Amit Jaju, Ankura Consulting Group on how to reduce cyber, data risks in an outsourced environment
By Amit Jaju
In 2022, firms would have spent more than $700 billion on outsourcing. Global outsourcing spending might reach $731 billion in 2023, with IT services contributing up to 72% of total global outsourced valuations. Cost savings, greater quality, and the freedom to focus on core capabilities can all benefit the buyer of outsourced services. However, there are inherent hazards to outsourcing, one of which is that the buyer loses control over the vendor’s staff, increasing the possibility of fraud. Due to India’s low labour costs and its advantage in highly skilled and trained personnel, outsourcing across different domains and sectors will continue to rise over time in India, making it an appealing arena for fraudsters and white-collar criminals, whose activity can adversely affect a variety of business departments, including IT, HR, marketing, and operations.
Cyber and Data challenges in an IT outsourced environment.
IT outsourcing fraud is one of the most important and prominent areas of focus for enterprises due to concerns about data protection, cybersecurity, moonlighting, and so on. Large IT outsourcing service providers frequently subcontract work to small organizations in order to manage manpower and labour costs more efficiently; however, this increases the risks associated with data leakage and confidentiality.
When several IT service providers and subcontractors are engaged, organizations frequently confront the syphoning off of IT equipment for personal advantage and use. Although many firms keep proper inventory of their IT assets, peripheral inventory of devices such as keyboards, headphones, mice, and so on is frequently neglected.
IT outsourcing compounds matters further because there is insufficient verification data to maintain hardware inventory, and even the data available is sourced from the IT service provider involved in syphoning off the equipment.
Furthermore, even outsourced IT employees have access to critical information such as network maps and architecture, data backups, and in some cases administrative privileges on specific systems, making them an appealing target for cyber-criminals. Several large threat actor groups are known to employ IT employees (both in-house and outsourced) as potential attack vectors for reconnaissance and privileged access.
These issues are exacerbated when businesses outsource their IT infrastructure to shared cloud service providers. The level of risk faced by a company that uses a cloud service provider is a combination of internal risks and risks faced by the cloud service provider. Because of the cloud’s pay-as-you-go model, even minor configuration changes made knowingly or unknowingly by an organization’s outsourced employees can result in significant costs.
Outsourcing Frauds in Marketing
In addition to IT, many Indian businesses have outsourced their marketing responsibilities in order to increase sales and boost their social media presence. There are numerous companies that claim to boost social media followers. While this may appear to be enticing, the only followers you will obtain are fake. Some digital marketing firms even claim to boost your presence on Google search results pages within weeks. They will almost definitely use illegal and unscrupulous ways to accomplish this, as significant improvements in your search rankings might take months, if not years.
Outsourcing content and advertising is also a major concern for large organizations, owing to the political and religious ties of certain ad agencies, which frequently leave a bitter taste or unwelcome controversies for firms to deal with.
Data risks related to HR and Payroll outsourcing.
The human resources department is a vital part of any company and a veritable treasure mine of personal information. Some companies turn to HR outsourcing as a long-term fix to handle all of their HR requirements or to augment their current HR workforce. But when outsourcing is involved, there is a chance that private data, including employee information or internal corporate data, could be exposed to the risk of being secretly shared with HR providers. Organizations must also be wary of recruitment frauds, as well as phony employee or payroll scams.
Payroll fraud is a prevalent type of fraud that occurs when large multinational corporations outsource their payroll and reimbursement processes to third-party service providers. These service providers collect Payroll, Reimbursement, and Expense information from employees and forward it to the parent/headquarters for processing. Many service providers are known to add fraudulent personnel, irrelevant expenses, fake reimbursements, and other items to inflate the amount that is subsequently syphoned off the company’s accounts without verification and a proper maker-checker procedure.
How is moonlighting driven by outsourcing?
Following the COVID-19 outbreak, organizations are grappling with the issue of moonlighting. Moonlighting involves doing a second job in addition to one’s existing full-time job. Because the overwhelming majority of outsourcing service providers employ teams on a contractual basis, outsourcing of various job tasks just aids individuals who moonlight. Moreover, many outsourced projects require employees to operate in different time zones, which, when coupled with work-from-home settings, facilitates moonlighting. While moonlighting is a legally murky area due to present legislation, it is a severe danger to an organization’s cyber security and data privacy. Outsourced staff working for competitors can have serious consequences for business revenue, financials, and data security.
How to reduce Cyber and Data risks in an Outsourced environment?
Vendor Due-diligence: Before onboarding a vendor, it is important to perform thorough due diligence on the vendor in terms of their background checks and IT controls.
Oversight and Accountability: Large corporations sometimes outsource entire teams and departments to third-party entities, leaving little or no room for monitoring and oversight. Instead, organizations must have comprehensive oversight and accountability for all outsourced work. Additionally, subcontracting of work by the initial outsourced service provider must either be discouraged or be accompanied by sufficient security measures.
Vendor audits: Outsourced service providers must undergo quarterly or biannual cyber audits to detect data leaks and vulnerabilities in outsourced employee systems. Playbooks must be created to address eventualities such as moonlighting, distributing credentials on the dark web, fraudulent transactions, and so on depending on the department and services outsourced.
Service Provider Rotation: Another strategy to avoid such scams is to rotate your outsourced service providers every few years or quarters, depending on the criticality of your business functions.
Insurance: Having insurance coverage around any financial loss caused by the vendor helps in case of such occurrences.
The Indian outsourcing business handles customer support and other back-office activities for Western and global corporations across job functions and sectors. The industry is creating jobs at an unprecedented rate, and its revenue is increasing year after year; yet, it is also one of the industries receiving increased scrutiny due to Cyber and Insider threats, and it is particularly susceptible to fraud. With India enacting its own version of the Personal Data Protection Bill, it will be critical for the outsourcing business to adhere to high data and security requirements, thereby averting some of the aforementioned scams.
The author is Senior Managing Director at Ankura Consulting Group (India).
Disclaimer: The views expressed are solely of the author and ETCIO.com does not necessarily subscribe to it. ETCIO.com shall not be responsible for any damage caused to any person/organization directly or indirectly.