Recently, users of BA’s high-end loyalty programme, its Executive Club frequent flyers, found that they were having problems accessing their accounts. It soon turned out that a criminally minded third party had bought some of the many stolen password files out there on the ‘Dark Web,’ and was using them to attempt to get personal details.
In this instance, the company was able to step in quickly enough – after having been alerted to the issue by social media and enquiries from the affected customers. But think about it: how would you feel if your most valuable customers, as these top-paying regular users are for an airline, saw their accounts electronically compromised?
Let’s hope it’s a feeling you never have to have. It’s not pleasant and can have a lasting impact on your reputation and brand. Like it or not, the Information Age, for all its many conveniences, is unquestionably also the Digitally Insecure Age.
That basic fact of modern business life makes it all the more surprising that the security facet of outsourcing doesn’t get anything like the board-level attention it should. For many enterprises – probably the majority – it’s the cost, contractual and operational sides of an outsourcing move that get all the air time… not the danger of negative impact on your company from poor information hygiene at the partner’s end.
It’s the internal threat that matters most
Our experience with customers has convinced us that security needs to go much further up the food chain. Here are the factors that make this the case:
1. New people will have access to your information. What policies and controls does the prospective partner have in place to safeguard it?
2. If your partner is an off-shore or a near-shore player, where in the world precisely will your data live while under their care? If outside the EU, this has many implications.
3. What technology and infrastructure can your new prospective outsourcing ‘friend’ point to that shows you, in both breadth and depth, what systems and defences are in place?
On that last point, it is a sobering thought that the vast majority of cyber leaks occur not through the fiendishly-clever machinations of the external ‘hacker,’ as Hollywood would have it, but through internal employee behaviour – be that carelessness (writing down passwords on Post-It notes, leaving thumb drives around) or active malice (disgruntled workers looking to disrupt or embarrass their environments).
Modern outsourcing needs to embrace the reality of the digital world, which means fantastic access to data but also that data is very easy to capture and spirit away.
That means that going forward, you need to start worrying as much about protecting your brand in the face of this as you do about getting the right SLAs and bottom-line contract figure into all of your outsourcing arrangements.
The alternative? Being the guy who let the customer details out the door… and who wasn’t as lucky as the team at BA.