Theft of Outsourced Customer Data Growing Challenge for Corporations

Bracknell, UK (23 June 2005) – In the wake of today’s reports about outsourced customer data being sold in India, it is clear that enterprises need a strategy for ensuring that the same security standards they place on their corporate data are being placed on the companies they partner with across the globe to process their customers’ financial and personal information.

Paul Henry, an IT security industry expert with CyberGuard Corporation (NADSAQ: CGFW), has created a list of recommendations for enterprises to ensure that their customer data is not compromised and they can continue to enjoy the benefits of outsourcing critical data to the right partners.

Mr. Henry serves as an expert commentator for a variety of media outlets, including NBC Nightly News, CNBC-Asia, Power Magazine, Secure Computing Magazine, ISA Publication Industrial Computing, the Miami Herald, San Francisco Chronicle and many others.

“I am appalled at the apparent disregard for network security we are seeing in offshore outsourcing firms,” said Mr. Henry. “One can only assume that part of the cost savings that European firms who choose to outsource are benefiting from is due to the reduced expenses the outsourcing partners have in not having to meet the same security standards as European organizations.”

Added Henry, “In view of the lower wages and hence lower cost in outsourcing one must also consider that the cost to potentially compromise an individual’s integrity is also proportionally lower with that same outsourcing partner. In light of this consideration clearly the security controls set in place for an outsourcing firm must be more stringent than those that would have been in place had the organization kept the task in house.”

Henry concluded, “First, as we recommend to companies across the globe, a strong security policy must be put in place and followed vigorously. Then you must be extremely careful to ensure that the companies you outsource data to fully support the policies, procedures and technical safeguards you have put in place to protect your client’s personal information. A chain is only as strong as its weakest link – don’t let your outsourcing partner become your weak link. This goes beyond perimeter security to include physical security as well as both access and application controls. We are starting to see this problem in India, and unless enterprises are diligent protecting their data it will explode out of control like identity theft.”

Paul’s recommended tips:

o Firms that outsource their data to call centers should ensure that the security policy, procedures and technical safeguards utilized by the outsourcing partner are equal to or better then their own;
o Both regular and random risk assessments should be carried out on the call or outsource center, especially if it is located in a high commercial risk area geographically where bribery and corruption are endemic. Risk assessments should cover all 10 domains of network security and should not be limited to gateway security.

At the call center the following should be done:

* Encrypt all data in storage and in transit;

* Physical security controls should be in place to mitigate the risk of data leaving the facility via magnetic or optical media, recording devices, cameras and hard copy;

* Ensure that all data sent in and out is monitored or even prevented, by email, web mail, FTP, data and file transfer websites (by controlling website access); only essential internet communication should be allowed;

* At the desktop prevent any unauthorized data entering or leaving the network via USB (USB sticks), and fire wire devices (i.e. iPods), CD, DVD, floppy drive, SCSI, Parallel or any of the other ports;

* All employees should be vetted for criminal records and credit history to see if they are a high security risk. Simply put, if you can not manage your own finances you should not be entrusted to manage the financial records of others.

About Paul Henry
Mr. Henry, Sr. Vice President of CyberGuard, has more than 20 years experience with security and safety controls for high-risk environments such as nuclear power plants and industrial boiler sites. In addition to his CISSP certification, Henry holds many other security certifications such as MCP+I, MCSE, CCSA, CCSE, CFSA, CFSO, CISM, CISA, and CIFI.