ECommerceTimes.com

Are Outsourced Operations Ever Secure Enough?


Overseas outsource service providers can be maniacal about security. "It is in their best interests to do so," says Akiba Stern, a partner with Morgan, Lewis & Bockius in New York who specializes in outsourcing. "The last thing a big name service provider needs is a well publicized security breach that happened at their facility."



Accessing the Internet in India can be a major problem, discovered Akiba Stern, a partner with New York-based Morgan, Lewis & Bockius, on a recent visit to an outsourcing service provider's facilities there. It wasn't that the firm's connectivity services were poor. Rather, its security processes were so tight that there was only one room in the building that permitted access to the Internet -- and even that access was fairly constrained, the outsourcing specialist told CRM Buyer.

From that point, it steadily got worse -- or better, from a security perspective. Stern and executives from the client firm wanted a room that had full Internet access for their meeting with the service provider. "That practically took an Act of God to accomplish," he said, with the CEO having to get permission from the chief of security to open access to an Internet-ready room.

Overseas outsourced service providers can be maniacal about security, as Stern's experience illustrates. "It is in their best interests," he says. "The last thing a big name service provider needs is a well publicized security breach at their facility."

That said, firms should still be vigilant about the security of their data, physical buildings and employees when looking to outsource operations overseas. For starters, not all overseas facilities employ security measures as stringent as the firm Stern visited. Also, differing legal regimes and enforcement standards can be a problem as well.

Following the Standard

For these reasons, firms that outsource sensitive business processes should look for a provider that has met certain certifications, advises London-based Suvradeep Bhattacharjee, principal analyst at the business process outsourcing consultancy NelsonHall and the person responsible for its customer management services program.

"Legislation and regulations are different, of course, around the world," he tells CRM Buyer. "That is why it is best to look for a facility that conforms to international security standards." One standard for dealing with information security threats is ISO 27001:2005. Best known for its manufacturing certifications, ISO (International Standardization Organization) sets standards for numerous business processes, from transportation and quality controls to safety.

Many Indian facilities have ISO certification, Bhattacharjee says, which accounts in part for the growing number of financial institutions -- especially British banks -- that have located back-office operations there. "In general, you see certain breaches every now and then -- but they make headlines because they are so rare."

Supplementing the Standard

Luxoft, a Russia-based software developer and global provider of IT outsourcing services that has operations in the U.S., UK, Ukraine and Russia, received certification to this standard in April -- the first company in Russia and Eastern Europe, and the first offshore software development company in the CIS (Commonwealth of Independent States) to do so, according to the firm.

However, Luxoft -- which boasts a state-of-the-art physical security infrastructure including alarms, motion detectors and patrolling guards, as well as a zero penetration rate of Internet malware -- has found that client requirements can be even more demanding.

"Client awareness of security issues is very high," Moscow-based Ivan Gavriluk, chief security officer for Luxoft, tells CRM Buyer. "Not only do they expect their service providers to meet international standards -- but usually the largest firms have their own additional standards that we must meet as well."

Most of the clients' major concerns center around data protection and IP protection, he says. As an example, Gavriluk describes Deutsche Bank's requirements in this area. They can be summed up in one word: "segregation" -- segregation of everything from employees who work on the Deutsche Bank processes to data storage.

"Deutsche Bank has dedicated channels on which they perform their data exchanges to other offices. They have a physically separate center with card readers accessible only to people who work for Deutsche Bank."

Other security features include a completely separate local area network, separate data backup, separate storage, and a policy requiring administrative staff to sign nondisclosure agreements with Deutsche Bank.

The bank's disaster recovery criteria are also stringent, Gavriluk notes, allowing just a few hours for the process. Indeed, it has become a de facto best practice for firms most concerned about security to design their own processes to supplement the ones that the provider already has in place.

Asking the Right Questions

A few years ago, one major Wall Street investment bank's decision to begin offshoring its back-office operations was met with considerable angst within the institution.

"Up until then, the company had no history of offshoring," said Peter Nag, now managing director of Manhattan-based consulting firm Opera Solutions, who managed the bank's offshore operations at the time. "It was a huge cultural challenge," he tells CRM Buyer.

The company sent senior management to the offshore locale to oversee operations. "It wanted its own eyes and ears there -- not just security cameras, which it also had," Nag remembers.

The financial firms and other companies that Nag advises today have the same fears over outsourcing operations. Many of them do not fully understand how much is involved in the process of establishing or replicating stateside security processes overseas.

"There are so many issues to address," he says, listing just a few: "Should there be a server farm in India or not? Should you use full connectivity for access? What level of business continuity planning should you have -- double or triple backup plans? What about site outages? Should you have dual backup sites? How strong is the intrusion detection system? What about the disaster recovery capabilities?"

Seeking Assistance

Despite the knowledge store that has developed over the last several years, firms continue to make mistakes when outsourcing processes, Nag says. One is not developing in-house expertise. "You want to bring in people -- either through hires or as consultants or a combination of both -- who know how to do this right from the beginning. Early mistakes can be very costly."

Another source of assistance that too many firms overlook is the service provider itself, he says. "Always collaborate with the service provider and the industry network in the country [in which you're operating]."

It is best to get the service provider onboard, as it is likely to be the client's first line of defense when dealing with local enforcement, Stern agrees.

"In a lot of countries the laws aren't robust, and even where they are, enforcement may not be very good," he says. "One thing you have to recognize is that even if you do have certain legal rights -- as a foreign actor in a new locale, it can be difficult if you don't know how things get done down there."

He advises firms to build incentives into their contract that encourage the service provider to take the lead.

For instance, some countries have established limits on the amount of liability recoverable in court. "This is an area that you want to carve out in your contract so the supplier will make you whole for monetary damages," Stern says. Other clauses he recommends include spelling out the steps a service provider would follow if a breach were to occur. Also, it wouldn't hurt to get permission to do spot audits and penetration tests of the supplier's system, he adds.

The supplier usually understands the client's concerns, Stern points out. "I have found the supplier community takes these concerns very seriously."


By Erika Morphy