Organizations should recognize that US laws on data privacy (e.g. HIPAA) are not necessarily supported by other countries’ governments.
Eric Rogge is VP & Research Director - Business Intelligence & Performance Management at Ventana Research.
Ventana Research is the preeminent research and advisory services firm helping our clients maximize stakeholder value with Performance Management throughout their organizations. Putting research in a business and IT context we provide insight and education on the best practices, methodologies and technologies that enable our clients to leverage assets to understand, optimize, and align strategies and processes to meet their goals and objectives.