Outsourcing Security Issues
If you’re confused about some of the security ratings we assigned in our A – Z Site Reviews, or if you’re not confident that a particular outsourcing service is as secure as it claims to be, you’re at the right place!
Unbeknownst to us, our computer and Internet security articles, originally purposed as writing samples, couldn’t have played a more important role on this site. We know security plays a significant role in outsourcing, but we never gave it that much attention because for the most part, the type of outsourcing that we focus on – online outsourcing – provides a big chunk of it.
All of the popular outsourcing sites, in fact, provide the security we’ve come to expect from net-connected brand name institutions. And unless a project specifically addresses security, such as a networking project or an anti-virus project, we don’t expect to see it as a requirement.
We simply don’t see an RFP requesting a graphic banner design AND an extended validation SSL certificate, for example, or a bid request asking for both a commercial jingle AND an encrypted TLS connection. Valid SSL certificates, encrypted connections, and all other security amenities are a part of online outsourcing that all of us in this industry have come to expect.
But there’s a problem.
Some online outsourcing services lack even the most basic protections… if they’re not entirely void of them. Critical security measures are MIA, and despite the consequences, some people will use them anyway — not because they don’t care or because they have some weird penchant for taking risks with their personal data. It’s because an outsourcing site’s security isn’t always clear.
Outsourcing Security Can Be Confusing & Hidden
Take a look at how Chrome indicates both secured and unsecured connections, for example.
Can you tell which one of these icons indicates a website that uses SSL… a.k.a, a Secure Sockets Layer…. a.k.a, cryptographic protocols that provide secure communications? Can you tell which icon indicates a website lacking these protocols?
Surprisingly, each one of those icons indicates a website that uses SSL, but only one indicates a safe and secure SSL connection. Google explains the visual difference among those icons on its website security indicators page:
It’s only with this information, embedded in an online help page, that people can adequately determine whether an outsourcing service accepts private information (name, address, credit card number, etc.) in a secured manner. And it’s only through right-clicking the appropriate menus, that people can determine a service’s security certification, as demonstrated below.
It’s also only when accessing a website beginning with https://, people can ultimately access these types of relevant warnings:
An unsecure outsourcing site as displayed in Chrome. 
An unsecure outsourcing site as displayed in FireFox. 
An unsecure outsourcing site as displayed in Internet Explorer.
Even more concerning, it’s only when people enable the proper browser security settings, they can even get these alerts at all.
Chrome’s “Under the Hood” settings.
Outsourcing Security Can Be Faked
Complicating the issue even further, a lesser-known outsourcing service may use a fake SSL certificate to trick a browser into displaying “safe site” icons, and dupe users into thinking it’s secure when it isn’t.
Fake SSL certificates aren’t anything new, and they’re relatively easy to employ by anyone for any reason – even if that reason is nothing more than to appear trustworthy. They’ve been around since the early 2000s as far as we can remember. And although the ability to detect and thwart fake SSL certificates is improving, they continue to exist, they continue to manipulate browsers, and they continue to trick people.
What To Do
First, acknowledge that these outsourcing security issues aren’t going anywhere anytime soon. As long as we have individuals who jump onto the job board bandwagon without fully considering the responsibilities, we’ll always be faced with questionable practices and the outsourcing risks they create as a result.
Second, besides correctly setting your browser’s security options (in addition to updating your anti-virus software), you can refrain from using an outsourcing service that you’re unfamiliar with (or any unfamiliar website for that matter). Do not give a new, hardly used, or unknown service one bit of your personal information until that service has earned a reputation for being safe and secure.
Ask questions. See what others have to say about a site before even thinking about loading it into your browser, and make valid SSL certificates, encrypted connections, and all other security amenities nonnegotiable outsourcing requirements.
With so much news reporting hacking, identity theft, and online crime today, you can’t afford to do anything else.
External Resources:
1. Outsourcing Information Security (Computer Security Series)
2. Outsourcing Security: A Guide for Contracting Services
3. Preserving Privacy in Data Outsourcing (Advances in Information Security)
