IT Outsourcing: Information Security is a Process, Not a Destination

In recent years, the IT outsourcing market has shown stable growth. According to Gartner, the size of the global IT outsourcing market will reach 252 billion U.S. dollars in 2012, which is 2.1% more than in 2011. Yet some companies still hesitate when deciding whether they should outsource a number of selected tasks to a third party. Mostly, this hesitation is tied to the risks that—according to some market participants—are an inherent part of the outsourcing industry.

In particular, outsourcing often involves risks associated with the disclosure of confidential information. It is well known that the master of the information is the master of the situation. In business, it is difficult to overestimate the importance of information, including information about customers, trade secrets, expertise, personal data of employees and/or customers, and more. Information is one of the key assets of every company; it is not surprising that many executives are concerned that their information could fall into the hands of competitors, be used improperly, or simply be lost.

Information leakage results in lost funds, damaged reputations, and eventually the loss of a hard-earned market position. Consider the numerous patent lawsuits involving big IT market players. In this context, the caution of many companies that are considering outsourcing is understandable. Are they right to be worried?

Statistics show that in most cases, the leakage and loss of information are the fault of company employees. Causes include, but are not limited to, inefficient information security arrangements, human recklessness, and the pursuit of self-interest (i.e., the desire to sell information for profit). Some cases have become the subject of numerous discussions (i.e., regarding whether the loss of information was a unique marketing ploy), but serious companies do not enter into such ventures readily.

In this context, the results of the study conducted by PricewaterhouseCoopers (PwC) in 2012 are quite representative. Of the large organizations that participated in the survey, 82% said that the security breaches they had to deal with were caused by the actions of their employees. In 47% of cases, security breaches resulted in data leakage or loss. The main problem here was not the lack of security policies in the companies or the use of third-party providers’ services; it all came down to the fact that the employees did not understand the consequences of their actions.

Today, data protection is important for all companies regardless of whether they hire third-party service providers to perform tasks that require access to the information. Primarily, it is associated with the expansion of the business infrastructure using cloud, mobile technologies, big data, etc. This increases the number of possible threats and the need for up-to-date and more effective security measures.

Thus, every company has the right to expect that the outsourcing provider will give its clients a level of data protection and security that is, at the very least, equivalent to the level employed by the customer itself.

As a rule, this is exactly what happens. We should not forget that the success of every outsourcing company depends 100% on its reputation and the trust of clients. No outsourcer wants to risk their professional reputation, so providers are fully committed to compliance with all information-security requirements with the aim of preventing data leakage caused by employees.

For instance, when clients outsource software development and/or testing to Auriga, they can be sure that the following security measures will be applied:

  • Auriga’s IT infrastructure is regularly scanned to detect and eliminate threats and vulnerabilities;
  • Auriga uses up-to-date security measures, such as anti-virus systems, firewalls, systems for the prevention and detection of intrusions/attacks, logging systems, etc.;
  • The IT Department journals and audits traffic;
  • Only secured protocols are used for all internal and external connections (SSH, HTTPS, SFTP);
  • Complex backup system;
  • Disaster recovery;
  • There are a number of enforced information-security policies and rules, including, but not limited to, confidential data-storing rules, rules for data exchange with customers, Internet-usage rules, etc.;
  • All employees sign an NDA;
  • All employees are briefed and complete information-security training sessions;
  • All resources are protected by access rules, so only authorized individuals have access to client information;
  • Physical security provision: security badges (for employees to access the premises), visitor journaling, video control system with motion-detection recording for area access and critical rooms.

Based on the client’s request, in some cases, our engineers can work on-site while the rest of the team works on the client’s project(s) in Auriga’s offices. For example, this model is used by one of our largest clients, the global leader in its segment. Some of the projects are carried out at the customer’s premises, while a number of tasks are worked on directly at Auriga, as the client is aware that our company employs the most up-to-date and reliable information security measures.

Within the framework of specific projects, Auriga’s engineers (with the assistance of the IT Department) employ data-protection tools such as dedicated resources: servers, products, hardware, and dedicated real and virtual IP address pools for specific projects. In addition, dedicated LAN segments for workstations/servers can be arranged with access only provided to the team and the client. Team servers are deployed in secured and UPS-protected server rooms with limited physical access.

Upon the client’s request, additional means of data security and protection can be arranged.

Moreover, Auriga constantly improves the processes related to the protection of data and information, which allows us to provide a very high level of data safety and protection in strict accordance with existing industry standards. According to Auriga’s IT Department Director Dmitry Ivanov,

“Information security is a process, not a destination. Today, no company can afford to tread water when they think about data security. It is necessary to move forward, be aware of recent developments in this area, and use the most up-to-date tools to protect information.”