Data Security & Outsource Service Providers
Successful outsourcing requires successful risk management. Be sure your outsource services provider is doing everything possible to protect the security of your sensitive data.
Business process outsourcing (BPO) offers benefits in the way of cost savings, efficiency gains, and access to specialized knowledge and expertise. However, professional service providers such as CFO services, CPAs, human resources providers and investor relations consultants require access to sensitive data assets to function effectively. In evaluating outsource service providers, it is important to focus heavily on data security and to ensure that the providers’ solutions have security and risk mitigation built in at every level. Indeed, when selecting an executive service provider, data security should be considered a top priority along with other evaluative criteria such as cost or convenience.
Regulatory compliance is a major driver when it comes to the need for data risk mitigation. In recent years, fines and legal sanctions resulting from data breaches – or even the possibility of data breaches – have become more common and far more costly. Lost, leaked or stolen data costs firms and consumers billions of dollars annually. In addition to the financial liability, the PR impact can be enormous, leading to loss of confidence among clients, investors, and the general public.
With this in mind, it is imperative that language around security needs and expectations be prominent and explicit in all outsourcing contracts. Similar to contractual non-disclosure and confidentiality statements, the security terms should leave no gaps or ambiguities that would allow either party to make incorrect assumptions. Specific requirements as dictated by statute, compliance regulations, corporate governance policies, and risk-reduction best practices should be spelled out clearly and completely.
Guard your data assets
While BPO providers continue to address security challenges, it is incumbent on the enterprise executive responsible for the outsourcing partnership to conduct due diligence and maintain awareness about what the provider is doing to ensure data asset security. Some questions to ask include the following:
• How and where are data files being maintained in terms of onsite, offsite and portable devices?
• Who has access to the firm’s data assets?
• What encryption protocol is being used to protect the data assets?
• How, where and how often is the data being backed up?
• What software is being used to manage and manipulate the data?
If the provider delivers services from the cloud, the due diligence should include assurance around the security of the cloud solution.
New data security technologies
The explosion in the use of laptops, notebooks, notepads, smart phones and other mobile devices to conduct business presents special data security challenges. Fortunately, there are new technologies designed to address remote data security that can be built into outsourcing strategies. Some best practices for remote file storage, file sharing, backup and data protection include the following:
Remote wipe-out and device recovery
If a device containing data assets is hacked, stolen, lost or misplaced, the data can be remotely erased and then recovered from a remote server. In addition to wiping the data clean remotely, some services can identify the IP address of the thief.
Continuous online backup
If a device containing sensitive data is lost, damaged or destroyed, or the data itself is compromised or corrupted, continuous online backup ensures that the data is regularly saved on a remote server or in the cloud. Multiple generations of the data can then be recovered.
Back up company data before disaster hits
A review of data security as it relates to working with BPO providers prompts a look at how you’re addressing your ongoing internal data security practices. What if all your company’s data - email, financial records, word documents, database contacts, accounting files, plus everything else on the computer system - were wiped out completely? What would it take to restore or recreate all that data from scratch? Regular data backups are essential to protect against data-loss catastrophe. The backup plan should address the following areas:
• A precise description of the data to be backed up
• The location for the backup
• The frequency of backups
• Regular testing of backup to ensure accurate restoration
• The person responsible for backups
Among a firm’s most critical data assets are financial and accounting records, and they require the most frequent backup, preferably daily.
Contracting with outsource business services partners frequently brings with it the need to share highly confidential and proprietary data. Best data security practices suggest the working relationship and contract include the following guidelines:
• The executive managing the outsource relationship should own the data security issue.
• Query potential contractors on their data security practices and technology.
• Request that contractors provide for backup and remote wipe-out if one of their devices is lost.
• Include language in your contracts with outsourcers to address data security just as you would include language around fees, terms, deliverables and non-disclosure.
Maintaining a laser focus on data asset security is a key differentiator for premier BPOs such as CFO Edge. The use of best practices and cutting-edge technology to provide the best available data security and prevent catastrophic loss of data enables firms to align the cost-savings and efficiency benefits of outsourcing with responsibilities related to risk management and data asset security.