5 key ways to protect data being outsourced
In today’s connected age, data is currency. And for some companies, proprietary information is at the crux of their operations. But like all valuable company assets, data and information are also a target for malicious cyber activity — and an especially vulnerable one when entrusted to a third-party Business Process Outsourcing (BPO) company.
Outsourcing data offers many efficiency advantages. But stakeholder companies also have many reasons to be concerned — 1,093 to be exact. That’s the number of data breaches that occurred in 2016, representing a new record and a 40 percent increase over the previous year, per the Identity Theft Resource Center.
Data breaches within a BPO can wreak havoc on a company’s data while the process of a forensic investigation into the BPO for any reason can throw a wrench into its operations. That’s why having established governance principles, especially when storing your data in a BPO, is vital should your company find itself on either side of an investigation.
Dark Secrets Emerge
It’s not uncommon for stakeholder companies to become entangled in an investigation without having committed any wrongdoing.
Such was the case when FTI was engaged by a commissioner in the Philippines to assist in an investigation. A leading commercial real estate company (CRE) in New York had alleged that its data was being siphoned by a competing business through an offshore BPO company. Computer forensics experts assisted in uncovering something far more sinister: Digital evidence of fraud and proof that a classified ad site was working with the BPO company to solicit sex trade business overseas.
The BPO company’s entire business came to a screeching halt once they found themselves in the crosshairs of the court-ordered raid. A veritable army of a court-appointed commissioner, sheriffs, lawyers, armed guards and FTI’s computer forensics experts stormed the BPO’s facilities and seized hundreds of computers containing terabytes of data.
Meanwhile, the investigation turned up manuals, procedures, schedules of work and invoices, pirating software, virtual private networks and documents showing how the BPO stole the CRE company’s data.
Companies that find themselves engulfed in an investigation due to a negligent or fraudulent BPO can always take reactive measures. However, having a contingency plan that mitigates the need for an investigation in the first place is better practice. You don’t want to be caught asleep at the wheel in these situations. With established governance principles, companies can quickly react, adapt, and resume their work with minimal operational slowdown.
Here are five ways your company can protect its data while working with a BPO and avoid the burdens of an investigation:
1. Know Your BPO
If your company uses a BPO, perform regular audits to ensure it is not engaging in any illegal activity. Due diligence will go far in determining whether there have been previous issues with its human resources, facility, or network security. In the case of the CRE company, FTI found that its competition was using the BPO company to steal its intellectual property.
2. Keep Your Data Separate
After the BPO company was raided, hundreds of computers and other devices were seized from the facility. Make sure there is a stipulation in the contract with your BPO that segregates your data from that of its other clients. That way, during an investigation, your data will remain safe and accessible — especially if the BPO is found to be an accomplice in criminal activities for another client.
3. Pinpoint Your Information
Know the location of all your data. The forensic investigation process is exhaustive and all parties must be accounted for. If you are served a search warrant, and you can locate exactly where the relevant data is stored, you may be able to hand over the precise files, computers, and servers. Doing so will help your company avoid surrendering all its hardware, which would grind operations to a hard stop.
4. Diversify Your Storage
Typically, search warrants only cover devices at a given location. Therefore, it’s a good idea to maintain comprehensive off-site data backup to ensure your business is still standing while the investigation proceeds. Another method might be migrating your corporate data to the cloud to ensure it is not only accessible but can be frequently supervised.
5. Be Proactive, Not Reactive
Conduct regular cyber risk and information governance reviews to mitigate the risk of data theft. Having a routine where security systems are stress-tested will not only ensure a more robust system, but allow your team to develop a protocol should any event arise. Where appropriate, seek independent, external advice, as a third party’s insights could be a major asset in governing your company data.