Rise of outsourcing poses new cybersecurity problems

Nov 10, 2011 By Steve Alexander

Big banks, hospitals and insurance companies worry about computer security because they handle so much personal information.

Now, in the age of outsourcing, they also have to worry about whether their partner firms are secure. And that's created a new kind of business consultant: The information security auditor who determines how much security is enough.

Some of these auditors work for big companies. When Evan Francen did security audits for Wells Fargo bank, he asked the outsourcing companies to complete a 1,500-question security checklist. (Wells Fargo officials declined to comment.)

Now Francen has his own security firm, FRSecure of Chaska, Minn., that helps outsourcing firms meet the demands of security auditors like him. And some of them really need the help.

"We audited a small bank that was compliant with computer security regulations, but we could have put them out of business in five minutes because of the physical risk," Francen said. "Their computer server room had no , no records of who came or went, no locked doors, nobody there at night, and it was in a separate building."

Such insecurity represents a business opportunity for the likes of FRSecure.

"We're in the Wild West period of security compliance," said Kevin Orth, FRSecure's vice president of operations. "There are no security standards that are widely accepted."

The opportunities in security auditing also have drawn the consulting arms of big accounting firms such as the accounting firm Deloitte.

"Every time there's another computer , these security audit programs get ramped up quite a bit," said Matt Marsh, a partner in enterprise risk services at the Minneapolis office of Deloitte. "Because if there's a breach there can be costs, loss of reputation and loss of business."

Driving the latest corporate fear about computer security is a confluence of events. Computer security breaches, such as the massive e-mail leak this year at corporate outsourcer Epsilon, have become common. Cloud computing, which saves companies money by letting them use remote data centers when needed, poses new security risks about which little is known. And big companies are under more regulatory and legal scrutiny.

"All of those factors are converging, and are putting a lot more pressure on banks and other big companies," said Avivah Litan, an analyst for Connecticut research firm Gartner Inc. "Security audits have definitely taken a big upward tick."

For IT consultants, this is a boon. "Performing security audits is now a specialty within information technology consulting," said Isaac Cheifetz, an IT recruiter with Open Technologies Consulting Co. in Minneapolis. Security "is no longer simply about making sure the network firewall is up."

Added Marsh, "That whole space of security and privacy is a growth area for us."

That can drive consulting prices upward.

"We see many IT consultants trying to dabble in information security, and they set their prices at what their clients are used to paying," Orth said. "We make more, but we're specialists. So there's no such thing as standard pricing."

These days, consultants are called in when outsourcers find it difficult to meet confusing and sometimes excessive security demands of big companies for which they handle data.

"A lot of these security rules were written by non-IT people, and they aren't specific enough to give IT professionals a clear idea of how to set up security - and there are a lot of different ways to do it," said Aric Bandy, CEO of Agosto Inc., a Minneapolis IT outsourcing company that does work for Goodwill Industries, the Minnesota Wild professional hockey team and Dunn Bros. Coffee.

"One client wanted us to ensure we had control of who was physically able to access a computer server in our data center," Bandy said. "We already had card access to the data center, personal identification numbers for data access and a guard. But that wasn't enough: They wanted a camera focused on that server, and we had to do that."

Some outsourcers try to spare themselves that kind of anguish by launching a pre-emptive strike: They hire a company such as FRSecure to do a security assessment and develop a security plan that may help ward off some of the more unnecessary security demands of big clients.

"We'll do a security assessment so the vendor can push back on the security demands of the big company," Orth said. For example, if data encryption is too expensive, an outsourcer should develop a less-expensive alternative, such as surveillance cameras or documented procedures to destroy old disk drives, he said.

That strategy worked for FRSecure customer Action Inc., a Plymouth, Minn., direct-mail company that works with banks, health care institutions, insurance companies and schools.

"The first time you get audited for security, it can be a bit onerous," said Tony Zirnhelt, Action president. "But now we've taken a proactive approach to data security, such as employee training, cameras, data access control, even hiring someone to try to break in through our . We now use our data security in our pitch to prospective clients."

That may be the most practical solution at a time when data is so ill defined, said consultant Marsh.

"You could encrypt and secure everything to the nth degree, but that would cost a lot of money," Marsh said. "So there's a balance, and each institution has to figure out what that balance is."

Explore further: Twitter blocks two accounts on its Turkish network

5 /5 (1 vote)
add to favorites email to friend print save as pdf

Related Stories

Wake-up call to business: Tighten up on information security

Jun 30, 2008

According to the Department of Trade and Industry there are 4.5 million businesses in the UK of which 99.3% are small to medium sized enterprises (SMEs), employing 0-49 employees. These comprise 58.9% of the total workforce ...

Fixing the Cyber Security Problem

Sep 01, 2009

(PhysOrg.com) -- Our flawed approach to cyber security needs a dramatic overhaul -- and courts should lead the way to reform, argues Edward Imwinkelried, a professor of law at the University of California, Davis, and one ...

Recommended for you

LinkedIn membership hits 300 million

Apr 18, 2014

The career-focused social network LinkedIn announced Friday it has 300 million members, with more than half the total outside the United States.

Researchers uncover likely creator of Bitcoin

Apr 18, 2014

The primary author of the celebrated Bitcoin paper, and therefore probable creator of Bitcoin, is most likely Nick Szabo, a blogger and former George Washington University law professor, according to students ...

White House updating online privacy policy

Apr 18, 2014

A new Obama administration privacy policy out Friday explains how the government will gather the user data of online visitors to WhiteHouse.gov, mobile apps and social media sites. It also clarifies that ...

User comments : 2

Adjust slider to filter visible comments by rank

Display comments: newest first

ArtflDgr
not rated yet Nov 10, 2011
oops... i guess its just one more problem the central planners and social engineers didn't think of before they decided to all get on a bandwagon and through haste and a desire to get nowhere faster, turn what is a good thing into a bad thing. like drinking a weeks water in a day, or a days in a minute...
wirtaw
not rated yet Nov 12, 2011
...more job for IT specialists, bigger salaries

More news stories

Making graphene in your kitchen

Graphene has been touted as a wonder material—the world's thinnest substance, but super-strong. Now scientists say it is so easy to make you could produce some in your kitchen.

Low tolerance for pain? The reason may be in your genes

Researchers may have identified key genes linked to why some people have a higher tolerance for pain than others, according to a study released today that will be presented at the American Academy of Neurology's 66th Annual ...

How to keep your fitness goals on track

(HealthDay)—The New Year's resolutions many made to get fit have stalled by now. And one expert thinks that's because many people set their goals too high.

Less-schooled whites lose longevity, study finds

Barbara Gentry slowly shifts her heavy frame out of a chair and uses a walker to move the dozen feet to a chair not far from the pool table at the Buford Senior Center. Her hair is white and a cough sometimes interrupts her ...