With the rapid evolution of cloud based computing, many organizations face the fundamental question of whether or not they should employ third party solutions to facilitate convenience within their entity. As technology advances, the outsourcing possibilities seem endless. Everything from document collaboration, to payroll, data, and even entire applications and servers can now be managed off site, or in the cloud.
While outsourcing essential functions can provide convenience, the risk accompanying that convenience can not go unanalyzed. When organizations rely on a third party to host their data, or provide critical business functions, they are still responsible for a wide array of matters such as the security, availability, process, confidentiality, and even the privacy of what is hosted by the third party vendor. Furthermore, companies are still liable for any outsourced functions that may have an impact on their own financial statements. While choosing a third party vendor alleviates scores of strain for many companies, their hands are not entirely washed of the related functions. It is essential that business owners do their homework before any contract negotiations begin with a new vendor. Additionally, they should ensure that current vendors are meeting acceptable standards regarding the services they are providing. It is crucial to remember that a vendor's business practices become your business practices.
Life was simple when data was physically housed in your facility, accounting and customer relations functions were processed by your employees, and teams used flip charts and PowerPoint presentations to collaborate. Storing data in the cloud and outsourcing basic functions, such as accounting systems, payroll, and project collaboration, give organizations more flexibility and mobility, but makes data less secure.
Your vendor for any of these services must provide assurance that they are able to secure your data. Your data is only as safe as the vendor’s employees and processes make it. As you negotiate the initial contract, you must be certain that the vendor will be able to protect your data from security breaches, from internal mischief, and from process failure.
By availability, I mean the extent to which your data is available to you 24/7. The vendor must be able to protect your data from problems with their server and power outages, as well as from physical threats. Look for vendors that provide verifiable high availability systems, usually labeled “three nines” for providing system availability 99.9 percent of the time.
The banking industry learned a valuable lesson after Hurricane Sandy hit the northeast in October 2012. Jack Henry & Associates is an S&P 400 company that supports more than 11,000 financial institutions with core processing services. Its processing center in New Jersey was flooded during the storm and could not process banking services for more than 1,300 customers. The damage to Jack Henry’s facility had real and immediate consequences throughout the country. Banks using its services experienced significant delays processing checks and deposits, and some customers did not have access to their funds. Companies couldn’t transfer funds or make deposits to pay employees or vendors.
Ultimately, Jack Henry moved its processing functions to another center in Oklahoma, but not before the closure had a significant impact on its customers. The Office of the Comptroller of the Currency took disciplinary action against Jack Henry for failing to get the processing center up and running in a timely manner, and the company had to conduct a thorough review of its disaster response plans.
Ensuring the physical security of the processing facility and asking about disaster recovery plan were probably not primary considerations for banks negotiating contracts with Jack Henry prior to 2012. It probably is of greater concern now. Every business can learn from this extreme example of a server outage.
My point in telling you this story is twofold: even large companies have issues surrounding their ability to respond effectively to disasters and unforeseen problems, and your data and ability to function is directly related to your vendor’s procedures, quick response and advance planning.
In addition to physical security, of course, is the vulnerability of data transmitted over the Internet. Cyber security from internal and external threats is a growing concern for businesses everywhere. You must ensure that your vendors are doing their best to protect your data and your company.
You should be concerned with your vendor’s normal business processes. Question the vendor’s hiring and background check procedures to be sure the company is hiring reliable employees. Review the processes for changes requested by your company, including the process the vendor uses to grant access for your new employees. Also ask about the process for granting differing levels of access for members of your team. For example, would they allow access to accounts receivable for your accounts payable staff members if anyone from your company asked? Ask them how they determine who has the authority to request access or changes in access.
You require a certain level of trust and confidentiality with employees of your company. Ascertain the level of confidentiality your vendor demands of its employees. You wouldn’t want to outsource a payroll function without knowing the level of protection the vendor can provide. Ideally, you want the same level of confidentiality from your vendor that you expect from your own employees.
Privacy is a concern for any vendor with multiple customers. You want to ensure that your data is isolated from the data of other companies. You want your vendor to ensure that your data is discreet and that another customer cannot access it, accidentally or by design.
One final piece of advice is to consult legal counsel to determine who owns your data after it is transferred to an outside vendor. In most situations in the United States, you own the data regardless of where it is stored. Rules vary, however, in countries outside the U.S. Sometimes, determining the ownership and location of a company isn’t as straightforward as it could be.
A good place to start is to request a SOC report from a potential vendor. SOC 1 reports cover outsourced services that have an impact on the financial aspects of your company. SOC 2 reports address the issues I’ve discussed in this blog. These reports are one of the best ways to start researching potential vendors and oversee the work of current vendors. After all, you have outsourced the function, but the responsibility to oversee it is still yours.
For weekly insights from the Horne Cyber team, please sign up here: