
Is Your Outsourcing Secure?

By : Utimaco
INFORMATION
Published : Mar 12, 2007
Length : 1
Type : White Paper
 
Overview :

Better safe than sorry! When outsourcing, keeping an eye on data security right from the planning stage can save your company from nasty surprises.

Readers should learn how to protect their confidential data when they exchange information with external partners.

Related Categories : Data Protection, Database Security, Security

Just how seriously does staff in outsourced divisions of companies take data security? And what happens if a freelancer working for the outsourced partner gets the clever idea of leaking critical company data to the competition? Inside company offices, data security can be maintained with bullet-proof access control: anyone who is not supposed to have access to confidential data is kept out. However, when parts of the company are being outsourced, the possible security risks take a back seat at many enterprises and only come to the forefront again when the contract with the outsourced services is already a done deal.
Be on the safe side: deploy both organizational and technical protection
Data security, covering both organizational and technical protection, needs to be on the agenda right at the start of outsourcing negotiations. Organizational protection provides a contractual definition of how sensitive data are to be handled and what penalties are to be expected in the event of damage or breaches of confidence. Furthermore, critical information such as financial data should often not even get outsourced in the first place. Technical protection comes from professional encryption software that lets a company retain control over the encryption key – and therefore also over the content and use of its data. Prevention makes sense for both the outsourcing company and the service provider: if critical data should ever leak out, you can use the audit logging to ascertain the last person to process the data and whether certain people ever had access to it.
When it comes to data security, India is behind the times
You have probably heard horror stories about data security breaches – the majority of them from the outsourcing mecca India. While the market researchers from India’s National Association of Software and Service Companies expect growth of 27 to 30 percent in 2007, resulting in revenues of $29 to $31 billion, the subjects of security and data protection are unknown concepts for many Indian IT companies. The recently published international study “The Global State of Information Security” found that every fifth company in India has already been the victim of fraud or theft of intellectual property. Scenarios like this make it clear that you should think very carefully before signing an agreement with an outsourcing provider!
When planning, keep security issues on the agenda
In Europe, too, the data security aspects of outsourcing business or IT processes have encountered problems. For example, in Britain, Scotland Yard had to admit as recently as November 2006 that it had lost three laptops with salary data on them when using a service provider. In mid-2006 in Austria, a journalist bought a formatted and discarded hard drive on the Internet that had belonged to the Ministry of Technology, and confidential financial data on it could be reconstructed!
In theory at least, many outsourcing projects start with the specification that only “non-business-critical” data may be outsourced. In practice, though, it tends to happen that each department rates its own documents as important and worthy of protection. Almost all data can be used to the detriment of the organization or lead to serious financial damage if it gets into the wrong hands. With many outsourcing projects, though, security aspects get ignored due to the pressure to keep costs down. High availability, redundancy, cost efficiency, the power supply, and other subjects tend to be the focus of discussion. Fortunately, effective encryption software can halt the spiral of fears and concerns right at the start of outsourcing planning. Your company retains complete control from the very beginning and can decide who is allowed to see what.
What needs to be taken into consideration when selecting encryption software? The cryptography must be secure and should be based on recognized, tried-and-tested strong encryption algorithms such as AES, the most common algorithm at the present time. In addition, there should be no known attacks on the algorithm, and the key lengths should be large enough that data cannot be exposed by brute-force attacks. Keys must have a minimum length of over 100 bits, and thanks to its 256-bit key length, AES will be able to offer adequate security for a long time. If possible, your encryption solution should work with certificate-based authentication or, better still, with smartcards or comparably secure USB tokens. When using password-based authentication, you need to make sure that the software prevents attacks such as dictionary attacks.
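
The password-based case above, as an added Python example that is not from the white paper or from Utimaco: a password is stretched into a 256-bit key with a salted, deliberately slow derivation, and repeated wrong guesses lock the gate. `PasswordLock`, `guesses_allowed`, the iteration count and the lockout threshold are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os

KEY_BYTES = 32          # 256-bit key, the AES key length the text recommends
ITERATIONS = 600_000    # assumed PBKDF2 work factor; makes every guess costly
MAX_FAILURES = 5        # assumed lockout threshold for wrong passwords


def derive_key(password: str, salt: bytes) -> bytes:
    """Stretch a password into a 256-bit key with PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               ITERATIONS, dklen=KEY_BYTES)


def _check_value(key: bytes) -> bytes:
    # Stored in place of the key so a password can be verified later.
    return hmac.new(key, b"key-check", hashlib.sha256).digest()


class PasswordLock:
    """Hypothetical password gate in front of a data-encryption key."""

    def __init__(self, password: str):
        self.salt = os.urandom(16)   # random salt defeats precomputed tables
        self.check = _check_value(derive_key(password, self.salt))
        self.failures = 0

    def unlock(self, password: str):
        """Return the key, None on a wrong password, or raise when locked."""
        if self.failures >= MAX_FAILURES:
            raise PermissionError("locked after repeated failures")
        key = derive_key(password, self.salt)
        if hmac.compare_digest(_check_value(key), self.check):
            self.failures = 0
            return key
        self.failures += 1
        return None


def guesses_allowed(lock: PasswordLock, wordlist) -> int:
    """Count how many wordlist entries get tested before the lock engages."""
    tried = 0
    for word in wordlist:
        try:
            lock.unlock(word)
        except PermissionError:
            break
        tried += 1
    return tried
```

When evaluating a product, the equivalent checks are whether it salts and stretches passwords and whether it throttles or locks out repeated failures.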