Outsourcing sensitive or mission-critical data without encrypting it first is like a bank opening a vault and handing out cash on the proviso it be returned in good nick.
Sensitive data is most vulnerable during application testing and development because it changes hands so many times.
Whether data disappears through a malicious or accidental act is beside the point. The fact that it is exposed has to be addressed, and not only for legal reasons.
Compuware Asia Pacific regional director of marketing, Peter Pritchard, said the more points of contact data has, the more files can be left exposed.
"If you intend to outsource application testing it can move from a contained secure environment in [your organization] to being left on an open server, say, in Bangalore," he said.
"The worthiness of a large organization is in the data, and not the applications – it is like a bank opening a vault and offering gold bars to anyone on the proviso they bring them back."
According to a study carried out by the Australian Information Industry Association, nearly one in six Australian organizations has outsourced an IT project or is deciding whether or not to do so.
More than half of those interviewed said they would offshore software development and 41 percent said they were considering offshoring software design.
IT security consultant and forensic expert Ajoy Ghosh said the whole application testing process is currently fraught with potential problems. "Encryption would stop someone intercepting the transfer of data but then the legitimate user needs to decrypt it and what happens at the other end?"
"An outsourcing provider has no way of knowing what they are dealing with is real data.
"I suggest companies create their own test data to give to an outsourcer or developer – the reason is because people are using test data simply because it is easy and no one has to create data that has been formatted correctly for realistic testing."
Peter Barta, principal of outsource consultancy the Everest Group, said he has seen examples of both, but outsourcing companies still hand over raw data, depending on its proprietary nature.
"Generic information may not need security controls but, for example, specialized work in a resources company that has data sent out to be modelled around reserves might need security," he said.