IT Managers Still Believe Outsourcing Poses Security Risk

Outsourcing is a fact of life now in corporate business, so much so that a recent YouGov survey found that 89 percent of IT managers in large UK companies have outsourced at least one IT system.

However, the same research commissioned by NCC Group, also found that 20 percent of IT managers believe that outsourced systems are less secure than those based in-house, “indicating a lack of confidence in outsourcing.” This is despite a separate PA consulting report that said that 31 percent of companies plan to outsource more over the next year, “suggesting that company bosses are more concerned with cutting costs.”

Meanwhile only 64 percent of the IT managers at medium-sized businesses surveyed expect their companies’ suppliers to have formal security procedures and policies in place, compared to 78 percent at large companies.

The NCC Group said that the outsourcing providers should be able to prove their IT security credentials.

“The security industry and IT managers are calling for suppliers to prove they are secure, yet companies choosing to outsource business critical systems simply aren’t asking the right questions, and are putting business critical functions at risk as a result,” said John Redeyoff, head of 365 assured at NCC Group.

“Businesses that fail to check their suppliers’ credentials, choosing cost and convenience over security, are investing in false economy.”

Meanwhile one analyst believes that there is no reason why outsourced systems should be any less secure than their inhouse brethren. “Obviously, there is always going to be a doubt about the benefits of outsourcing from internal IT teams, as in many cases outsourcing often results in reduced headcount,” said Nick Mayes, senior analyst at PAC Consulting.

“In reality, good security management practise should apply to both externally and internally managed systems,” Mayes added. “There is no reason why outsourced systems should be less secure than inside systems. Indeed, many outsourcers often have more rigorous security polices and processes, and in many cases they can improve the level of security that is provided.”

“Of course, when you take examples of security breaches, both internally and externally, if the security breech is external, it will always be a higher profile than an internal breech,” he added. “When you use an external partner it is easier to point the finger at them and say they didn’t do their job.”