The recent WannaCry ransomware attack has reminded all enterprises that they need to be vigilant about cyber security; in this case, it is company data that is at risk.
The first infection struck on May 12, hitting computers at Britain’s National Health Service and Spanish telco Telefonica. Over 300,000 machines have since been infected in 150 countries. In Singapore, electronic signboards in several malls were compromised, though critical information infrastructure has remained unaffected so far.
Once a computer is infected, the malware encrypts the files on it. It posts a message demanding payment to decrypt these files and threatens to wipe out your precious data if it does not get paid, complete with a timer to pile on the pressure to comply.
This episode has brought to the forefront the importance of cyber security in running a business today. Companies need to tighten up their internal data security measures, but this only mitigates the risk of attack to some extent since organisations operate with a spectrum of external parties, such as customers, suppliers and vendors.
Many even outsource non-core functions to Business Process Services (BPS) providers to reap the benefits of reduced costs, improved productivity and added expertise.
This leaves open a vulnerability organisations need to address. Those working with BPS providers need to examine the robustness of the safeguards their partners have in place. Physical security, network security and manpower security are three important angles to check.
Physical security refers to measures ensuring that building facilities are protected from unauthorised entry. The offices of BPS providers should have access controls such as biometric or card-access entrance systems, log all visitors, and require visitors to be accompanied by authorised personnel within the premises. Cameras and security guards act as additional layers of assurance.
The flow of information across computer networks has been a boon for corporations but is also an Achilles heel. How can information be kept secure without impeding business performance?
Firewalls and intrusion detection systems are some of the technologies used to prevent malicious access and penetration into computer systems. In addition, segregation of data, equipment and infrastructure, together with password controls such as multi-factor authentication for sensitive information, prevent failures. Check that your BPS provider adheres to industry security standards.
People security is potentially the most critical and yet most difficult aspect to control. While investments can be made to put in place physical and network security systems, technology can only go so far in preventing cyber-attacks. The WannaCry attack illustrates precisely this: it was a computer user who opened an email attachment that allowed WannaCry into the system.
To mitigate manpower risk, well-established BPS providers have the capabilities to include employment reference and criminal background checks in their hiring processes as necessary. If sensitive information is involved in the work they do, background checks can drill deeper, encompassing credit checks and verifying academic credentials.
However, even a verified employee can fall prey to tricks employed by hackers. Here, training on information security policies and procedures will make the critical difference as to whether that employee clicks on a malicious attachment or visits an unsecured web page. At KellyOCG, we adopt a continuous approach to such training to ensure our staff are updated on the latest measures and are constantly reminded of the need for vigilance.
People risk must be managed since organisations depend on their people for their success. This is true also for your BPS provider, which recruits, motivates and retains its talent so that it can deliver top-notch work to you. The partner is also conscientious in ensuring your information and networks remain secure. Your prospective BPS provider must be able to thoroughly explain its process to protect your information and have a comprehensive plan to not just fulfil your business requirements but meet your security needs.