As we emerge from the COVID-19 pandemic, we’re seeing more organisations focusing on their core business and outsourcing the processes that are critical and important, but not core to their operations.
In fact, most business leaders intuitively understand how business process optimisation (BPO) can support them in streamlining their operations and freeing up time and resources for higher priority activities.
Yet, when many begin to explore actually implementing a BPO strategy, the fear of trusting someone else with their customer and financial data stops them before they start.
But is BPO inherently unsafe from a data security perspective? And if it isn’t—as we’ll argue in this article—what questions should organisations ask potential partners to help validate that their data will remain secure?
Canon Business Services ANZ (CBS) currently supports an insurance client with this type of process, which involves extracting member data from insurance forms and sending it to the client’s claims system to be approved or denied.
As automating this process involves capturing personally identifiable information (PII), data protection and information security issues obviously come into play—not to mention regulations like GDPR. If you’re a company currently doing this type of work in-house, it’s easy to see how the compliance requirements associated with outsourcing it might feel like too much of a headache to move forward.
But actually, partners like CBS are well positioned to help customers through that process. Because we’re doing this every day, we have all the required elements in place—including real-time replications, data backups, compliance certificates, and other protections—to manage the process securely.
To understand whether the partner you’re considering is similarly well-prepared to protect your data, start by asking the following eight qualifying questions:
Often, when we work with customers, they have a risk and compliance team—or even just an IT team—that comes in to ensure data will be protected and that we aren’t opening them up to any unnecessary risk. That’s why we have our own information security team in place who can work with customers and either answer their questions or complete their security questionnaire.
Any partner you’re evaluating should be able to tell you how they’ve handled similar situations in the past. If they can’t, consider that to be a red flag.
Whether your data is stored on-site or off-site, your partner should be able to explain to you the access and security controls that are in place to protect the facilities housing your information, as well as whether or not they’re compliant with standards such as the Australian Government’s Protective Security Policy Framework (PSPF), which superseded the earlier Protective Security Manual (PSM), and the Information Security Manual (ISM).
Other important physical security features to look for include least-privilege access policies that limit staff access to secure zones to those who need it, and monitoring (access logs and CCTV, for example) that lets you verify those policies are actually being enforced rather than just documented.
Evaluating partner accreditations can be challenging. Because common standards, such as those published by ISO, are revised periodically (ISO/IEC 27001:2022, for instance, replaced the 2013 edition with a reworked control set), partners need to be compliant not just with a particular standard, but with its current version.
For this reason, it’s a good idea to ask potential partners to confirm which version of each standard they are certified against, when their certificate expires, and whether their most recent audit identified any major or minor non-conformances and how those were closed out.
As with accreditations, encryption standards are constantly being updated to address emerging threats. CBS implements industry-standard encryption and cryptography commensurate with the threat landscape, and as threats continue to emerge and evolve, our team executes processes to update our protocols so that our operations remain as secure as possible. Rather than accepting a generic assurance, ask each partner to state specifically how data is protected in transit and at rest, who holds and manages the encryption keys, and how and when keys are rotated.
Whether or not your organisation operates in a regulated industry, it can be helpful to know which frameworks or standards each partner’s services are compliant with. A rigorous approach to compliance often reflects work done to meet the requirements of top-tier customers in highly regulated markets.
As an example, although CBS is not yet an APRA-regulated entity, we have built our practice to support APRA-regulated customers and their duties under CPS 234 (Information Security). The steps we’ve taken to ensure compliance in this area benefit all of our BPO customers, regardless of whether they’re subject to the same requirements.
Specifically, look for evidence of documentation that:
• Provides for the protection of sensitive information in storage, processing, and transmission
• Is deployed across all areas of the partner’s business, including its supply chain
• Ensures practices are repeatable, continuously improved, and audited by independent third-parties
• Includes provisions to support the evolving security and privacy requirements of customers and regulators
• Defines protocols for investigating and reporting suspected weaknesses or confirmed breaches
If your BPO partner’s infrastructure is compromised, the impact to your operations could be significant. Any reputable provider should be able to walk you through their disaster recovery (DR) and business continuity (BCP) plans, including where backups and replications are hosted, the recovery time and recovery point objectives (RTO and RPO) they commit to, and when those plans were last tested.
Finally, bear in mind that any partner’s security posture is point-in-time. If they aren’t keeping up with new developments and changing best practices, they could put your data at risk.
Potential steps to look for include subscribing to security advisories and threat intelligence feeds, maintaining a PCI SSC or ISACA membership, and conducting monthly reviews or updates of existing practices. Partners who regularly complete client security questionnaires also have an advantage, as responding to those prompts acts as a forcing function to stay up-to-date.
Many of our customers with data security concerns come to take comfort in the fact that BPO is quite normal these days. Big businesses within Australia and globally are increasingly leveraging BPO—and that means that all of the compliance boxes they require have already been ticked for you.
As you move forward, however, make it a priority to not just choose a vendor. Look for a true partner who can be with you for the long haul, who can act in your best interests in an advisory capacity, and who can take the pressure off your team when it comes to meeting compliance standards and regulations.
At CBS, we understand that information security is vital for our customers—and that, in the current climate, it has never been so visible across a business. For us, our customers’ information security is as important as the delivery of our BPO services themselves, which is why we’ve come to be trusted by organisations like Australia’s four big banks. If we can earn their trust, we can surely earn yours.
To learn more about how we support data security throughout our BPO implementations, get in touch with our expert team.