Outsiders Pose a Risk of Insider Threat, Too

by Susan Hall, IT Business Edge
Dec 23, 2008 12:00:00 AM

Every one of a company’s partners, suppliers and outsourcers could be the weak link in protecting the company’s data, according to Harshul Joshi, director for IT Risk and Advisory Services for accounting-services provider CBIZ.

“There’s a lot of people coming in and out of your organization. There’s lots of links, like VPN links or leased lines between your organization and somebody else. You have your security and firewall in your front gate, but there are so many back ends and loopholes out there that can be used by your third-party vendors … We don’t think about all the ways our data can be compromised,” he said.

Even if you call to subscribe to Time magazine, your credit card number is on a tape of the transaction at a call center. And who knows how that tape is secured.

So if it’s tough to ride herd on all your own company’s employees, it’s a nightmare trying to keep tabs on all those workers who aren’t your own employees.

The problem could be as simple as this: a company uses technology that links its payroll system to IT, raising an alert when a worker leaves the job, but a departing worker’s access isn’t terminated because he’s paid by a third-party agency, points out Ellen Libenson, Symark vice president of product management.

Work might be outsourced to a company that outsources it in turn, and that company might outsource it as well, explains Greg Bell, who leads KPMG’s Information Protection Practice.

“You may have four or five parties that touch or come in contact with your data that you don’t have a contractual relationship with. … Usually only after there’s an incident or an audit issue do people think about how they need to have a right to audit even though the data is processed by this third party now,” he said.

According to Ernst & Young's 11th global information security survey, 45 percent of global respondents said they make security requirements part of third-party contracts. At the same time, nearly one-third of respondents said they have no assessments in place to ensure that external partners, vendors and contractors protect their company data.

Through deregulation, Joshi explains, banks also can sell stocks, manage your 401(k) plan and offer you hedge funds. If, say, a bank’s partner Fidelity suffers a breach, all the bank’s data could be compromised as well through the links between them, he said.

And if he wanted to hack into Walmart’s systems, he wouldn’t go in through its Web site, where no doubt security is tight; he’d go in through the system of one of its suppliers in Vietnam, Romania or some other far-flung country, he says.

According to Mark McClain, CEO of identity governance provider SailPoint Technologies, HR and IT tend to see the situation differently: IT wants everyone involved to have access controls and security training, while HR doesn’t consider contractors and other outsiders to be employees.

“A lot of companies are really wrestling with this. … With the shift to software-as-a-service and things like that, a lot of businesses are saying, ‘I need to know specifically who at your shop did this.’”

He says that in outsourcing, originally it was common for banks of people to use a common ID, making many actions untraceable. That wasn’t allowed in-house, and many companies aren’t allowing it anymore with outsourcers.

Meanwhile, the 2009 Security Mega Trends Survey considered outsourcing security one of the top 10 security issues for next year.
