IT Outsourcing Risks
When a third-party service vendor starts providing
an outsourcing service, the vendor may be given
access to internal information, which can pose
certain risks to the organisation:
- the provider gains intimate knowledge of the
people, IT infrastructure, procedures, approval
channels, and even the weaknesses and limitations
of systems (including both IT and non-IT systems)
currently in place.
- the provider may be processing and handling
critical information, systems and assets, and
hence have access to sensitive or personal information.
- the provider may have valid user IDs and passwords
with authorisation to access certain highly
sensitive systems logically and/or physically.
Attackers and those with criminal intent may
try to get hold of this internal operational information
and use it for malicious social engineering activities.
Combined with rapid advances in technology
such as email and the Internet, removable storage
devices (e.g. small USB flash drives), and easy
remote access to the organisation's information
system, the risks associated with misuse of the
system and data theft (including intellectual
property theft) due to insider infiltration should
not be underestimated.
In fact, failing to promptly terminate system accounts
and revoke the access rights of staff who are
leaving the organisation may introduce security
loopholes. In the worst case, if the systems in
place do not provide for accountability and proper
logging procedures, fraud as well as data security
breaches and breaches of privacy can occur without
leaving any trace behind.
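
One way to check for late account termination is to reconcile an account export against known departure dates. This is an added example, not part of the original page; the field names, user names and dates are constructed for illustration.

```python
from datetime import date

# Constructed sample data (not from the page): an account export and a list of
# departure dates as HR or the outsourcing contract manager might supply them.
ACCOUNTS = [
    {"user": "v-chan", "type": "vendor", "enabled": True, "last_login": "2024-03-18"},
    {"user": "v-lee", "type": "vendor", "enabled": False, "last_login": "2024-02-27"},
    {"user": "jwong", "type": "staff", "enabled": True, "last_login": "2024-03-20"},
    {"user": "v-ng", "type": "vendor", "enabled": True, "last_login": "2024-01-05"},
    {"user": "v-ho", "type": "vendor", "enabled": True, "last_login": None},
]
LEAVERS = {"v-chan": "2024-03-01", "v-lee": "2024-02-29",
           "v-ng": "2024-02-15", "v-ho": "2024-03-10"}
AUDIT_DATE = date(2024, 3, 21)


def audit_leaver_accounts(accounts, leavers, today):
    """Flag accounts left enabled, or used, after their owner's departure."""
    findings = []
    for acct in accounts:
        left = leavers.get(acct["user"])
        if left is None:
            continue  # owner is still engaged
        left_on = date.fromisoformat(left)
        if left_on > today:
            continue  # departure is scheduled but has not happened yet
        last = acct["last_login"]
        used_after = last is not None and date.fromisoformat(last) > left_on
        if not (acct["enabled"] or used_after):
            continue  # revoked, and no recorded use after departure
        findings.append({
            "user": acct["user"],
            "type": acct["type"],
            "days_overdue": (today - left_on).days if acct["enabled"] else 0,
            "used_after_departure": used_after,
            # No login record at all: use cannot be confirmed or ruled out.
            "usage_unknown": last is None,
        })
    # Accounts with recorded use after departure first, then longest overdue.
    findings.sort(key=lambda f: (not f["used_after_departure"], -f["days_overdue"]))
    return findings


if __name__ == "__main__":
    for f in audit_leaver_accounts(ACCOUNTS, LEAVERS, AUDIT_DATE):
        print(f)
```

An account with no login record at all is reported with usage_unknown set, which is the "no trace" case: without logging, use after departure can be neither confirmed nor ruled out.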