Cybersecurity Risks in Outsourcing Strategies
Academia Letters, November 2021 ©2021 by the author — Open Access — Distributed under CC BY 4.0

In today's globally interconnected world, organizations in both the private and public sectors rely on outside providers to fulfill their supply chain needs, whether for software, information technology, services, products, or partial components of these deliverables. They may themselves become providers to other enterprises, leading to a more complex supply chain. With that, an enterprise loses visibility into and control over its supply chain, assuming the providers' known and unknown risks in addition to its own known and unknown risks. This paper discusses outsiders' threats in outsourcing strategies while recognizing the existence of insiders' threats.

In fact, outsourcing has become a ubiquitous business process in which organizations relinquish lower-value functions such as payroll, or even parts of the value chain that are more central to their business processes (Buia et al., 2018). With the main motives for outsourcing being cost reduction and specialized expertise in lower-value or peripheral functions, there is an increased risk that an enterprise's capabilities will be exceeded by one or more of its providers in a data- and intelligence-driven world. It is increasingly hard for companies to disassociate themselves from the digitized supply chain ecosystem. What might have started as a business-effective and efficient arrangement could turn into an unhealthy dependency, threatening competitive advantages and strategic plans at the business level and, far more critically, at the cybersecurity level, extending to personal data loss, financial loss, compromise of product integrity or safety, or even threats to life (Boyens et al., 2021). The National Institute of Standards and Technology (NIST) considers that the cyber risks associated with the loss of visibility and control over the supply chain can be significant, ranging from the inability to determine the primary source of a piece of hardware embedded in an organization's physical infrastructure, or the provenance and risks associated with a piece of software in the digital infrastructure, to the problem of contractors and consultants having access to its critical data and trade secrets. These ranges of risks associated with Cyber Supply Chain Risk Management (C-SCRM) have come to be known as the cybersecurity aspects of C-SCRM. They have evolved from simply targeting Information and Communication Technology (ICT) supply chains to cover the outsourcing of digital products and services.
With more businesses going digital and moving their operations to the cloud environment, the effects of a cybersecurity event are amplified. Threat actors are targeting cyber-mature organizations through their third-party suppliers to take advantage of this weakness. Organizations cannot fairly assess and secure the whole landscape of their potential exposure, as the field extends beyond their own infrastructure to encompass parts of their suppliers' chains, which are linked in turn to other suppliers' chains. This complexity amplifies the magnitude of any cyber breach. The recent supply-chain ransomware attack leveraging a vulnerability in Kaseya VSA software against multiple Managed Service Providers (MSPs) and hundreds of their customers is the latest example of the striking reach of such risk events and their butterfly-effect damages (CISA, 2021). Barrett (2021) explains that hacking an MSP that provides IT services to companies preferring to outsource such activities is akin to stealing a bank manager's skeleton key rather than cracking a single safe deposit box. An MSP is often compared to a mother ship for small and medium-sized organizations; according to John Hammond, a cybersecurity researcher at Huntress, the Kaseya breach equates to attacking the mother ships of all the organizations dependent on the affected MSPs. The extent of the damage is still unknown. This highlights that the risks of the extended supply chain and of outsourcing strategies are high and still not fully understood or controlled by organizations as they move parts of their operations and systems into the digital world and decide to outsource these components. Mead et al. (2009) address the risks of globalization and its impact on the supply chain under outsourcing strategies. They weigh the cost/benefit argument against the security of software developed elsewhere, beyond quality and liability factors. They base their research on the outsourcing models defined by Shao & David (2007). The four main models focus on the Information Technology sector but can serve as an example applicable to other sectors. Under these four models, the outsourcing strategies are:
1) Onshore In-Sourcing, where all services are kept in house with more control and visibility into the processes and security,
2) Onshore Outsourcing, where both clients and providers are domestic. This is the most used outsourcing strategy,
3) Offshore In-Sourcing, carried out by large intercontinental companies that set up part of their chain and operations abroad in less developed countries, such as India, to capitalize on low labor costs or proximity to materials and markets, and
4) finally, Offshore Outsourcing, which combines a foreign location with an external supplier.
Different models of outsourcing strategies, identified earlier by Lacity & Hirschheim (1993), focused on:
1) body shop, adequate for short-term needs such as contracting programmers managed by internal staff,
2) project management, where the parent company outsources and staffs the project, such as contracting out a disaster recovery project, and
3) finally, total outsourcing, where the provider is in total control of most of the work involved.
