losing sight of control over data security by handing it over to an outside service provider. Companies nowadays use remote access, wireless technology, and social media to share data. As the network becomes more widely distributed with the increased use of these tools, the risk of security breaches also rises. If these are not handled properly, your firm will become vulnerable to threats and disruptions.

Corporate Intrusion

Just recently, the American multinational bank JPMorgan Chase & Co faced a cyber-attack that is believed to have exposed the names, addresses, phone numbers and email addresses of the holders of some 83 million accounts, making it one of the largest data breaches in history. The New York Times reported that the bank had failed to apply a basic data security measure intended to prevent this: a multi-factor authentication scheme, two-factor authentication, which provides unambiguous identification of users by combining two different components, e.g. something the user knows, something the user possesses, or something that is inseparable from the user. Most big banks require a second, one-time password to gain access to a protected system. What left the bank vulnerable to this intrusion is that JPMorgan’s security team had neglected to upgrade one of its network servers to the dual password scheme, according to people briefed on the matter. Even worse, it took some time before JPMorgan addressed the issue, even after discovering earlier that hackers had stolen an employee’s login credentials.

Improving Data Security

While these hackers did manage to gain high-level access to more than 90 bank servers, they were stopped before they could steal further private customer financial information. JPMorgan has now set up a “business control group” of about a dozen technology and cybersecurity executives to assess the fallout and to prevent hackers from breaching its network in the future. The group has been holding meetings once every few weeks.

When you decide to outsource critical business processes to a third-party service provider, part of the outsourcing agreement is the risk mitigation strategy in the company’s Business Continuity & Disaster Recovery Plan. You and your outsourcing vendor actually share responsibility for risk management. Most service providers have invested significantly in technology to manage data security, so you can be sure that they will work on minimising the likelihood and impact of possible interruptions. In addition, consider these tips when outsourcing business processes to a third-party service provider:
- Define governance structure – Before entering an outsourcing agreement, your firm should form a consistent and stable governance team that will manage each phase of the outsourcing relationship.
- Require transparency – The agreement should require the vendor to be transparent about the security policies it follows, and those policies should be evaluated regularly.
- Enforce compliance – Companies should express clearly the importance of compliance with internal, regulatory or industry practices. Adhere to the principle of least privilege as a guide.
- Maintain open communication – Your firm must demand an immediate notification in the event of a suspected breach in order to address it right away.
- Insist on post-mortem analysis – Your firm must urge the provider to perform, or at least assist in producing, a post-mortem root cause analysis of each factor that contributed to a lapse in security, should one occur.