Monday, January 12, 2009

The human factor

Many companies base a significant part of their manpower on outsourced workers. This is an effective and convenient way to manage human resources, and in most cases it improves financial efficiency. An aspect that many managers tend to forget is security. Are outsourced workers a source of danger to the company?

This post will anger many readers, I’m sure. After all, millions of people make an honest living as outsourced workers and many companies depend on them. However, the truth must be told, even if unpleasant. Outsourced workers could be a major security threat for the organization in many cases, and history records quite a few cases of serious damage suffered by companies that didn’t take the appropriate measures. No, I’m not saying outsourced workers are treacherous, bad or dangerous. In many cases the opposite is true, because employees whose position is not as secure as that of full-time employees will often outperform others to demonstrate their worthiness. However, the outsourcing model exposes workers, especially in the maintenance field, to certain risks.

One problem stems from the fact that outsourced workers usually make a lot less money than FTEs. The economic pressure makes these employees an easy target for industrial espionage. For example, a known case involved a cleaner who was offered a significant amount in return for visiting his organization's floor printers daily and collecting the printed matter left there by other employees. These print-outs are of random content, but frequently include sensitive material, such as email correspondence, financial reports, future-product info etc. Such a random collection could be extremely valuable for hostile parties, both for industrial espionage and infrastructure penetration. The sum that was offered to that employee was larger than his monthly salary, and you’d be hard-pressed to find people who make $2000 a month and can resist such a temptation. For some of them, this is a unique opportunity to finally get out of debt.

Another problem is that managers often ignore outsourced workers when thinking about their employees, and these workers are often excluded from routine activities. Often they don’t receive email that is sent to other employees (if they even have an account) and are not invited to events and lectures with the rest of the company. These employees might miss the company’s procedures about information security, simply because these were never given to them in an orderly fashion. This is less obvious for technical staff, but in the case of the cleaning crew, administration etc – these people are usually with the company for short periods and often do not receive thorough guidance about the procedures and guidelines. An FTE, for example, is often assigned a mentor or “buddy” for a while, who helps him get acquainted and learn what is permissible and what is not. A cleaner or security guard, on the other hand, often finds himself alone, trying to distinguish right from wrong by randomly asking co-workers or guessing. Such an employee might think that using another’s computer for surfing the web is a reasonable thing to do, just like making a phone call from someone’s phone is legitimate and common. In most companies, a phone call costs money, but is not dangerous. Web surfing, on the other hand, could introduce spyware or a virus to the computer, and that is less pleasant.

It’s important to stress once again that the purpose of this is not to impeach all outsourced workers, but to stress their great importance to the “system”. This requires that they be treated as equals. Even a temporary and low-ranking worker must receive a detailed guide, including the nuances of working at the company, and stressing the aspects of information security and security policies. Besides clarifying the importance of protecting the company values, such sharing of information could strengthen the bond between the employee and the employer, and reduce the temptation to cross the lines. Let’s not forget, by the way, that full-timers could cross the same lines, and there are many recorded incidents where even high-ranking officials succumbed to external pressure, or simply prepared a nest for a rainy day. This leads to one conclusion – there is no alternative to professional risk management procedures, which include identifying risk sources and plugging holes on a personal and systematic level.
