Shared from the 2/21/2018 Financial Review eEdition

Offshoring firm’s eye on cyber-secure data


Outsourcing firms must demonstrate their data security bona fides; Inset, Andy King, of Acquire BPO.

PHOTO: SILAS STEIN/ DPA (INSET) VINCENT GARRUCHO

Business process outsourcing is all about controlling costs and boosting productivity by tapping into the global labour market, but all of that rests on a bedrock of security.

For Acquire BPO chief technology officer Andy King, there is one key aspect of security that is non-negotiable.

‘‘You can have as many business processes as you like, and firewalls and routers and antivirus software, but the fundamental is ‘don’t disclose what you don’t have to’,’’ he says.

Outsourcing firms like Acquire have to jump through plenty of hoops to demonstrate their data security bona fides.

The first hoop is the legal requirements in the countries the business spans, including Australia and the US (most of Acquire’s clients are headquartered in these countries), and the Philippines and Dominican Republic (where staff are performing a variety of functions in their delivery centres).

Those laws include data privacy acts in the Philippines and Australia, and the General Data Protection Regulation (GDPR) that will come into force in the European Union (EU) in May.

They also include compulsory disclosure laws, already in place in many countries as well as a number of US states, that enforce transparency when there is a security breach and personal information escapes into the wild.

In Australia, a Notifiable Data Breaches (NDB) scheme will apply from February 22, 2018.

Then there are industry-recognised standards like the Payment Card Industry Data Security Standard (PCI DSS) and SOC (Service Organisation Control) 2, developed by the American Institute of Certified Public Accountants (AICPA) and covering security, availability, processing integrity, confidentiality and privacy.

‘‘If you are going to do business with publicly listed companies in the US they are looking at the SOC 2 standards,’’ King says.

He adds that about half of Acquire’s customers handle credit card information, and look to PCI certification to manage their risk.

‘‘That means a full certification audit across all aspects of your operation including HR and background checking – to your technology, your process and governance, risk management within the organisation. Ultimately this leads to a very simple black-and-white pass or fail.’’

The outsourcing firm has to ensure that the entire operation complies with the highest standard in any of the jurisdictions within its footprint, and that includes laws concerning areas as diverse as medical records, financial services, health insurance and credit card data.

‘‘That’s a big administrative challenge but it ensures that outsourcing goes ‘above and beyond’ when it comes to compliance,’’ King says.

Even so, data security is more than just acquiring certificates and favourable audit reports.

‘‘The thing that we’re trying to avoid is disclosure of information that is outside of what’s necessary to complete the business process,’’ King says. A big part of that process is managing the interface between Acquire’s clients and the agents servicing their customers in another country.

Acquire connects directly to the business systems of its customers, so restricting access to the information they hold is critical.

‘‘With a lot of old software, you used to log into it if you were the customer service agent and you could see everything, absolutely everything,’’ King says.

‘‘Most of that is actually not necessary, so we encourage them to close all that down, mask as much of that data as they possibly can, and only display what they absolutely need to.

‘‘Acquire encourages businesses to keep all their information contained within their enterprise system – so no Excel spreadsheets, no data dumps, no PDF documents full of information. Keep these things within the business system, avoiding aggregation of data. Don’t create lists of customers.’’

At the other end, King says the work process should allow the agents to see only the information that applies to the query being processed.

‘‘The way our infrastructure is designed, an individual agent or PC can only be connected to one customer at a time – we can’t connect multiple customers.’’

And in order to eliminate any competitive conflict, agents are not allowed to service more than one of Acquire’s clients.

There’s more to security than keeping data safe, of course. For firms that move a big chunk of their operation offshore, where adverse experiences can affect the brand and share price, reliable delivery of the service is critical.

‘‘That’s what our technology is designed to do. It’s fundamental to our business,’’ King says.

‘‘We do it by building the same type of network that you would build here in Australia into, for example, the Philippines.

‘‘If you are a large enterprise, you go with two telcos and you run two data centres.’’

King says Acquire does not send its data abroad through the internet.

‘‘Instead, it leases dedicated capacity on submarine cables the same way the biggest global corporations do.

‘‘Our network has the same level of survivability as the big Tier 1 telcos,’’ King says.
