by: Sarah Joson
Friday, February 22, 2013 | Outsourcing News |
Last year, 63 percent of the investigated IT system cases were caused by external service providers that lacked security integrity. This is according to the 2013 Global Security Report, which covered 450 global data breach investigations. The report was released by security firm Trustwave and analyzed by Warwick Ashford of ComputerWeekly.com.
According to Trustwave European Director John Yeo, companies often overlook security concerns and common data security risks as they are more fixated on cost savings when it comes to making outsourcing decisions.
Moreover, buyers' internal IT security teams are commonly not involved in the selection and deliberation process, when in fact their involvement at that stage is crucial.
Yeo pointed out that during the evaluation of providers, service level agreements and costs often distract decision-makers from considering the details of security. He added that security requirements should be written into the requests for proposals themselves.
On the other hand, even when the internal security team is involved in the IT outsourcing process, it usually fails to double-check the providers' capabilities and strengths.
Yeo suggested that after asking a service provider about its security, buyers should at least validate the answers they receive.
In another report published last January, Trustwave reviewed the annual reports of FTSE 100 companies and found that half of them identified cyber risks and data loss as principal risks.
Some larger companies also showed sufficient knowledge of and concern about cyber risks at the executive level, but that awareness did not reach the managers and staff who handle the outsourcing processes.
The report also found that some companies outsource their security processes because they do not know how to set up and operate such processes internally. Once a process is transferred to the provider it tends to be disregarded, either because it was not well thought out or properly priced during the initial discussions, or because the buyers themselves are unaware of new forms of attack.
Furthermore, the report reiterated that buyers should ask providers for PCI DSS (Payment Card Industry Data Security Standard) compliance validated by a Qualified Security Assessor (QSA).
Businesses are also advised to continually check the progress of their providers and make sure that all systems are kept up to date.