The security of business processes, particularly those based on IT (information technology) systems, is at increased risk when the processes are outsourced, especially during difficult economic times. This chapter examines factors affecting the cyber security of BPO (business process outsourcing) and argues that the combination of effects of outsourcing and the economic environment leads to even greater levels of risk than do the individual components. Suggestions are made as to how the risks might be mitigated.
Risks of Outsourcing
As business processes are moved outside the organization, whether domestically or offshore, they usually become more dependent than before on communications networks that connect the service provider and the client organization. The economics of long-distance and international communications strongly favor the public Internet over private networks. Even when the communicating parties are known and trusted entities and individuals, traversing a public network exposes the systems at both ends to cyber attack by third parties.
Often, outsourced business processes rely on computer systems that were developed for internal use by trusted employees. When a service provider's employees are granted access to these systems, different, and usually narrower, access rights are appropriate. However, the existing systems may not support restrictions on access to sensitive data or on how such data are handled, and the client organization may not even recognize the need to restrict both data access and the functional capabilities that its applications expose.
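The following is an added illustration, not code from the chapter, of the kind of control the paragraph says legacy internal systems usually lack: the same application function returns a full customer record to an internal employee but a masked one to service-provider staff, and money-moving or identity-changing functions are denied to the provider by policy. The record layout, the party names "client" and "provider", the capability table and the sample data are all constructed for the example.

```python
"""Added example: per-party data and function restrictions for an outsourced process.

Models the situation described in the text: an application written for trusted
internal employees returns whole records and exposes every function to every
authenticated user. Once a service provider's staff are given access, the client
needs to restrict (a) which fields they see and (b) which functions they may call.
Everything below (record layout, parties, capabilities, sample data) is constructed
for illustration and is not taken from the chapter.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Constructed sample record, as an internal customer-service system might return it.
SAMPLE_RECORD = {
    "customer_id": "C-1001",
    "name": "Jane Doe",
    "ssn": "123-45-6789",
    "card_number": "4111111111111111",
    "email": "jane@example.com",
    "balance": 1250.00,
}

# Fields shown in full only to the client's own (internal) staff.
SENSITIVE_FIELDS: Set[str] = {"ssn", "card_number"}

# Application functions and the parties permitted to invoke them.
# Assumption for the example: the provider does first-line support, so it may
# view and annotate accounts but may not move money or alter identity data.
# Anything not listed here is denied by default.
CAPABILITIES: Dict[str, Set[str]] = {
    "view_account": {"client", "provider"},
    "add_note": {"client", "provider"},
    "issue_refund": {"client"},
    "change_ssn": {"client"},
}


@dataclass
class Principal:
    user: str
    party: str  # "client" = internal employee, "provider" = outsourcer staff


@dataclass
class AuditLog:
    """Records every authorization decision so the client can review provider activity."""
    entries: List[str] = field(default_factory=list)

    def record(self, principal: Principal, action: str, outcome: str) -> None:
        self.entries.append(f"{principal.party}:{principal.user} {action} -> {outcome}")


def mask(value: str, keep_last: int = 4) -> str:
    """Replace all but the last `keep_last` alphanumerics with '*', keeping separators."""
    alnum_count = sum(c.isalnum() for c in value)
    to_mask = max(alnum_count - keep_last, 0)
    out, seen = [], 0
    for c in value:
        if c.isalnum():
            out.append("*" if seen < to_mask else c)
            seen += 1
        else:
            out.append(c)
    return "".join(out)


def authorize(principal: Principal, action: str, audit: AuditLog) -> bool:
    """Deny-by-default check of whether this party may invoke the named function."""
    allowed = principal.party in CAPABILITIES.get(action, set())
    audit.record(principal, action, "ALLOW" if allowed else "DENY")
    return allowed


def view_record(principal: Principal, record: dict, audit: AuditLog) -> dict:
    """Return the record, with sensitive fields masked unless the viewer is internal staff."""
    if not authorize(principal, "view_account", audit):
        raise PermissionError(f"{principal.user} may not view accounts")
    if principal.party == "client":
        return dict(record)
    return {
        k: (mask(v) if k in SENSITIVE_FIELDS and isinstance(v, str) else v)
        for k, v in record.items()
    }


if __name__ == "__main__":
    log = AuditLog()
    internal = Principal("alice", "client")
    vendor = Principal("bob", "provider")
    print(view_record(internal, SAMPLE_RECORD, log))
    print(view_record(vendor, SAMPLE_RECORD, log))
    print("vendor refund allowed:", authorize(vendor, "issue_refund", log))
    print("\n".join(log.entries))
```

The two points worth noting are the deny-by-default lookup in `authorize`, so that a function added to the application later is not automatically exposed to the provider, and the audit trail, which is what lets the client organization verify afterwards what the provider's staff actually did.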
Another important risk of outsourcing, perhaps the most important, is the human one. A third-party service provider's employees may not have the same commitment to the client company that internal employees have. They may lack an understanding of the client company's business environment and processes, and may have insufficient training in security and privacy. When the service provider is located offshore, further factors must be considered: differences in culture, language, physical and cyber infrastructures, legal and regulatory requirements, time zones, travel distances, and so on.
While there are certainly variations among researchers with respect to specific risk categories and their scope, for the most part there is commonality, as the mapping in Table 1 illustrates.
Table 1. Lists of risk categories from different reference sources
| (Axelrod, 2004) | (Tho, 2005) | (Rost, 2006) |
|---|---|---|
| Loss of control | Loss of organizational competencies | Inadequate governance; Loss of control over key information, crucial knowledge, and technical staff |
| Viability of service provider | Business uncertainty* | Buyer's business continuity |
| Relative size of client and service provider | Dangers of eternal triangle* | Loss of leadership in business relations; Distribution of risks between buyer and seller |
| Quality of service | Service debasement | |
| Empathy | | Underestimating backlash and resistance of the existing in-house team |
| Trust | | Sly and unfair providers; Vendors working for competitors |
| Performance | Possibility of weak management*; Fuzzy focus* | Risk of failed projects; Management of distributed projects might turn out more challenging than expected |
| Lack of expertise | Inexperienced staff* | Outsourcing unsuitable projects |
| Hidden and uncertain costs | Transition/management cost; Increased cost of services; Hidden costs; Endemic uncertainty* | Underestimating communications costs; Dynamic of costs |
| Limited customization and enhancements | Loss of innovative capacity*; Technological indivisibility* | |
| Knowledge transfer | Loss of organizational competencies; Lack of organizational learning* | Loss of control over key information, crucial knowledge, and technical staff |
| Shared environments | | |
| Legal and regulatory matters | Disputes and litigation | International litigation may turn challenging |
| Extrication | Lock-in | |

* Items marked with an asterisk are taken from (Earl, 1996).