The Risky Business of Outsourcing
Are companies outsourcing too many of their critical information technology functions and exposing themselves to higher levels of risk?
It has by now become a cliche that information technology is one way to manage risk -- to facilitate the exchange of information, to gather strategic and tactical data. Another way is called outsourcing -- hiring an outside contractor to take over operations formerly run in-house.
So risk management has become a watchword for corporate America. And it's more true in high-tech business, where markets come and go faster than an arctic summer.
But to paraphrase Franklin Delano Roosevelt, in a comment then aimed at the U.S. Navy bureaucracy, if you push down a fluffy pillow in one spot another part of the pillow puffs out in equal measure. So too, perhaps, with risk. By looking to information technology and outsourcing to help reduce economic risk, companies are creating new perils in other areas. "Each computer modem, each fax machine, each cellular phone, each satellite dish that we regard as an indispensable tool of the information age can also be a tool for economic espionage," noted James Woods, chief information officer for Hughes Electronics Corp., at a recent conference on protecting corporate information.
This is no mere doomsaying. In one study, the Department of Defense Security Institute documented alarming and frequent breaches of electronic information security systems between 1987 and 1993. Most disturbingly, these breaches came at high-tech firms and government agencies most equipped, intellectually and technologically, to defend themselves. The list of victims includes AT&T, TRW, Martin Marietta, Grumman, Bell Labs and Pac Tel. Need statistical proof? An Ernst & Young survey of 1,271 companies found more than half suffered financial loss from computer security failures; the Council of Better Business Bureaus calculates losses of $5 billion annually to U.S. businesses due to computer crime; and another industry study recorded more than 900,000 successful computer intrusions in 1994.
Then there's the anecdotal evidence. At one financial services company, an employee electronically transferred $300,000 from the company's account to his own. Aldrich Ames for years tapped CIA databases he wasn't supposed to see.
And what of the dangers of outsourcing? There may be a risk that companies and government agencies are outsourcing the baby with the corporate bath water.
Hughes, for instance, has handed over management of its computer systems to Computer Sciences Corp. The company got $67 million for the assets and it shed more than 1,100 employees from the payrolls. But doubts linger. According to Hughes' Woods, "We are more concerned about what happens down the road, as new personnel without any allegiance to Hughes are hired. The other main concern we have is that our computer files are being co-mingled with those of our competitors -- stored together on the very same computers." The crux is this: If information technology is so strategic, why would the company outsource it? Organizations may find compelling reasons to outsource anyway, but they should at least raise the question, early and often.
As Washington Technology frequently points out, security products such as Internet firewalls, encryption and anti-virus software are widely available. But technology is only partly the answer. Ultimately, managing risk in the information age requires attention from the very highest levels of management, not just the chief information officer in the private sector or the information resources manager in the federal government. So far, when it comes to the perils of electronic information, organizations appear to be sailing far too close to the wind.