As the economy sinks and budgets are squeezed, outsourcing looks more and more like a thrifty necessity. But when it comes to the data security of those far-flung offices, businesses may find they get what they pay for.
A study released Tuesday, compiled from surveys of information technology managers and users in 10 countries, reveals an alarming gap between the information-security practices of developed countries and those of emerging markets like China, Brazil and, to a lesser degree, India.
The research, which was commissioned by Cisco Systems and carried out by research company Insight Express, shows that 75 per cent of Brazilians and 66 per cent of Chinese executives either weren't sure about their employees' data-sharing practices or believed that their employees shared corporate information with those outside the company, compared with 47 per cent of IT managers in the US.
Interviewing users, Insight Express found that Brazilian, Indian and Chinese employees were the most likely to alter or remove security settings on company-issued laptops. Chinese users, in fact, were three times as likely as the average respondent to tamper with their machines' security software. And users from those three countries were also the most likely to engage in other risky behavior on work PCs, including reading personal e-mail, downloading music and video and even peer-to-peer file-sharing, a practice that often spreads malicious software or inadvertently gives outsiders access to sensitive documents.
Given that only 10 nations were included, the study's results shouldn't cast aspersions on India, China and Brazil specifically, warns Cisco's vice president of network security Marie Hattar. But the numbers show that inexperienced IT industries may not share the developed world's emphasis on security and privacy, she argues. "Starting with call centers, companies are outsourcing more knowledge workers than ever to countries like China and India," Hattar says. "But because those countries haven't seen the outbreaks and attacks that happened here five or six years ago, the focus on user education there hasn't been very strong."
Developing-world citizens weren't the only ones to reveal their security idiosyncrasies. More than one-fifth of German users in the survey said they would allow non-employees to wander around their offices without an escort. And more than half of Japanese users said they didn't bother with precautions to guard their data when working in a public setting, measures like speaking softly on business calls or checking for bystanders reading over their shoulder.
But when it comes to practices that make chief security officers cringe, Brazil and China take special honors. Among IT managers, 78 per cent of Brazilians and 84 per cent of Chinese IT managers said their employees used unauthorised software on work computers.
Sixty-three per cent of Chinese IT managers said they'd had to deal with employees gaining access to unauthorised parts of their network or building. And 39 per cent of Brazilians said they'd share their company's sensitive information with friends or family, compared with just 16 per cent of Americans.
The perils of handing precious data to outsourced employees are more than theoretical. In July, the medical records of 45 patients of Grady Memorial Hospital in Atlanta, Ga., were shared on the Internet. The task of managing the data had been outsourced to a Nevada-based contractor who, in turn, outsourced it to a firm in India that posted it to the Web, according to reports by the Atlanta Journal-Constitution.
Privacy consultant Larry Ponemon told Forbes.com in June that he's consulting with a major financial institution under investigation by several states' attorneys general regarding a major data breach. The company, Ponemon says, provided data from 6 million customer accounts to a marketing firm in Southeast Asia. That information later reappeared on a Central Asian site dealing in black-market credit card account numbers.
Outsourcing debacles like these may be contributing to the overall trend in cybersecurity threats: Companies are suffering less from hackers and more from employee gaffes, says IDC analyst Brian Burke.
For the first time this year, IDC's annual information security survey revealed that information security officers were more concerned with stopping employee-caused data breaches than with guarding their networks against malicious software, which had ranked as their top concern for the eight previous years. A report from the Identity Theft Resource Council showed that the fraction of data breach incidents caused by employees intentionally stealing information in the first half of 2008 was more than double that of last year.
IT executives are taking notice, IDC's Burke says. "Information is the world's new currency, and high-profile data leaks have become much more of a driver of IT spending," he says. "So these numbers may raise some alarms for organizations opening offices in locations overseas."