Keep your data safe while using outsourced paraplanners
Felcorp Team
December 5, 2022
While technology is revolutionizing how we work, especially for enabling virtual and remote working arrangements, the danger is now on companies with weaker security protections giving opportunity to the raft of cybercriminals targeting Australia.
The Australian Cyber Security Centre (ACSC) released a report in November 2022 detailing the scale of cyber related incidents for the 2022 financial year and their advice to mitigate cyber threats.
Their key findings:
- 76000 cyber crimes reported, 13% increase compared to previous year,
- Medium sized businesses (20 to 200 employees) reported highest average cybercrime cost at $89,000 per incident
- Financial services and insurance industry accounted for 4% of cyber crime reports
In Australia, we also saw an increase in the number and sophistication of cyber threats, making crimes like extortion, espionage, and fraud easier to replicate at a greater scale. The ACSC received over 76,000 cybercrime reports, an increase of nearly 13 per cent from the previous financial year. This equates to one report every 7 minutes, compared to every 8 minutes last financial year.
Outsourcing presents a unique set of challenges with data privacy and protection as one of the key concerns.
Australia is an attractive target for cybercriminals. Our widespread internet connectivity, per capita wealth, and investment structures—such as moveable superannuation accounts and widespread share ownership—are all powerful incentives for cybercriminals.
6 Ways to keep data secure when utilizing outsourcing services
Outsourcing presents a unique set of challenges with data privacy and protection as one of the key concerns.
Due to the nature of tasks commonly outsourced, outsource partners can handle sensitive consumer data such as financial information, id’s, superannuation and insurance. However, with the right offshoring partner, you can feel confident about your business data being safe with their documented data security protocols.
When evaluating an offshore outsourcing service, consider these crucial protections :
1. No work from home policy – Working from home arrangements is one of the quickest and easiest ways to compromise sensitive data. The biggest issue with this arrangement is that staff will inevitably start working in different places, at their friend’s home or even in public places. This significantly increases the risk of a cyber threat as management has no knowledge of the location of the device, who may be accessing it and whether the internet connectivity is secure.
A few years ago, an outsourcing provider had a security incident whereby a work-from-home employee was working in a busy café unbeknownst to the company. The employee had got up from the coffee table to go to the bathroom and left their computer at the table with the screen on and on a browser that had the company’s cloud file storage system. When the employee came back the computer was stolen.
Our advice:
Work from home arrangements is inherently risky as there is less management oversight. Many outsourcing companies employ this approach to save on office costs. We strongly believe this is a lazy and dangerous path to embark on as staff become complacent overtime and begin to test the limits of their freedoms which often increases cyber threats unnecessarily.
Ask the outsourcing provider whether they have a work-on-premises or work from-home policy. If they provide a home arrangement, get clear and detailed answers around how they specifically protect data.
2. USB and External ports disabled on Computer devices – Ensure that your outsourcing providers have USB and external ports disabled across the staff allocated to you. This step helps prevent any malware programs being externally programmed through the open ports in the computer.
Our advice:
USB and external storage ports should be disabled. There is really no need to have external ports accessible in computers. Large files can be easily shared through far more secure cloud file storage systems.
Ask the outsourcing provider whether they have USB and external storage ports disabled across all computer devices.
3. Secure Communication system – Email as a tool for communication is only acceptable if the content does not contain sensitive information, hence if the information was to be leaked, it’s not a major issue. To send across sensitive client information and documents, it is better to have a secure communication to carry out your day-to-day communication and task management.
By having a secure communication portal, they will almost always have stronger data security and privacy protection protocol built into the system compared to email servers. On top of this, you have the added benefits that these portals have full user access, audit logs and 2 factor authentication. Our
Advice:
When using email, it is important that there is a clear company-wide policy that states that email communication is to be used for matters that cannot specifically identify and one individual or send any sensitive information that can cause potential harm if it is in the wrong hands. It is also important that a secure communication and file storage system is enacted so that documents and sensitive information is not transported through email servers.
As an example, Felcorp uses email communication as an internal tool as well as with a handful of clients who prefer to communicate through email for convenience. In this case, we have a very clear company-wide policy stating that all sensitive information must be held in a secure cloud file storage (either Felcorp App or client’s preference) and that email can only be used to deliver information that cannot identify the client we are talking about or share any information that could be classified as sensitive if leaked.
Ask the outsourcing provider what communication and file storage systems they have. Also ask what their email communication policy is.
4. Internet Access & Network Risks – Internet security is often overlooked. With regards to working from home arrangements, this again makes the assessment of internet network risk more difficult when employees are granted this option as management will have no immediate notification or direct controls if there is a network attack or outage. While VPNs, firewalls and restricted internet access all help, the security of the internet network is arguably the most important factor to consider.
Our advice:
All computers should be connected to a secure and verifiable commercial internet network. While this would largely prohibit a work-from-home arrangement, it gives management more options to control internet access and therefore mitigate network cyber threats. We also recommend all computer devices have automatic VPN and firewall systems that cannot be switched off or altered.
Ask the outsourcing provider how their network is protected and what security protocols are in place for internet access and network risks.
5. Use of Password Management Software – Password management software is rapidly becoming a widespread commercial application. With providers such as LastPass leading the charge in cloud password storage, it is becoming easier to store and restrict access to passwords.
One of the keyways that LastPass provides enhanced security measures is that the password owner can hide their login and password credentials when sharing access. This means that when someone needs to access a locked site, the password owner can grant invisible access so that the login and passwords are automatically filled into the input fields without displaying any of the characters of login or password.
Our advice:
We strongly recommend the use of LastPass as the go-to password management software. They are large widely used company with many outsourcing providers (including Felcorp) regularly use.
Ask the outsourcing provider how they protect and share password and what software do they use.
6. Anti-virus detection and prevention systems – End-to-end cybersecurity programs are non-negotiable for all businesses. The level of protection and customisation that is afforded to the newer programs on the market such as BitDefender GravityZone is very high. With the ability to remotely shut down devices across the company network, automatically prevent and destroy malware threats, these systems can be incredibly effective if they are properly set up .
6. Anti-virus detection and prevention systems – End-to-end cybersecurity programs are non-negotiable for all businesses. The level of protection and customisation that is afforded to the newer programs on the market such as BitDefender GravityZone is very high. With the ability to remotely shut down devices across the company network, automatically prevent and destroy malware threats, these systems can be incredibly effective if they are properly set up .
The biggest issue we faced is that the set up and level of customization can make these systems incredibly finicky and frustrating to work. We resolved this issue by engaging with a cyber security consultant to help set this up. Further, we have instituted a policy to review our data security arrangements every 6 months.
Our advice: All outsourcing providers must have commercial grade end-to-end cybersecurity programs in place. On top of this, it should be professionally set up by a cybersecurity consulting firm or a managed IT service that also has the credentials and authority to provide cybersecurity reviews.
Always ask the outsourcing provider what cybersecurity software they use, how they have set it up and how often it is updated.
Want to know more about Felcorp's data security policy suite? Find out
more here.
Felcorp Support helps a local charity supporting children with cancer
Updates to our company policies as at 1 October 2024
Our simplified guide to understanding Felcorp's policies and procedures.
