It's interesting that the realization comes after the ink has started to dry on the proverbial paperwork.
As others have already pointed out, you have to choose what you are willing to put up with. No solution has zero issues or problems, just different ones.
In all cases, your risk of data/IP theft? Greater than zero. It will never be zero, short of you getting all copies and all people who have had contact with it and locking them in an underground room for all eternity.
* Presumably, you have some form of agreement (written contract) with the outsourced IT group. If you don't, you should _address_ that issue.
* You should have insurance for your company, so that in the event of fraud, theft, etc., and your business goes belly up, you have the means to cover your debts.
* You should be just as concerned about data loss as you are about data theft, i.e., make sure you have enough copies of your data/IP.
Regardless of whether you have in-house staff or outsourced staff, you should have some means of auditing your environment to address and reduce the risks involved. If nothing else, it will give you visibility into the types of areas of knowledge that someone other than your IT admin would know and be able to pick up the pieces should one of the problem scenarios appear.
Assuming you decide you are happy with your current support situation, get them to produce a human-readable run-book for you, so that should they go out of business, bail, or otherwise default on the agreement, you will be able to bring someone in to take over. Schedule time for someone other than the primary support person to use the runbook to perform downtime/maintenance tasks/etc. with the runbook. If there are any issues or problems, have the outsourcing company update it. Make it part of the understood and written agreement. You want to be able to rebuild, in the case of any failures.
Quick summary:
- validate/verify terms of agreement with existing IT support partner
- affirm creation of run-book with support partner and verify that it is valid and up to date with regularly scheduled DR/maintenance tasks
- have an on-site "intern" learn the tasks and serve as your in-house backup IT resource. Presumably, this person can also do double duty, if they happen to be a coder/content developer/PM with prior admin experience, etc. That person is your plan "B". This makes the runbook that much more important.
- NDA(s) and the legal expertise on retainer will help a lot in terms of enforcement and collection on damages, but it will not prevent theft.
- Know what your company's plan "B" is in case of theft. Should you be segregating your information? Should you be encrypting your communication? Is the fact that some of your coders are bringing in USB flash devices and bringing work home a problem in your mind in relation to remote IT support?
There are plenty of issues and potential areas for IP theft/leak/sabotage to occur.
Legal agreements will help you when dealing with another company entity, but those legal agreements will do precious little if the theft/release of your IP causes your business to go down the drain.