Cybersecurity in Shared Services Organizations

The number of cyber attacks against organizations continues to grow in complexity, frequency, and severity. SSOs handle confidential and restricted personal data, making them a target for cyber crimes. Since the SSO is accountable for protecting sensitive corporate and employee information, care must be taken to understand and protect the flow of this sensitive data.

How do you properly manage cyber threats? A robust cybersecurity program is imperative to protect your organization, employees, and customers.

In this report, find out about the building blocks needed for an effective SSO cybersecurity program.

View Accessible Version

business card art.jpg

Cybersecurity in Shared Services Organizations

    • June 2016


  • Introduction to Shared Services Cybersecurity
    Whats at Risk?
    Cyber Attack Trends
    Key Shared Services Organization (SSO) Risk Factors
    Building Blocks of an SSO Cybersecurity Program
    Data Security
    Education and Awareness
    Governance and Compliance
    SSO Cybersecurity Leading Practices
    How ScottMadden Can Help


Introduction to Shared Services Cybersecurity

    • Shared Service Organizations (SSOs) control much of an organizations confidential and restricted personal information. While handling and using this data is routine for SSOs, it is exactly the kind of information that is highly prized by cyber criminals. A robust cybersecurity program is imperative to protect the organization, employees, and customers.
      Cyber threats can materialize in a number of ways but can be broken down into two main types:


  • Many organizations have dedicated Information Security (InfoSec) groups that manage security programs enterprise wide. However, accountability for protecting sensitive shared services and employee information ultimately falls to the SSO.

Whats At Risk?

    • Confidential Information refers to data/information for which unauthorized access or disclosure could result in an adverse effect on the organization, an individual, or both. This information could either be personally identifiable information (PII) or confidential business information. Restricted Information includes the most sensitive Confidential Information and is typically protected by law or policy.


Cyber Attack Trends

    • The number of cyber attacks against organizations continues to grow in complexity, frequency, and severity. Significant data breaches in 2015 included1:
      VTech (childrens technology maker) personal data compromised for 5 million parents and 6 million children
      Kaspersky Lab (security vendor) 13 million account records exposed
      Experian (credit service provider) personal data compromised for 15 million customers
      US Office of Personnel Management (federal government) PII and restricted data exposed for 21.5 million federal employees
      Anthem Blue Cross Blue Shield (health insurer) PII and restricted data exposed for 80 million patients and employees


  • In 2015, the average organization spent more than $15 million remediating the effects of cyber attacks. To mitigate potential costs, SSOs must take action to understand and protect the flow of their sensitive information.

SSOs enhance their efficacy by integrating their primary systems with third-party systems for benefits management, time and attendance, etc.Each of these integrations typically transmits sensitive data over myriad secured and unsecured channels
Business process complexities, policies, and exceptions increase along with the amount of sensitive data flowing through the SSO
Email, chat, and open service tickets are common modes of sending communications in and out of SSOs. These regularly include sensitive information that can inadvertently fall into the wrong hands
Some SSO departments (e.g., workforce administration, call centers) can experience low employee engagement, especially for data security initiatives
These departments can also experience high turnover, opening the SSO up further to potential malicious insider activity

    • The volume of sensitive data makes SSOs a target. While a high volume of data tends to correlate to increased operational efficiency, it also increases the risk that this data may be compromised. Despite this, data security is often overlooked in favor of gains in operational efficiency and customer service.
    • Key SSO Risk Factors


  • SSO Risk Factors
  • Complexity of an HR SSO Information Ecosystem
  • SSO data is constantly moving through countless systems, applications, and individuals. Only a robust cybersecurity program can mitigate the complexities of the information ecosystem.

Building Blocks of SSO Cybersecurity

    • Tiered SSO delivery models often include payroll and leave-of-absence specialists, AP clerks, and HRIS teams that have elevated privileges to sensitive data.SSOs need to provide employees the tools, awareness, and direction to properly handle, communicate, and use confidential and restricted data.


