During the COVID lockdowns, offshore business processing offices (BPOs), like every other business, were left with only one option: send employees home to work remotely. Whether their facilities could not implement the requirements for a safe working environment or the local government required them to disperse the workforce, it happened. Many organizations scrambled to adapt quickly so that work could continue under pandemic restrictions with minimal interruption, not only for their own organizations but also for the organizations they support.
With COVID restrictions now lifted in most countries, the return to the office for Offshore Delivery Centers (ODCs) has begun in many cases. However, these BPOs face the same challenge their customers face in attracting and retaining talent post-COVID, as many workers prefer to work either hybrid (some days in the office, some at home) or fully remote.
If organizations want the best talent and service from their BPO vendors, allowing those vendors to operate in a hybrid or remote setting is going to be a requirement.
Many customers are concerned about the risk of data leakage in these hybrid/remote arrangements and are therefore requesting solutions and options that allow remote work to take place while mitigating the risk to both organizations.
Why is offshore work considered more risky than onshore work?
Many offshore resources have access to sensitive data, yet they are not direct employees of the customer. Distance raises the risk because the customer cannot continuously validate, day to day, that work is happening securely and safely. However, not all data risk is the same, which allows organizations to take a more risk-based approach.
The first step in taking a more risk-based approach is educating internal business partners on the risks of certain data sets being sent to or accessed by offshore resources. You can then discuss with business partners what controls need to be in place for each data set to lower the risk associated with accessing it.
For example, development work that only interacts with lower environments, such as development or test, and involves no sensitive data could be done remotely and offshore (not in an ODC), as it requires fewer controls. At the opposite end of the risk spectrum, access to credit card data or personal health information (PHI) would require additional controls and monitoring to be in place, or should never be sent outside an ODC.
Enterprise Security for BPO
Many customers of BPOs focus only on the security of the service the vendor provides. However, given the interconnectivity they may have with the BPO, they should also review the BPO's enterprise and information security controls.
Starting with connections: dedicated connections between your organization and offshore BPOs require network devices, which present a weak link. Network device manufacturers regularly release security patches and maintenance releases. Ask the BPO how often it updates its network devices; the question you can ask is noted below.
What is their policy for critical security patches and notification to you, as their customer, when these updates and maintenance patches are to be installed?
Downtime for these devices must be planned regularly and, when a critical release is required, the patch installed at the earliest possible moment.
You can also ask:
What is the BPO's Intrusion Detection/Prevention System and is it adequate?
Does the BPO use a security information and event management (SIEM) tool and does it collect information from all critical systems within the network?
Does the BPO have a data loss prevention (DLP) system or tool in place that would detect when an employee or intruder begins to exfiltrate data, or does it only detect a threat actor after they’ve taken gigabytes?
Does the BPO perform cybersecurity awareness training, including an insider threat module?
Service-Level Security for Customers of BPOs
Once you’ve established that the BPO either has adequate enterprise-level controls in place or is remediating toward your security baseline, ask how it secures the service it provides to you as the customer.
If the data is remotely accessed via a Virtual Desktop Interface (VDI) on your own network, how have they disabled activities like copy-and-paste and right-click actions, limited access to only the URLs required to perform the work, and prevented access to personal email and chat?
If the data is in a shared cloud environment with the BPO, what controls within the cloud are enabled? Is it in a single-tenant or multi-tenant environment?
How are access controls managed?
Ensure the vendor's revocation of access rights meets your requirements. Review the connections to ensure they do not allow deprecated versions of Transport Layer Security (TLS).
End-Point Security for Hybrid/Remote Workers
One of the most important controls for remote workers is the set of security controls enabled on the endpoints, such as laptops or desktops. The level of control found on laptops ranges from the simple to the complex. At a minimum, there should be an ‘always-on’ VPN, meaning that as soon as the laptop is switched on and connects to the employee’s home network, it creates an encrypted tunnel. As the risk to the data and connection grows, there should be more active controls on the endpoint, such as heuristic analysis of keystrokes, artificial intelligence software that analyzes laptop camera images, and biometric requirements for logins. All endpoints should also be connected to a data loss prevention (DLP) system, an intrusion detection system (IDS)/intrusion prevention system (IPS), and a corporate SIEM to ensure a holistic approach to security.
Network Devices and Remote Work
A weak link in this remote work approach is the assumption that all home-based routers are secure. Questions you can ask the BPO include:
Are employees required to regularly update their home routers and how is this monitored?
Is it a router that your corporate network would trust on its own network?
If there are thousands of offshore employees working from home, that is thousands of potential attack points that may be vulnerable. The best option is to require the BPO to issue company-supplied, configured, and controlled routers. As long as the program to issue and control these devices is well designed and well run, many of the risks listed above are reduced.
BPOs can also increase security by only allowing employees to connect to the BPO network with approved devices, ensuring the risk is not elevated when employees work from or connect to the Wi-Fi of a local coffee shop or other less secure location. The middle ground is a list of company-‘approved’ devices that meet minimum standards to lower the risk. Employees can register their devices with the company (recording serial number, access controls, and other critical information), allowing the BPO to monitor security updates and patches and to inform affected employees when their devices are at risk.
Zero Trust for BPO
A Zero Trust approach can greatly reduce your risk of a breach; however, it will not lower your risk to zero, as nothing can. This section explains a Zero Trust approach you can take with your BPOs. First, investigate how the BPO approaches zero trust. Since only 22% of organizations report being fully at zero trust, this may need to be a risk-based approach focusing on the highest-risk data and connections. Another zero-trust action your organization can take, as the customer, is to implement controls on your own network. Where the BPO connects to your network, place that connection in a bastion or demilitarized zone (DMZ) configured for a level of access based on least privilege. Require biometrics, multi-factor authentication (MFA), re-authentication every few hours, and a privileged access management (PAM) system to ensure these accounts are better secured.
Physical Validation of Security for Remote Work
As the ability to travel opens back up, it is important that customers of BPOs begin to perform physical validation of their critical vendors.
Previously, a visit to an offshore vendor followed a familiar script: fly to the country where the vendor is located and meet with the security and operations team to get physical validation of both logical and physical controls. There was a tour of the ODC offices to ensure the expected physical controls were present on the floor: separate spaces, no recording devices (such as phones) allowed in, badges and biometrics for entry, validation of clean room policies, and similar physical checks.
With remote work, these checks are not possible at every remote worker’s home. However, that doesn’t mean they can be skipped, nor does it mean they can’t be checked. For example, require the vendor to randomly check, like an audit sample, some of its employees’ home offices. Physical validation can also include having the BPO connect to a set sample of remote workers’ cameras and validate specific physical controls. If your BPO already does this, then ask:
Have monitoring controls caught any examples of potentially risky behavior?
Ask them to show how they dealt with risky employee behavior to ensure it aligns with their policy and your expectations as their customer.
COVID changed a lot of things in the business world. It is doubtful the ‘work remote’ genie can be put back into the bottle. The best talent will want the flexibility to work remote or hybrid, which will, in turn, give them the ability to deliver better service. It will also allow BPOs to hire and retain talented employees. Regardless of your personal views on remote offshore work, there are ways to allow your BPOs to deliver service remotely while keeping the risk to your data and your network within the risk appetite of your organization.