menu close
  • Back

As we emerge from the COVID-19 pandemic, we’re seeing an increase in organisations focussing in on their core business and outsourcing the processes that are critical and important, but not core to their operations.

In fact, most business leaders intuitively understand how business process optimisation (BPO) can support them in streamlining their operations and freeing up time and resources for higher priority activities.

Yet, when many begin to explore actually implementing a BPO strategy, the fear of trusting someone else with their customer and financial data prevents them from developing and deploying a business process optimisation strategy.

But is BPO inherently unsafe from a data security perspective? And if it isn’t—as we’ll argue in this article—what questions should organisations ask potential partners to help validate that their data will remain secure?

A BPO use case: Digitising insurance forms

When understanding the data security risk involved in BPO outsourcing, it can be helpful to walk through an actual use case. As an example, take the digitisation of insurance forms.

Canon Business Services ANZ (CBS) currently supports an insurance client with this type of process, which involves lifting member data off of insurance forms and sending it to the client’s claims system to be approved or denied.

As automating this process involves capturing personally identifiable information (PII), data protection and information security issues obviously come into play—not to mention regulations like GDPR. If you’re a company currently doing this type of work in-house, it’s easy to see how the compliance requirements associated with outsourcing it might feel like too much of a headache to move forward.

But actually, partners like CBS are well positioned to help customers through that process. Because we’re doing this every day, we have all the required elements in place—including real-time replications, data backups, compliance certificates, and other protections—to manage the process securely.

8 Qualifying questions to ask potential partners

To understand whether the partner you’re considering is similarly well-prepared to protect your data, start by asking the following eight qualifying questions:

Question #1: Does the partner have an information security team in place?

Often, when we work with customers, they have a risk and compliance team—or even just an IT team—that comes in to ensure data will be protected and that we aren’t opening them up to any unnecessary risk. That’s why we have our own information security team in place who can work with customers and either answer their questions or complete their security questionnaire.

Any partner you’re evaluating should be able to tell you how they’ve handled similar situations in the past. If they can’t, consider that to be a red flag.

Question #2: Where will my data be stored?

Whether your data is stored on-site or off-site, your partner should be able to explain to you the access and security controls that are in place to protect the facilities housing your information—as well as whether or not they’re compliant with standards such as the Protective Service Manual (PSM), Protective Security Framework (PSPF), and Information Security Manual (ISM).

Other important physical security features to look for include the use of least-access-possible policies to limit staff access to secure zones and the use of monitoring solutions that enable you to verify that access policies are being enforced.

Question #3: What accreditations does the partner hold?

Evaluating partner accreditations can be challenging. Because common standards—such as those published by ISO—are updated regularly, partners need to be compliant not just with particular standards, but also with the most recent version of each standard.

For this reason, it’s a good idea to ask potential partners to confirm which versions they are compliant with, as well as whether their most recent audit identified any major or minor non-conformances.

Question #4: What encryption standards does the partner use?

As with accreditations, encryption standards are constantly being updated to address emerging threats. CBS implements industry-standard encryption and cryptography commensurate with the threat landscape. As threats continue to emerge and evolve, our team executes processes to update our protocols so that our operations remain as secure as possible

Question #5: Which frameworks or standards are the partner’s services compliant with?

Whether or not your organisation operates in a regulated industry, it can be helpful to know which frameworks or standards each partner’s services are compliant with. A rigorous approach to compliance often reflects work done to meet the requirements of top-tier customers in highly regulated markets.

As an example, although CBS is not yet an APRA-regulated entity, we have built our practice to support APRA-regulated customers and their duties under CPS235. The steps we’ve taken to ensure compliance in this area benefit all of our BPO customers—regardless of whether they’re subject to the same requirements.

Question #6: Does the partner have a documented information security management system (ISMS) framework with specific objectives?

Specifically, look for evidence of documentation that:

Provides for the protection of sensitive information in storage, processing, and transmission
Is deployed across all areas of the partner’s business, including its supply chain
Ensures practices are repeatable, continuously improved, and audited by independent third-parties
Includes provisions to support the evolving security and privacy requirements of customers and regulators
Defines protocols for investigating and reporting suspected weaknesses or confirmed breaches

Question #7: How does the partner handle disaster recovery (DR) and business continuity planning (BCP)?

If your BPO partner’s infrastructure is compromised, the impact to your operations could be significant. Any reputable provider should be able to define their disaster recovery (DR) and business continuity plans (BCP) plans for you, including where backups and replications are hosted and how quickly they can be deployed in the event of an incident.

Question #8: What steps does the partner take to stay current with changing data security best practices?

Finally, bear in mind that any partner’s security posture is point-in-time. If they aren’t keeping up with new developments and changing best practices, they could put your data at risk.

Potential steps to look for include subscribing to security news subscriptions, maintaining a PCI or ISACA membership, and conducting monthly reviews or updates of existing practices. Partners who regularly complete client security questionnaires also have an advantage, as responding to their prompts acts as a forcing function for partners to stay up-to-date.

Don’t let data security concerns stop your BPO implementation

Many of our customers with data security concerns come to take comfort in the fact that BPO is quite normal these days. Big businesses within Australia and globally are increasingly leveraging BPO—and that means that all of the compliance boxes they require have already been ticked for you.

As you move forward, however, make it a priority to not just choose a vendor. Look for a true partner who can be with you for the long haul, who can act in your best interests in an advisory capacity, and who can take the pressure off your team when it comes to meeting compliance standards and regulations.

At CBS, we understand that information security is vital for our customers—and that, in the current climate, it has never been so visible across a business. For us, our customers’ information security is as important as the delivery of our BPO services themselves, which is why we’ve come to be trusted by organisations like Australia’s four big banks. If we can earn their trust, we can surely earn yours.

To learn more about how we support data security throughout our BPO implementations, get in touch with our expert team.

Similar Articles

VIEW ALL

Reduce risk while speeding up time-to-value with BPA

Business process automation (BPA) doesn’t have to be inherently risky. Here’s how to reduce risk while also speeding up your time-to-value with BPA.

Don’t Wait for an APRA Penalty to Improve Cloud Security Capabilities

Investing in your cloud security capabilities may not seem like a top priority, but it could put your company at risk. Read on to see why you can't afford to wait.

Driving growth and scale with business process automation.

Business process automation isn't just about efficiency. Read on to learn how developing a BPA strategy can help drive growth and scale at your company.

Predicting the core focus of IT leaders over the next 3 years

IT leaders have faced unprecedented challenges in recent years. But what comes next? See predictions for the next 3 years from Canon Business Services.

IT support services aren’t your core business, so stop doing it

If IT support services aren’t your business, why are you providing them in-house? Read on for how your company can answer this critical question.