Security Manager's Journal: Security is late to the offshore party
I've just become aware of a major vulnerability that my company's top executives exposed us to -- and of course I didn't learn about it directly.
At issue: News about an offshore contract arrives after the fact, and there's no real money for making sure shared data is secure.
Action plan: Get up to speed fast, and find ways to protect sensitive information without spending much money.
Whenever you connect two companies' networks together, you have to make sure neither company can get its hands on anything it isn't supposed to have access to. At the very least, you have to set up some kind of firewall or access control, and encryption would be a very good idea as well.
Why were we talking about network connections? That's where things get interesting -- and a little scary.
It's an old story, really. Our top executives decided we needed to outsource a people-intensive function to an outside provider that can hire workers more cheaply than we can. As is usual in such cases, the vendor is located in another country.
But the function being outsourced is part of HR, and that means the third party will be handling some of the most sensitive -- and most highly regulated -- personally identifiable information we possess.
Information security continues to mature as a profession, but the need for strong security measures remains an afterthought for most executives. That's what happened here. A contract was negotiated and signed, and no one thought to ask me a single question or even tell me what was going on. Now, too late, it's my problem.
That signed contract is the worst part. Had I been consulted, I would have advised putting the burden of providing secure services on the vendor. At this point, though, the vendor, quite naturally, is taking the position that we are responsible for any costs associated with adding security, including any costs that arise from taking up the time of the vendor's employees. We, of course, are not keen on spending a lot of money; after all, this contract exists because we were interested in saving money.
nother Bad Idea
Back to the problem at hand: I said we'd need firewalls and encryption before the service provider could have access to our network, but that meant the connection couldn't be set up as quickly as the executives wanted. Meanwhile, they want to burn the sensitive private data onto CDs to send to the vendor. Yikes! Compact disc -- a medium that will still be around long after our company has turned to dust. I can't get behind that idea. We'll have to either encrypt the data before burning it to CD or find another, more secure way to move it.
I'll soon be traveling overseas to visit that third-party vendor and see firsthand what kind of security practices it has internally. I have no idea what I'll find there, but I'm hoping I'll discover that the service provider is experienced enough in dealing with the private information of its customers that it already has good internal controls in place.
Maybe some good will come out of this. Our executive team now understands that we could get into a lot of trouble if we don't perform due diligence in protecting the personal information we're responsible for. Perhaps they'll think of security sooner next time. I'm not getting a lot of resistance from upper management, which is good, but I need to keep the costs of tacking security onto this service as low as possible. This supposedly money-saving plan is suddenly not looking as cheap as expected. That's not going to make me popular. But I guess I don't get paid to be popular.