Network security risks multiply when enterprises begin outsourcing

The network security risks of outsourcing technology jobs offshore are weighing heavily on the minds of IT executives, according to a survey — and with good reason. Opening network access to overseas firms without the right protections in place could leave an enterprise vulnerable to a network security breach.

“People don’t put in the same controls they would have for a remote employee,” said Rob Ayoub, global program director of network security at Frost & Sullivan. “The challenge becomes that those are added costs, and when you’re outsourcing to save money [while] you have to put in these compensating controls … it’s no longer such a savings.”

Organizations outsourcing technology jobs offshore in 2009 were “significantly” more likely to report an unauthorized network intrusion than those that didn’t, according to the 5th Annual Security Survey of IT Executives / Network Administrators by Amplitude Research Inc., commissioned by VanDyke Software.

Sixty-nine percent of 350 respondents said they generally felt outsourcing put network security at risk. Even many of the IT professionals within organizations that actually do outsource IT functions believe that outsourcing carries a network security risk. Of the 29% of respondents who said their companies outsource, half said this practice has a negative impact on network security.

“Certainly, when you outsource your work — say, outsourcing software development to somewhere like India — that does add a risk,” Ayoub said. “You have to implement protections around that to make sure your codes are not being stolen and limit access directly into your network controls.”

Applications can be targets for a network security breach

Hacks or unauthorized intrusions afflicted 42% of organizations in the past year, down from 48% the year before. When the survey began in 2005, 44% reported intrusions.

“Everyone is really good at patching Windows, and everyone’s pretty good at patching Office,” Ayoub said, but often they leave openings in other applications, thinking they won’t be targets. “I’m not looking to get into Adobe to get your PDF. I exploit a vulnerability in Adobe to get a good foothold into your network.”

Network security risks afflict even those who don’t outsource IT

But even organizations that keep their entire IT shop in-house can become vulnerable to the risks of outsourcing. Luis Wiedemann, a network manager for Florida-based law firm Broad and Cassel, has dodged any push to outsource his department, but he still faces pressure from vendors to expose his network to ordinarily unauthorized users.

“All of our application vendors insist on setting up a WebEx or GoToAssist session so they can take control and fix the issue themselves,” Wiedemann said.

“They also give me an attitude when I, depending on my mood, refuse access to our servers. They’re also putting these remote access demands in contracts as well, indicating they can’t guarantee support if they don’t have unhindered access to the servers their applications reside on,” he added. “This is a tough pill to swallow for any security or network admin and brings a tremendous amount of fear for the integrity of security, should something go awry from leaving RDP [remote desktop protocol] opened to the Internet.”

Network administrators presented with those ultimatums ought to look for different vendors. Vendors that outsource support have to be upfront with customers about their security best practices if customers are to trust them, Ayoub said.

“Customers have to vote with their dollars,” he said. “We do need a shift in mindset and willingness to stand up to some of the vendors on some of these issues. It’s a really, really tough challenge, but hopefully, if you’re a large enough institution, you could say, ‘I’m not going to do business with you without some kind of local support,’ [or ask] ‘What kind of compensating control do you put on that?’”

From: Jessica Scarpati, News Writer