Cybersecurity in Shared Services Organizations
The number of cyber attacks against organizations continues to grow in complexity, frequency, and severity. SSOs handle confidential and restricted personal data, making them a target for cyber crimes. Since the SSO is accountable for protecting sensitive corporate and employee information, care must be taken to understand and protect the flow of this sensitive data.
How do you properly manage cyber threats? A robust cybersecurity program is imperative to protect your organization, employees, and customers.
In this report, find out about the building blocks needed for an effective SSO cybersecurity program.
Cybersecurity in Shared Services Organizations
- June 2016
- Agenda:
  - Introduction to Shared Services Cybersecurity
  - What's at Risk?
  - Cyber Attack Trends
  - Key Shared Services Organization (SSO) Risk Factors
  - Building Blocks of an SSO Cybersecurity Program
    - Data Security
    - Education and Awareness
    - Governance and Compliance
  - SSO Cybersecurity Leading Practices
  - How ScottMadden Can Help
Introduction to Shared Services Cybersecurity
- Shared Service Organizations (SSOs) control much of an organization's confidential and restricted personal information. While handling and using this data is routine for SSOs, it is exactly the kind of information that is highly prized by cyber criminals. A robust cybersecurity program is imperative to protect the organization, employees, and customers. Cyber threats can materialize in a number of ways but can be broken down into two main types:
- Many organizations have dedicated Information Security (InfoSec) groups that manage security programs enterprise wide. However, accountability for protecting sensitive shared services and employee information ultimately falls to the SSO.
What's at Risk?
- Confidential Information refers to data/information for which unauthorized access or disclosure could result in an adverse effect on the organization, an individual, or both. This information could either be personally identifiable information (PII) or confidential business information. Restricted Information includes the most sensitive Confidential Information and is typically protected by law or policy.
Cyber Attack Trends
- The number of cyber attacks against organizations continues to grow in complexity, frequency, and severity. Significant data breaches in 2015 included[1]:
  - VTech (children's technology maker): personal data compromised for 5 million parents and 6 million children
  - Kaspersky Lab (security vendor): 13 million account records exposed
  - Experian (credit service provider): personal data compromised for 15 million customers
  - US Office of Personnel Management (federal government): PII and restricted data exposed for 21.5 million federal employees
  - Anthem Blue Cross Blue Shield (health insurer): PII and restricted data exposed for 80 million patients and employees
- In 2015, the average organization spent more than $15 million remediating the effects of cyber attacks. To mitigate potential costs, SSOs must take action to understand and protect the flow of their sensitive information.
Key SSO Risk Factors
- The volume of sensitive data makes SSOs a target. While a high volume of data tends to correlate to increased operational efficiency, it also increases the risk that this data may be compromised. Despite this, data security is often overlooked in favor of gains in operational efficiency and customer service.
- SSO Risk Factors:
  - SSOs enhance their efficacy by integrating their primary systems with third-party systems for benefits management, time and attendance, etc. Each of these integrations typically transmits sensitive data over myriad secured and unsecured channels
  - Business process complexities, policies, and exceptions increase along with the amount of sensitive data flowing through the SSO
  - Email, chat, and open service tickets are common modes of sending communications in and out of SSOs. These regularly include sensitive information that can inadvertently fall into the wrong hands
  - Some SSO departments (e.g., workforce administration, call centers) can experience low employee engagement, especially for data security initiatives. These departments can also experience high turnover, opening the SSO up further to potential malicious insider activity
- Complexity of an HR SSO Information Ecosystem
- SSO data is constantly moving through countless systems, applications, and individuals. Only a robust cybersecurity program can mitigate the complexities of the information ecosystem.
Building Blocks of SSO Cybersecurity
- Tiered SSO delivery models often include payroll and leave-of-absence specialists, AP clerks, and HRIS teams that have elevated privileges to sensitive data. SSOs need to provide employees the tools, awareness, and direction to properly handle, communicate, and use confidential and restricted data.
SSO Data Security
- SSO data is stored in and moves through countless on-premises and cloud applications and systems. Understanding where sensitive data is stored and how it is used and shared is essential to developing and implementing effective security controls. Data can be classified in three categories:
  - Data at rest: anything that holds data in a static state, such as file shares, databases, servers, etc.
