When it comes to operating costs, human labor is the most
significant expense for any company. It has long been a common practice for
companies across the globe to look for—and find—cheaper goods and services in
other countries.

It’s a fact of life that successful companies minimize cost
to maximize profits. Since the major cost for companies is human labor,
minimizing that cost with overseas outsourcing is one way to increase
profitability. Outsourcing labor to other countries as a cost-savings measure
is nothing new.

In the information age, it’s a common practice for companies
to outsource business functions overseas that they don’t consider
“cost-effective” domestically. This is where traditional methods
collide with Internet and information security.

I am by no means suggesting that companies shouldn’t
outsource their business functions overseas. However, it is imperative that
companies make sure they enforce the same rules and regulations that apply
domestically.

Cheaper labor doesn’t always translate directly into cost
savings. Many companies neglect to consider factors other than cost when
outsourcing overseas, such as security and privacy.

For example, one company outsourced to another until medical
records for a California hospital ended up in Karachi, Pakistan. A medical
transcriptionist in Pakistan threatened to publish patient records on the
Internet because her employer had not paid her.

It wasn’t good publicity for the hospital, and it was a terrible
breach of security and privacy for the people involved. And, because the woman
works in another country, U.S. regulations are virtually unenforceable.

There are also numerous cases where audits of software
developed overseas have uncovered unexpected vulnerabilities. Make no mistake:
The same security concerns apply for any company using offshore technical
services, especially when the Internet is involved.

Companies expecting to save costs by using overseas labor
may find that saving money is less important than protecting information
security. While there’s no way to completely ensure security, there should
certainly be restrictions on what exactly companies can outsource. In addition,
there are some areas that companies should never outsource in the first place.

Remember: Outsourcing takes security out of your company’s
hands and puts it into the hands of another organization—and you must be sure
you can trust its security measures completely. Companies need to monitor their
own behavior when it comes to offshore outsourcing.

In my opinion, it’s inevitable that companies will
eventually change their economic models to include information security. But in
the meantime, most companies forget entirely about security and privacy
concerns in an effort to save costs.

Jonathan Yarden is the
senior UNIX system administrator, network security manager, and senior software
architect for a regional ISP.