An epic problem

“Mommy and Daddy, where do hackers come from?” 

If your child asked you this question, one of the most accurate answers would be Russia.  If you ask someone this question in the information technology security field, you are likely to get that answer.  It has been a long known fact in the I.T. world that a majority of hackers and malware originate from outside the United States, with Russia being one of the primary sources. 

This is no fairy tale!  This fact has been substantially confirmed over the past years by literally thousands of security incidents involving hackers from Russia and Eastern Europe, affecting both individuals and businesses.  Spamhaus.com reports that 7 of the top 10 spammers in the world are based in the former Soviet Union and an article published by Bloomberg Businessweek in October 2010 titled Russia’s Cybercrime Thrives as Schools Spawn Hackers sums it up with a quote from U.S. Senator Kirsten Gillibrand, “the cybercrime threat coming from Russia is significant and growing.” 

I want to be clear that the security threats are worldwide, not just from Russia. Several other countries stand out as well such as China, where hackers have gotten a lot of attention lately, especially with last year’s Google Gmail hack which targeted many top U.S. companies.

Elsewhere, India’s outsourcing industry has suffered from a number of security scandals over the years, including an HSBC call center employee based in Bangalore who was accused of selling customer credit card details to people in Britain, who then skimmed thousands of dollars from the customers’ accounts.

Factoring in the threats coming from other countries and our own, the threat of hacking and identity theft is at epic proportions.

Why it matters to your agency

This is occurring halfway across the world, so what does it matter to you and your agency?  The fact is that even though these crimes originate from a land far, far away, they can affect your agency.  The purpose of this article is not to scare you, but to shed light on the fact that some I.T. companies, although based in the United States, keep service and support staff overseas.

You may not realize it, but if your I.T. service firm outsources its services, some of your critical information can be in the hands of support technicians located overseas.  More importantly, if you are familiar with your IT provider’s staffing, do they have measures in place to ensure your data will remain secure, with protection against this liability?

The reasons can vary, but increasing competition and pressure to cut costs are often motives behind support staff outsourcing.  But at what cost does a company trust their outsourced staff whom they probably never met?  It potentially puts their client’s networks and vital information including names, social security numbers, credit card numbers, and more in jeopardy.  Not to mention, it doesn’t support the domestic economy.

What to look for

In light of potential problems, there are some simple steps to take when considering the security of a potential I.T. service provider.  So, what can you do if you want to receive the full support of a 24 x 7 I.T. staff without risking the outsourcing of your network overseas?  There are a few simple questions that one should ask when making an assessment.

·         Where is their network operations center (NOC) located and staffed?

o    Do they have secondary services provided from outside the NOC?

·         Do they outsource any of their operations or service work overseas? If so,

o    Where are they located?

o    Do they have direct access to our system?

§  If so how is that access supervised, documented and logged?

·         Does any of the code contained in their software originate overseas?

o    If so which products are those?

·         What measures do they have in place to ensure their client’s networks are secure?

·         Have they visited the overseas location(s)?

·         Have they met every single engineer, who services your system?

·         What are the technical credentials of the remote workers?

·         Are they bonded and is the work performed by the outsourced employees covered?

·         Do they have a Cyber-Insurance policy with the proper coverage for potential incidents?   

For addition information, the SANS Institute, a leading organization for security training and resources, released a report called, “A Security Guide for Acquiring Outsourced Service.” 

Conclusion

In today’s world outsourcing your I.T. service and support may be necessary to get the talent and knowledge needed to keep the competitive advantage, but when doing so you must choose your providers carefully.  Know who will be accessing your system, what they are doing, and where the service originates from.  Make sure the hand that rocks your server doesn’t wreck your agency’s reputation and finances.