  - Data in motion: data in transit (on a wire) between applications, systems, individuals, etc. via email, web, or other Internet protocols
  - Data in use: data that resides on the end-user workstation and needs to be protected from being leaked through removable media devices like USBs, DVDs, CDs, etc.
- The graphic below depicts a sample flow of data through an SSO's payroll process:
Mitigating Common SSO Data Security Challenges
- Many SSOs face similar data security challenges and risk points they must address:
  - Stale or outdated data maintained on servers and databases
  - Numerous locations and mechanisms for storing data
  - Necessity of cross-functional collaboration using sensitive data
  - Inconsistent use of encryption and secure file transfer protocols
  - Lack of clarity with regard to retention standards
- Formal data security standards can help mitigate these risks throughout the data life cycle. Key considerations include:
  - What data will be stored, and for how long
  - Where data will be stored, both physically and electronically
  - Who can access data, including both applications and users
  - How often and where data should be backed up
  - When and how to destroy data
Education and Awareness
- Cyber crimes are not the only source of risk for SSOs; the action or inaction of employees can also lead to security incidents. It is vital that SSOs maintain a security awareness program to ensure employees understand the importance of protecting sensitive information, how to handle it securely, and the risks of mishandling such information.
- Source: PCI Security Standards Council
- Qualities of an effective and sustainable awareness program include:
  - Information is provided in a way that relates to the SSO culture (i.e., how employees think and behave)
  - Information is delivered in different formats to effect change and is consistently reinforced and repeated
  - Management is on board and understands the holistic security risks (e.g., financial, reputational, legal)
  - Presentations are personal: bring the message home; security is everyone's job
  - Information is relevant to current events and trends and is consistently updated with lessons learned
Governance and Compliance
- In addition to securing sensitive data and educating employees, SSOs must work with other parts of the organization to clearly define security roles and responsibilities. Establishing a governance model creates a structure that enables the SSO to operate with clear role definition, fosters appropriate accountabilities, and ensures compliance with corporate standards.
- Establish Enterprise Data Security Standards:
  - Conduct analysis to understand where the SSO is in relation to existing enterprise data security policies and identify highest-priority gaps
  - Collaborate to establish overall data security standards, taking into account special SSO situations and laws/regulations
  - Document policies and processes
  - Establish a process and standards audit cycle
- Foster Collaboration between the SSO, IT, Legal, and InfoSec:
  - Identify a clear set of roles and responsibilities for which each group is accountable
  - Leverage the insight of each group to determine risk points
  - Ensure communication between all groups is timely, efficient, and ongoing
  - Work together on policy creation to ensure alignment on data security priorities and standards
SSO Cybersecurity Leading Practices
Putting It All Together
- A programmatic approach is required to secure SSOs. Attempts to build and improve cybersecurity capabilities through individual or disjointed projects are expensive and ineffective. SSOs must pursue a programmatic approach that mitigates SSO-wide risks.
- Engaging SSO leadership and stakeholders in cybersecurity decision making is the single most important factor in creating a successful cybersecurity program, more than technology or funding.
- In a formal cybersecurity program:
  - A roadmap is created to identify critical risks, take immediate action, and achieve long-term capabilities. Many leading practices can be implemented quickly with significant impact on SSO cybersecurity
  - Priorities are risk informed
  - Project management and organizational change management enable a successful implementation
  - Monitoring of indicators drives corrective actions and continuous improvement
How ScottMadden Can Help
- Cybersecurity Program Services:
  - Strategic planning support
  - Security program management
  - Design and implementation
  - Security policy alignment
  - Program assessments
  - Sensitive data inventories
  - Transformation
- Cybersecurity Governance Design and Implementation:
  - Policy framework design
  - Business policy and process assessments
  - Data security standards creation
  - Cybersecurity metric design and implementation
  - Access management strategy development
- Cybersecurity Organizational Change Management (OCM):
  - OCM support of implementation efforts
  - Cybersecurity awareness plan design and implementation
- Cybersecurity Capability Design and Implementation:
  - Process design
  - Implementation project management
  - Cybersecurity threat-based risk assessments
  - Vendor selection
To learn more about SSO Cybersecurity, contact us.