menu close
  • Back

As we emerge from the COVID-19 pandemic, we’re seeing an increase in organisations focussing in on their core business and outsourcing the processes that are critical and important, but not core to their operations.

In fact, most business leaders intuitively understand how business process optimisation (BPO) can support them in streamlining their operations and freeing up time and resources for higher priority activities.

Yet, when many begin to explore actually implementing a BPO strategy, the fear of trusting someone else with their customer and financial data prevents them from developing and deploying a business process optimisation strategy.

But is BPO inherently unsafe from a data security perspective? And if it isn’t—as we’ll argue in this article—what questions should organisations ask potential partners to help validate that their data will remain secure?

A BPO use case: Digitising insurance forms

When understanding the data security risk involved in BPO outsourcing, it can be helpful to walk through an actual use case. As an example, take the digitisation of insurance forms.

Canon Business Services ANZ (CBS) currently supports an insurance client with this type of process, which involves lifting member data off of insurance forms and sending it to the client’s claims system to be approved or denied.

As automating this process involves capturing personally identifiable information (PII), data protection and information security issues obviously come into play—not to mention regulations like GDPR. If you’re a company currently doing this type of work in-house, it’s easy to see how the compliance requirements associated with outsourcing it might feel like too much of a headache to move forward.

But actually, partners like CBS are well positioned to help customers through that process. Because we’re doing this every day, we have all the required elements in place—including real-time replications, data backups, compliance certificates, and other protections—to manage the process securely.

8 Qualifying questions to ask potential partners

To understand whether the partner you’re considering is similarly well-prepared to protect your data, start by asking the following eight qualifying questions:

Question #1: Does the partner have an information security team in place?

Often, when we work with customers, they have a risk and compliance team—or even just an IT team—that comes in to ensure data will be protected and that we aren’t opening them up to any unnecessary risk. That’s why we have our own information security team in place who can work with customers and either answer their questions or complete their security questionnaire.

Any partner you’re evaluating should be able to tell you how they’ve handled similar situations in the past. If they can’t, consider that to be a red flag.

Question #2: Where will my data be stored?

Whether your data is stored on-site or off-site, your partner should be able to explain to you the access and security controls that are in place to protect the facilities housing your information—as well as whether or not they’re compliant with standards such as the Protective Service Manual (PSM), Protective Security Framework (PSPF), and Information Security Manual (ISM).

Other important physical security features to look for include the use of least-access-possible policies to limit staff access to secure zones and the use of monitoring solutions that enable you to verify that access policies are being enforced.

Question #3: What accreditations does the partner hold?

Evaluating partner accreditations can be challenging. Because common standards—such as those published by ISO—are updated regularly, partners need to be compliant not just with particular standards, but also with the most recent version of each standard.

For this reason, it’s a good idea to ask potential partners to confirm which versions they are compliant with, as well as whether their most recent audit identified any major or minor non-conformances.

Get in touch

Talk to us today to optimise your operations.

Contact Us

Question #4: What encryption standards does the partner use?

As with accreditations, encryption standards are constantly being updated to address emerging threats. CBS implements industry-standard encryption and cryptography commensurate with the threat landscape. As threats continue to emerge and evolve, our team executes processes to update our protocols so that our operations remain as secure as possible

Question #5: Which frameworks or standards are the partner’s services compliant with?

Whether or not your organisation operates in a regulated industry, it can be helpful to know which frameworks or standards each partner’s services are compliant with. A rigorous approach to compliance often reflects work done to meet the requirements of top-tier customers in highly regulated markets.

As an example, although CBS is not yet an APRA-regulated entity, we have built our practice to support APRA-regulated customers and their duties under CPS235. The steps we’ve taken to ensure compliance in this area benefit all of our BPO customers—regardless of whether they’re subject to the same requirements.

Question #6: Does the partner have a documented information security management system (ISMS) framework with specific objectives?