Clearly, there are significant cost reductions when outsourcing is adopted; however, the cyber risks need to be considered as well, along with whether they can be mitigated and at what cost. These concerns are similar to classic concerns in a project: physical risk, insiders' threats, and development and implementation risks resulting in flaws. Admittedly, these concerns are not unique to outsourcing, but the assumption is that internally they can be more visible and accessible, and potentially addressed adequately and in a timely manner. Mead et al. (2009) argue for a capability certification, given the multitiered arrangements in software, services, and products contracting. Understanding and assessing vendors' competencies and security processes helps rank vendors and ultimately record them in a repository, such as ISO, to ensure there is a common basis for accrediting trusted vendors worldwide. The authors emphasize the need to make sure that a supply chain underwriting complex and sensitive work is free of weak links. This concept is mirrored by Benaroch (2020), who advocates market-based trust involving market mechanisms that reward and penalize IT outsourcing (ITO) service providers, and the need to obtain cybersecurity certifications from independent, trusted third-party agencies to remedy outsourcing cyber risks. Benaroch (2019) outlines the cybersecurity risks in the ITO context, exacerbated by the following factors:
1) Inability to quantify providers' cyber risk exposure due to lack of knowledge of vulnerabilities, potential damage, and frequency. Since risks arise from the providers' partners' supply chains, the exposure is more diverse and evolving, making it less predictable,
2) Liability asymmetry: ITO providers seek to disclaim liability to avoid paying damages exceeding the revenue generated. Clients are concerned that ITO providers do not have enough incentives to protect clients' data and systems vigorously,
3) Opaque supply chains: ITO supply chains involve increasingly complex systems and operations where lack of visibility limits the potential to control cybersecurity risks,
4) Growing regulatory demands in the US, UK, EU and elsewhere make it almost impossible for ITO providers to be compliant with all regulatory requirements as data and services flow between regulatory perimeters, and
5) Strategic imperative: most organizations, including governments, do not consider cybersecurity an operational concern but rather a strategic imperative, due to the data handled and the potential of being targeted by threat actors imperiling national security and public trust.
The author proposes managing ITO client-provider cybersecurity risks by establishing a client-provider trust approach based on either the transparency-based view, the decision-theoretic view, or the market-based view, and ultimately pushes for adoption of the market-based view. Cezar et al. (2014) study the case of outsourcing both prevention and detection contracts to a managed security service provider (MSSP), which might discourage the MSSP from performing the former. The alternative is to outsource each function to a different MSSP, which eliminates the complementarity benefits of these functions. They propose a substitute model based on a reward component plus a penalty and a fixed fee to alleviate the cybersecurity risks associated with outsourcing IT detection and prevention functions. Borg (2010) has identified the following consequences of cyberattacks for the cyber supply chain: operations interruptions, operations corruptions, operations discreditation, and operations loss. Pandey et al. (2020) identify cybersecurity risks in global supply chains ranging from piracy and vandalism to sabotage and riots, arguing that external threat actors can procure support from insiders who breach security frameworks and provide authentication credentials for illicit actions. They categorized supply chain (SC) risks into external risks and internal risks, and identified the following cyber risks related to supply chains: partner trust, information theft, failure of IT equipment, counterfeit products, product specification fraud, manipulation of data, poor cryptographic decisions, and poor protection in transit. Another major risk is the untrustworthiness of the contractor. More specifically, the suppliers' risks identified relate to inaccessibility of suppliers, theft of credentials, breach through the vendor network, and finally modification of the code via malware injection. Such risks are added to the operational risks and the customers' risks.
In summary, outsourcing strategies are a major source of cyber risks. This paper considers the outsiders' threats embedded in outsourcing strategies. When companies outsource IT or other functions, they change their risk profile to assume the providers' risks incorporated in the extended supply chain, along with the uncertainties and opacities that constitute an intrinsic part of it. Research indicates that a client-provider trust relationship can improve the management of cybersecurity risks in the supply chain and mitigate the risks in the outsourcing decision-making process.
References
[1] Buia, C., Heynning, C. & Lander, L. (2018, August). The Risks and Rewards of Outsourcing. McKinsey & Company.
[2] Boyens, J., Paulsen, C., Bartol, N., Winkler, K. & Gimbi, J. (2021, February). Key Practices in Cyber Supply Chain Risk Management: Observations from Industry. https://nvlpubs.nist.gov/nistpubs/ir/2021/NIST.IR.8276.pdf
[3] CISA (2021, July 4). CISA-FBI Guidance for MSPs and their Customers Affected by the Kaseya VSA Supply-Chain Ransomware Attack. https://us-cert.cisa.gov/ncas/current-activity/2021/07/04/cisa-fbi-guidance-msps-and-their-customers-affected-kaseya-vsa
[4] Barrett, B. (2021, July 2). A New Kind of Ransomware Tsunami Hits Hundreds of Companies. WIRED.
[5] Mead, N., Allen, J., Conklin, W., Drommi, A., Harrisson, J., Ingalsbe, J., Rainey, J. & Shoemaker, D. (2009). Making the Business Case for Software Assurance. https://www.academia.edu/49327508/Making_the_Business_Case_for_Software_Assurance
[6] Shao, B. & David, J. (2007). The impact of offshore outsourcing on IT workers in developed countries. Communications of the ACM, 50(2), 89–94. https://doi.org/10.1145/1216016.1216026
[7] Lacity, M. C. & Hirschheim, R. (1993). Information Systems Outsourcing. John Wiley & Sons. ISBN-13: 978-0471938828
[9] Benaroch, M. (2019). IT Service Providers and Cybersecurity Risk. The Armed Forces Comptroller, 64(4), 50–54.
[10] Cezar, A., Cavusoglu, H. & Raghunathan, S. (2014). Outsourcing Information Security: Contracting Issues and Security Implications. Management Science, 60(3), 638–657. https://doi.org/10.1287/mnsc.2013.1763
[11] Borg, S. (2010). Securing the Supply Chain for Electronic Equipment: A Strategy and Framework. Internet Security Alliance, Arlington County.
[12] Pandey, S., Singh, R. K., Gunasekaran, A. & Kaushik, A. (2020). Cyber security risks in globalized supply chains: conceptual framework. Strategic Outsourcing, 13(1), 103–128. https://doi.org/10.1108/JGOSS-05-2019-0042