SSO Data Security

    • SSO data is stored in and moves through countless on-premises and cloud applications and systems. Understanding where sensitive data is stored and how it is used and shared are essential to developing and implementing effective security controls. Data can be classified in three categories:
      Data at rest: Anything that holds data in a static state, such as file shares, databases, servers, etc.
      Data in motion: Data in transit (on a wire) between applications, systems, individuals, etc. via email, web, or other Internet protocols
      Data in use: Data that resides on the end-user workstation and needs to be protected from being leaked through removable media devices like USBs, DVDs, CDs etc.
      The graphic below depicts a sample flow of data through an SSOs payroll process:


Mitigating Common SSO Data Security Challenges

    • Many SSOs face similar data security challenges and risk points they must address:
      Stale or outdated data maintained on servers and databases
      Numerous locations and mechanisms for storing data
      Necessity of cross-functional collaboration using sensitive data
      Inconsistent use of encryption and secure file transfer protocols
      Lack of clarity with regards to retention standards
    • Formal data security standards can help mitigate these risks throughout the data life cycle. Key considerations include:
      What data will be stored, and for how long
      Where data will be stored, both physically and electronically
      Who can access data, including both applications and users
      How often and where data should be backed up
      When and how to destroy data


Education and Awareness

    • Cyber crimes are not the only sources of risk for SSOsthe action or inaction of employees can also lead to security incidents. It is vital SSOs maintain a security awareness program to ensure employees understand the importance of protecting sensitive information, how to handle it securely, and the risks of mishandling such information.


  • Source: PCI Security Standards Council
  • Qualities of an effective and sustainable awareness program include:
    Information is provided in a way that relates to the SSO culture (i.e., how employees think and behave)
    Information is delivered in different formats to affect change and is consistently reinforced and repeated
    Management is on-board and understands the holistic security risks (e.g., financial, reputational, legal)
    Presentations are personal bring the message home, security is everyones job
    Information is relevant to current events and trends and is consistently updated with lessons learned

Identify a clear set of roles and responsibilities for which each group is accountable
Leverage the insight of each group to determine risk points
Ensure communication between all groups is timely, efficient, and ongoing
Work together on policy creation to ensure the alignment on data security priorities and standards

    • In addition to securing sensitive data and educating employees, SSOs must work with other parts of the organization to clearly define security roles and responsibilities. Establishing a governance model creates a structure that enables the SSO to operate with clear role definition, fosters appropriate accountabilities, and ensures compliance with corporate standards.


  • Establish Enterprise Data Security Standards
  • Foster Collaboration between the SSO, IT, Legal and InfoSec
  • Governance and Compliance
  • Conduct analysis to understand where the SSO is in relation to existing enterprise data security policies and identify highest priority gaps
    Collaborate to establish overall data security standards taking into account special SSO situations and laws/regulations
    Document policy and process documentation
    Establish a process and standards audit cycle

SSO Cybersecurity Leading Practices


SSO Cybersecurity Leading Practices (Contd)


Putting It All Together

    • A programmatic approach is required to secure SSOs. Attempts to build and improve cybersecurity capabilities through individual or disjointed projects are expensive and ineffective. SSOs must pursue a programmatic approach that mitigates SSO-wide risks.


  • Engaging SSO leadership and stakeholders in cybersecurity decision making is the single most important factor in creating a successful cybersecurity programmore than technology or funding.
  • In a formal cybersecurity program:
    A roadmap is created to identify critical risks, take immediate action, and achieve long-term capabilities. Many leading practices can be implemented quickly with significant impact on SSO cybersecurity
    Priorities are risk informed
    Project management and organizational change management enable a successful implementation
    Monitoring of indicators drives corrective actions and continuous improvement

How ScottMadden Can Help


    • Strategic planning support
      Security program management
      Design and implementation
      Security policy alignment
      Program assessments
      Sensitive data inventories
    • Policy framework design
      Business policy and process assessments
      Data security standards creation
      Cybersecurity metric design and implementation
      Access management strategy development
    • OCM support of implementation efforts
      Cybersecurity awareness plan design and implementation
    • Process design
      Implementation project management
      Cybersecurity threat-based risk assessments
      Vendor selection
    • Cybersecurity Program Services
    • Cybersecurity Governance Design and Implementation
    • Cybersecurity Organizational Change Management (OCM)
    • Cybersecurity Capability Design and Implementation

To learn more about SSO Cybersecurity, contact us.

    • Contact Us


View More

Contributing Authors

Welcome to ScottMadden!

Sussex Economic Advisors is now part of ScottMadden. We invite you to learn more about our expanded firm. Please use the Contact Us form to request additional information.