Specifically, look for evidence of documentation that:

Provides for the protection of sensitive information in storage, processing, and transmission
Is deployed across all areas of the partner’s business, including its supply chain
Ensures practices are repeatable, continuously improved, and audited by independent third-parties
Includes provisions to support the evolving security and privacy requirements of customers and regulators
Defines protocols for investigating and reporting suspected weaknesses or confirmed breaches

Question #7: How does the partner handle disaster recovery (DR) and business continuity planning (BCP)?

If your BPO partner’s infrastructure is compromised, the impact to your operations could be significant. Any reputable provider should be able to define their disaster recovery (DR) and business continuity plans (BCP) plans for you, including where backups and replications are hosted and how quickly they can be deployed in the event of an incident.

Question #8: What steps does the partner take to stay current with changing data security best practices?

Finally, bear in mind that any partner’s security posture is point-in-time. If they aren’t keeping up with new developments and changing best practices, they could put your data at risk.

Potential steps to look for include subscribing to security news subscriptions, maintaining a PCI or ISACA membership, and conducting monthly reviews or updates of existing practices. Partners who regularly complete client security questionnaires also have an advantage, as responding to their prompts acts as a forcing function for partners to stay up-to-date.

Don’t let data security concerns stop your BPO implementation

Many of our customers with data security concerns come to take comfort in the fact that BPO is quite normal these days. Big businesses within Australia and globally are increasingly leveraging BPO—and that means that all of the compliance boxes they require have already been ticked for you.

As you move forward, however, make it a priority to not just choose a vendor. Look for a true partner who can be with you for the long haul, who can act in your best interests in an advisory capacity, and who can take the pressure off your team when it comes to meeting compliance standards and regulations.

At CBS, we understand that information security is vital for our customers—and that, in the current climate, it has never been so visible across a business. For us, our customers’ information security is as important as the delivery of our BPO services themselves, which is why we’ve come to be trusted by organisations like Australia’s four big banks. If we can earn their trust, we can surely earn yours.

To learn more about how we support data security throughout our BPO implementations, get in touch with our expert team.

Similar Articles


What are the advantages of Microsoft Azure

Discover the advantages of Microsoft Azure: Scalability, security, cost-efficiency, and innovation. Learn how Azure enhances operations and drives digital transformation in New Zealand.

The impact of AI on business productivity

Discover the artificial intelligence's impact on business and how it revolutionises operations. Protect your business data with CBS New Zealand's expert insights now!

What is Security Automation?

Learn how automated security transforms cybersecurity, making it simpler and more efficient. Protect your business data with CBS New Zealand’s expert insights now!

What are the effective Azure cost optimisation strategies

Maximize Azure efficiency for your New Zealand organisation. Reduce costs, optimize resources, and align spending with business goals using our expert strategies and tools!

What are the benefits of penetration testing?

Gain confidence in your digital security with the benefits of penetration testing. Enhance cybersecurity, identify vulnerabilities, and fortify your defences with CBS New Zealand's expert insights now!

What are the challenges of AI in financial services

Discover challenges of AI in finance, tackling bias, security, and integration for ethical, efficient financial services. Protect your business data with CBS New Zealand's expert insights now!

Cybersecurity Threat Detection: Proactive strategies

Stay ahead in cybersecurity with our 2024 guide on threat detection. Learn advanced technologies & response plans to protect your business against threats with CBS New Zealand.

Navigating Information Security Frameworks

Explore essential information security frameworks to safeguard your data. Protect your business data with CBS New Zealand's expert insights now!

Ultimate guide to internal penetration testing

This Internal Penetration Testing guide covers techniques, analysis, and best practices for identifying vulnerabilities & strengthening your cyber defense in New Zealand.

The Threat Intelligence Lifecycle explained

Discover how to navigate the Threat Intelligence Lifecycle in 2024. Our guide covers phases, analysis, and best practices for cybersecurity decision-making in New Zealand.

What are the latest cyber threats and defense strategies?

Enhance cybersecurity, identify vulnerabilities, and fortify your defences with CBS New Zealand's expert insights now!

Understanding Blue Teams in cybersecurity

Explore Blue Teams' pivotal role in cybersecurity: their defense strategies, Red Team collaboration, and trends with CBS New Zealand's expert insights now!