How to stay secure when going offshore
Commentators in Computing have been writing a lot about the security threats facing us all in the IT industry these days. Offshore outsourcing opens companies up to cross-border risks far beyond the usual organisational threat, and with global supply chains comes greatly increased risk to the company.
Recently, I’ve been fielding more calls than usual from commentators in the industry trying to gather information on the security threats involved in offshoring. Newspapers have been calling, company leaders have been calling, and even the UK government has called me on this topic. And yet, I’m wondering to myself, what has changed recently? It’s always worth recalling a few basic points about offshoring risk though and keeping those thoughts fresh.
The main security threat everyone is afraid of in the offshore environment is a breach of personal data: employee or customer data being ‘lost’ or sold on the information black market. This is typically the fear of those with customer contact centres, who therefore employ a large number of people with access to the customer data of their own organisation. There have been a number of newspaper sting operations and even a Channel 4 documentary about this over the past couple of years. We all know the story: a low-paid offshore call centre worker ready to sell personal financial data on UK consumers for a few meagre dollars. Only the money is not so meagre these days, so we might expect the risk to be increasing, as criminals are getting savvier about how outsourced operations function.
I think there are three quite separate areas you need to audit and examine if you have an existing commitment with an offshore supplier that involves the processing of sensitive data, or if you are considering which supplier to use:
Legal: In the legislative environment you have chosen, what kind of deterrent does the law provide to help prevent information theft? If there are measures in law to protect you, then what actual case precedents exist? It may be that the law exists, but the process of going to court takes many years or is just too painful for other reasons, so try to determine how well the law really protects you.
Process frameworks: You want the supplier to guarantee it will use process frameworks such as BS7799 to ensure that the business processes are secure, according to internationally agreed guidelines.
Additional measures: On a company-by-company basis you will observe that some suppliers go much further and are more secure than the process frameworks require. Make sure you determine how secure you need to be, and work with a supplier who understands that data is not secure just because they passed a security audit.


