As you may have noticed, outsourcing is on the rise. It is not just Ubers and the gig economy: IT and security outsourcing are among the main areas affected by this trend. According to Gartner, outsourced IT services are predicted to grow at 6-8% over the next five years, while in-house IT services stay flat.
Outsourcing IT services offers several benefits: cost savings, access to specialized skills, agility, and many more. However, it also carries massive risks, including the potential to dramatically increase your overall threat surface.
The impact of outsourcing
54% of data breaches are caused by negligent workers or contractors clicking on suspicious emails and websites, up from 48% in 2016, according to cybersecurity research.
The rise in data breaches due to malware is tied directly to endpoint device management, contractor VPN access, and privileged credential management. Often, contractors or consultants use their own laptops and work from cafes, airports, hotels, or home on networks that are neither encrypted nor protected. By using their own endpoint devices, they risk introducing unwanted software into enterprise networks and applications. Also, contractor VPN access does not stop malicious software from entering corporate networks, nor does it isolate contractors to only the applications they have been granted access to.
Managing privileged system credentials (corporate secrets) is equally important, as consultancies reassign tasks between staff, onboard new members rapidly, and offboard people when projects complete. The credentials that grant access to sensitive data and mission-critical applications become a risk when contingent workforce members can exchange them with each other via email or other unencrypted mechanisms.
The role of compliance
For industries where data is especially sensitive, such as financial institutions, the risk only increases in today's environment of expanding regulatory controls and organizational compliance. As such, organizations and their leaders, particularly CISOs, CIOs, CSOs and risk management leaders, must rethink their current approaches to vendor management and workforce compliance. For example, the Consumer Financial Protection Board (CFPB) has increased its scrutiny of financial institutions' vendor management processes and frameworks in the wake of the 2010 Dodd-Frank Act.
Frequently, IT services vendor compliance rules are defined only in contracts and audited only through manual processes. This is no longer sufficient. Information, risk, compliance, and security teams must balance the need to be agile, reduce IT costs, and access specialized skills against the requirements for audit (SOC 2, OSFI, FIPS, GDPR, ISO), compliance, governance, and security.
The need for a comprehensive solution
Point solutions stitched together only continue to increase risks in today's environment. To combat these growing risks, organizations and their leaders need an all-encompassing solution that de-risks IT outsourcing and vendor management and provides a business solution for audit, compliance, governance, and security.
Luckily for CISOs and CROs, Tehama is a comprehensive platform that gives business and technical leaders the confidence and trust that their IT services providers can securely deliver services from remote locations or onsite. Our platform ensures CISOs, CROs, and their organizations can adhere to national regulatory requirements globally and provides the audit, compliance, governance, and security capabilities they need to stay agile. Find out more about Tehama at tehama.io.