Entrusting your company’s data to a BPO? Make sure they’re not involved in any nefarious activities…
n today’s connected age, data is currency. And for some companies, proprietary information is at the crux of their operations. But like all valuable company assets, data and information are also a target for malicious cyber activity — and an especially vulnerable one when entrusted to a third-party Business Processing Outsourcing (BPO) company.
Outsourcing data offers many efficiency advantages. But stakeholder companies also have many reasons to be concerned — 1,093 to be exact. That’s the number of data breaches that occurred in 2016, representing a new record and a 40 percent increase over the previous year, per the Identity Theft Resource Center.
Data breaches within a BPO can wreak havoc on a company’s data while the process of a forensic investigation into the BPO for any reason can throw a wrench into its operations. Additionally, firms are at risk of significant reputational and enterprise value damage as a result of a data breach. That’s why having established governance principles and a proactive risk mitigation strategy, especially when storing your data in a BPO, is vital should your company find itself on either side of an investigation.
It’s not uncommon for a stakeholder company to be adversely affected by an investigation that involves a BPO even when the stakeholder has committed no wrongdoing. Such was the case when FTI Consulting was engaged by a commissioner in the Philippines recently to assist in an investigation.
A leading Commercial Real Estate (CRE) information firm in New York had alleged that its data was being siphoned off by a competing business through an offshore BPO company. During investigations, FTI Consulting’s computer forensics experts helped uncover something far more sinister: Digital evidence of fraud and proof that a classified ad site was working with the BPO company to solicit sex trade business overseas.
The BPO company’s entire business came to a screeching halt once they found themselves in the crosshairs of the court-ordered raid. A veritable army of a court-appointed commissioner, sheriffs, lawyers, armed guards and FTI Consulting's computer forensics experts stormed the BPO’s facilities and seized hundreds of computers containing terabytes of data. Meanwhile, FTI Consulting turned up manuals, procedures, schedules of work and invoices, pirating software, virtual private networks and documents showing how the BPO stole the CRE company’s data.
Companies that find themselves engulfed in an investigation due to a negligent or fraudulent BPO can always take reactionary measures. However, having a contingency plan that mitigates the need for an investigation in the first place is better practice. You don’t want to be caught sleeping at the wheel in these situations. With established governance principals, companies can quickly react, adapt and resume their work with minimal operational slowdown.
Here are five ways your company can protect its data while working with a BPO and avoid the burdens of an investigation:
If your company uses a BPO, perform regular audits to ensure it is not engaging in any illegal activity. Due diligence will go far in determining if there had been previous issues within their human resource, facility, or network securities. In the case of the CRE company, FTI found that their competition was using the BPO company to steal their intellectual property.
After the BPO company was raided, hundreds of computers and other devices were seized from the facility. Make sure there is stipulation in the contract with your BPO that segregates your data from their other client’s. That way, during an investigation, your data will remain safe and accessible — especially if the BPO is found to be an accomplice in criminal activities for another client.
Know the location of all your data. The forensic investigation process is exhaustive and all parties must be accounted for. If you are served a search warrant, and you can locate exactly where the relevant data is stored, you may be able to hand over the precise files, computers, and servers. Doing so will help your company avoid surrendering all its hardware which will grind operations to a hard stop.
Typically, search warrants only cover devices at a given location. Therefore, it’s a good idea to maintain comprehensive off-site data backup to ensure your business is still standing while the investigation proceeds. Another method might be migrating your corporate data to the cloud to ensure it is not only accessible but can be frequently supervised.
Conduct regular cyber risk and information governance reviews to mitigate the risk of data theft. Having a routine where security systems are stress-tested will not only ensure a more robust system, but allow your team to develop a protocol should any event arise. Where appropriate, seek independent, external advice, as a third party’s insights could be a major asset in governing your company data.