ISM robbery stokes outsourcing debate

Authorities in Regina earlier this month found the hard drive that went missing from services firm ISM Canada Inc., which contained the personal information of millions of Canadians.

According to police, the hard drive that disappeared Jan. 16 from ISM’s Regina offices carried a variety of information, including personal customer account information of a unit of the Co-operators Group Ltd., of Saskatchewan Telecommunications, of Saskatchewan Power Corp., of the Investors Group Inc. and many other Manitoba-based businesses.

While authorities were keeping mum at press time on where the disk was found and the identity of the culprit charged in connection with the missing disk, Sergeant Rick Bourassa of the Regina police department confirmed that one individual is in custody. He added that there is no evidence to suggest any of the information contained on the disk was used maliciously.

ISM, a division of IBM Canada Ltd., offers security services to clients, including many government agencies and private businesses. So far, Investors Group and the Saskatchewan government have terminated their dealings with ISM until the company can prove the data it handles is secure.

Despite the good news of having the disk back, the security breach has cast outsourcing options in a negative light, and has one expert offering assurance that a single incident does not reflect the state of all outsourcing services.

“Personally, I think it is a real stretch to make the conclusion that outsourcing puts you at more of a risk than keeping IT in house,” said Dan McLean, director of utility research and IT outsourcing with IDC Canada Ltd. in Toronto. “The inference has been that this is going to have a bad impact on outsourcing no matter how you slice it. It is just because the circumstance was that this was an outsourced situation.”

McLean explained that businesses in general have historically been wary of outsourcing due to the risks involved. However, he added that the risks usually pertain to loss of control over operational aspects of a business, not necessarily security.

“When you have information stored on any number of hard drives out there, there is a vulnerability to it,” he continued. “The association that is trying to be made is through the inherent risk in outsourcing. But there is a risk in computing. Because there was a breach in security, does that in a sense make all outsourcing situations equally risky? I don’t believe that for a second.”

As far as WhiteHat Inc., an information technology security provider in Burlington, Ont., is concerned, it was improper procedures, not outsourcing, that caused the breach in security at ISM.

WhiteHat CEO Rosaleen Citron told Network World Canada that the key is in the fine print of the outsourcing agreement. She explained that boundaries and determinations should be clear to establish a plan of action in the case of a compromise in security.

Citron also recommended that companies looking to outsource should question not just where their data is being kept, but how it is being kept, referring to ISM’s decision to load several companies’ information on a single drive.

Another issue brought to light by the recent incident is the question of physical security, or the lack thereof, in corporate environments.

“Everybody is worried about someone attacking you in a cyber fashion,” Citron said. “But, the simple fact is when someone picks up a hard drive and walks out with it, what is the devastation of that? Well, we’ve just seen it. People outsource in most cases because it will save them money. What do you think this [incident] is now going to cost? We are looking at lost business and falling share prices. You really have to think of everything and anything and put it in the contract.”