When the Channel 4 programme Dispatches announced it had been able to obtain
the personal banking details of UK consumers, alarm bells sounded throughout the
outsourcing community. But it’s not the first time such a blunder has been made.
Over a year ago, when a tabloid newspaper claimed it had purchased the
financial details of customers of several UK banks from an employee of an
outsourcing supplier in Delhi, there was equal dismay.
These breaches in security involving some of the biggest names in the
financial services sector have sparked concern over data management security in
outsourcing and caused customers and companies to question how safe their data
is in an outsourced environment.
The real issue was not that the call centres were offshore; there is nothing
to suggest that foreign call centre workers are any less moral than those in the
UK. But it does go to show that security breaches take many forms.
They can come in the shape of internal risk, such as data being stolen or
misused by an employee; external risk from outside the company, for example from
a hacker; and IT risk, which may be a threat posed by a virus.
The woolliness around the division of responsibility for security protocol is
often the reason behind security lapses. When working with a supplier, the issue
of responsibility is always a potential problem. This can often be exacerbated
by an ‘out of sight out of mind’ attitude that too many companies have with
Letting a supplier act independently of an organisation is risky and may
result in misaligned data management objectives and achievements. Contracts
should be structured to clearly define areas and divisions of responsibility.
Careful management and service level agreements are necessary to ensure that
there are no holes in any process.
As the problems behind security issues in outsourcing are often contractual,
there can be a power struggle between the end user and the supplier over who
leads the policy and who implements the operational aspects.
However, it does tend to be the end user who has the strategic influence and
drives the initiative. But this should be done in close collaboration with the
supplier, who will then be responsible for implementing the security procedures.
An outsourcing project, like any other business environment, can never be 100%
secure. However, with forethought and insight, organisations can do their best
to protect themselves.
Andrew Rigby is a partner at Addleshaw Goddard