Over-worked, over-budget and overwhelmed — such conditions plague most modern enterprises in today’s fast-paced, rapidly evolving IT environment. No wonder many businesses turn to outside help to manage their IT needs. Whether looking to cut costs, boost revenues or enhance customer service and satisfaction, more firms than ever have turned to outsourcing all or a portion of their IT operations. Whatever the reason for hiring a third-party vendor, CIO’s cannot afford to take such a decision lightly. Even after identifying your needs, conducting due diligence and carefully selecting a “reputable” vendor, there are risks involved when turning over access to your valuable IT assets and data.
WiPro — A Cautionary Tale of IT Outsourcing
Indian IT outsourcing and consulting giant Wipro recently made headlines in the technology press for all the wrong reasons. The company, which provides IT services to an array of international entities, from Fortune 500 corporations to government organizations (including the State of Nebraska), was hacked via a phishing campaign targeting WiPro employees. After the attackers gained access to more than 100 WiPro computer systems through dozens of employee accounts, they were able to install remote access tools on the compromised systems. This is when the real damage began.
After gaining control of WiPro’s computers, the intruders were able to access the networks of several of the consulting company’s customers. Investigators still do not know the exact extent of the attack — WiPro has been tight-lipped regarding details of the breach. It is worth noting that regulations in India do not mandate the same level of transparency required of European and North American companies. Though investigators initially believed that the attackers were state-sponsored, Forbes has since reported that the perpetrators were most likely a sophisticated group of criminals carrying out gift card fraud.
“The actors are targeting large companies utilizing pen-testing tools and are armed with a strong understanding of corporate relationships and environments,” Jason Reaves, a threat researcher with Flashpoint, told Forbes. “It is highly likely there have been breaches in previous years that have gone unattributed to these threat actors.”
The breach is just one more chapter in what has been a tough year for WiPro, the third-largest IT outsourcing company in a country that has become the hub affordable offshore IT services. The company employs 170,000 individuals and has clients across six continents, including major players in healthcare, banking and communications — all industries handling highly sensitive personal data. In March, the State of Nebraska cancelled its contract with the company after earlier issuing a cease and desist order for WiPro to halt an upgrade to the state’s Department of Health and Human Services Medicaid enrollment system.
How to Minimize Risk When Outsourcing IT
In spite of the risk involved in outsourcing IT services to a third party, the benefits can be too enticing to pass up. Companies today commonly turn over any of the following responsibilities to a third party vendor:
- Application development and maintenance
- IT support and help desk
- Data center operations
- Cloud-based services and solutions
Popular it may be, but outsourcing has become riskier than ever. This is especially true if a company handles confidential personal data, such as legal, financial or medical records. The proliferation of outsourcing services means that data is not only being handled by the third-party consultant one hires, but also by fourth and fifth parties working through that company.
“If, at any time, that third party chooses to subcontract a portion or even the entire process that it was assigned to perform, and the organization that’s using that third party is unaware of this relationship, the organization may be exposed,” Daniel Williams, a senior manager with Deloitte Financial Advisory Services, recently told the Wall Street Journal. “The client may not know that an arrangement with a fourth party has been made, who that fourth party is, or how they are qualified to perform this service. Essentially, they don’t even know what risks may exist.”
Not all of the risks associated with outsourcing relate to security concerns. The Journal recently outlined four areas of potential risk and recommended tactics to avoid or minimize them.
Operations and Transactions: Operations and transactions refer to processes carried out between businesses and their customers, such as processing orders for merchandise or a loan for a bank customer. If something goes wrong, the customer may not receive the items they purchased or their loan may not be processed in a timely manner. In these situations, it is important that the outsourcing partner understand the process completely to identify where potential breakdowns can occur.
“It is important to be strategic and focus on the risks that are most likely to occur considering the impact to the organization, its customers, and stakeholders should a risk be realized,” says Williams.
Confidential Information: This is a big one, particularly when taking into account recent regulatory measures in Europe and North America designed to protect confidential data and enforce accountability for those who handle it. The European Union’s General Data Protection Regulation (GDPR) implements hefty fines for enterprises that mishandle their customer’s personal data. CIOs and managers should know how much and what type of data third party consultants will handle when considering outsourcing. Large volumes of highly sensitive data passing outside your control could be a recipe for disaster, both for your customers and the financial well-being of your company. CIOs can take proactive steps in evaluating the security and data controls of anyone handling their company’s confidential data. Experts recommend direct visits to your IT consultant’s facilities to get a first-hand look at their security and data protection controls. Companies can also request the results of a service provider’s SSAE16/SOC audit, which provides an external report on their security and data protection performance.
Business Continuity: Smart businesses plan ahead for disasters, preparing for that day they hope never comes when natural or human factors can disrupt day-to-day operations. When you outsource IT operations to a third party, you now have to worry about that party’s business continuity plan as well as your own. Is your service provider located in a region prone to natural disasters, political instability or and unreliable power grid? The vendor may claim they have these concerns mitigated, but experts suggest simulating a disaster with your vendor to see how quickly they are able to bring backup systems online. In addition to working with your vendor, it is a good idea to formulate your own worst-case plan in the event that your vendor unexpectedly goes out of business or ceases operations due to major disaster.
Compliance: We have already mentioned the regulatory pitfalls of allowing third party vendors to handle your customer’s sensitive personal data. In addition to GDPR, other similar measures bear consideration when choosing to outsource all or part of your IT operations. Institutions handling medical information must comply with the Health Insurance Portability and Accountability Act (HIPAA) while financial institutions receive guidance from the Financial Industry Regulatory Authority (FINRA). Contracting with an IT service provider does not absolve an institution of its regulatory obligations.
“You can’t use the excuse, ‘It wasn’t me. It was our supplier,’” Williams said. “That doesn’t fly. Regulators hold businesses accountable for performing the appropriate due diligence before they outsource, to confirm that third-party service providers have the right people, processes and technology in place to effectively support a function.”
Along with these four risk areas, CIO’s should consider other factors when planning to outsource IT operations, particularly when considering an offshore vendor. For example, in what time zone is the vendor located. While some service providers say they offer 24-hour coverage, are all of their assets going to be available when you need them? Does the local legal or regulatory climate protect you as a customer? As the WiPro case demonstrates, local laws in a vendor’s country of operation may not provide to same degree of transparency required domestically.
As a U.S.-based managed service provider, Valeo Networks takes the risk and worry out of the outsourcing equation. We offer 24/7/365 coverage for a comprehensive range of IT services, from help desk operations and infrastructure upgrades to data management and cloud migrations. Our solutions ensure business continuity and compliance across a complex and evolving array of regulations governing legal, healthcare, financial and pubic organizations. Contact us to learn more about how Valeo Networks can help your enterprise achieve its IT goals.
Download your free Cybersecurity White Paper Now!