WHITE PAPER
Your master data is essential to the smooth operation of your business.
But it is also valuable to others. Master data is vulnerable to both
internal and external attacks. As the future of business and data is
increasingly cloud-based, we explore five fundamentals to ensure the
security of your data.
© sharedserviceslink and JPD Financial 2017
Master Data in the Cloud: 5 Security Fundamentals
One of the most important assets in your business is your data. Data, including your master
vendor data, contains information essential to the day-to-day running of your organization.
Without it, operations would come to a grinding halt.
However, it’s not just valuable to you.
Master data can be a target, and it can be compromised in breaches, hacks, or data leaks
(intentional or unintentional). In the wrong hands, this information could expose you to
fraud; it could compromise sensitive business information; and it could seriously damage
your reputation with current and future customers, as well as with shareholders and the
business market at large.
As automation becomes more common in business in the form of cloud-based technology,
opportunities for data access increase. Thankfully, there are a number of precautions and
preparations well worth considering before putting your sensitive master data into the
cloud, which will help to make your transition much more secure.
There are many valid concerns when it comes to data security
Master data contains a huge amount of information that ensures your business is able to operate. But in the wrong hands, the possibilities are terrifying.
Your master data contains commercially sensitive information about your business and your suppliers. It includes which suppliers you use, how much you spend with them, when their contracts are up for renewal and what their bank details are.
The information in your master data can also lay the foundation for fraud that may happen in downstream processes in, for example, purchasing or payments.
Given the relatively easy access to this sensitive data, it is surprising how infrequently this data gets the protection it needs.
A 2016 sharedserviceslink survey shows that over one-third, 34% of respondents, had an incident of fraud in the last 5 years that could have been prevented with better vendor master data control.
Regular checks and audits of your master data can go a long way to mitigate these risks.
However, many companies aren’t resourced to review and audit master data and supplier vendor data on a regular basis. Keeping on top of your supplier base for irregularities or credits that may be owed to you is a time-consuming task that often falls onto the shoulders of an over-worked accounts payable team who have other, more pressing priorities.
In the wrong hands, master data can be exploited:
• Exposing which suppliers you use, and the exact amount you spend with them, could reveal commercially sensitive or secret information.
• Fraudsters (internal or external) could mimic existing suppliers, invoicing you with realistic-looking, fake invoices.
• Suppliers’ bank details could be changed to re-direct payments to a fraudster.
• Employee expenses can contain sensitive and private information.
Survey chart: Have you had an incident of fraud that could have been prevented by better vendor master control?
• Yes, within the last 5 years: 34%
• Yes, within the last 10 years: 9%
• No: 57%
Source: sharedserviceslink report, Get Proactive About your Vendor Data, 2016
The General Data Protection Regulation (GDPR) comes into effect on May 25th 2018. While it is
a European Union (EU) regulation, if you process data about individuals in the context of selling
goods or services to citizens in EU countries, then you will need to comply.
Key compliance elements include:
• Responding to data subjects’ requests about how their data is being used and requests to
remove data
• Notifying those affected by data breaches within 72 hours
• Clarified data consent policies
Non-compliance fines can be up to 4% of annual global turnover or 20 Million Euros, whichever
is greater. To remain compliant, organizations must demonstrate compliance, and that can be
done through enhancing data protection policies, staff training, internal audits and creating and
improving security features on an ongoing basis.
Third parties who specialize in auditing suppliers can help you manage these risks, and help
you drive credit recovery, but a critical success factor is understanding the level to which
these third parties will protect that data.
The future of data is in the cloud
In finance, as in businesses in general, the future is in the cloud. Any organization of a
certain scale will have some of their business-critical data in online tools and in the cloud.
Most finance automation tools today are much less likely to be installed on-premise. Rather,
they will be online and cloud-based. Cloud-based applications not only save on the capital
expenditure of installation, they are generally much easier to upgrade and deploy across
your global business. Lastly, they provide best-in-class security features.
Engage IT early in your search for providers
Even very traditional companies are entrusting their data to cloud-based providers. As with
any technology deployment, it’s important to engage your IT team early in the process, so
that you understand what they need to see from suppliers.
“I was under the impression that we managed the vendor statements internally and did
not miss any opportunities for recoveries. Once I started to review, I identified that 45%
of the vendors did not provide their statements.”
Ed Martinez, Former VP of Shared Services and Owner and Senior Advisor of EPM Services.
Getting IT and Finance on board with cloud technology
“Our IT team are inherently conservative, and understandably so, because we work with a
lot of client data, and we come from a banking background. So the concept [of moving finance
automation onto the cloud] was radical to some, but contemporary to others.
What helped us was IT had gone through a previous cloud implementation of a completely
different product outside of the finance arena, so that helped set the scene and set the comfort
level. We also worked well with our provider about the IT diligence. We were able to satisfy their
concerns and meet the thresholds our IT team were looking for.
I’d be stunned if any organization didn’t have some form of data going in and out of the business
somewhere in the processes they operate, so there has to be data standards to it.”
- Robert Bloor, Group Financial Controller, Equiniti
Nearly every company has, or will have, some data online, sitting in cloud-based tools. When
it comes to implementation, it’s important to ensure the tools, access rules, controls, and
procedures satisfy both IT and Finance’s requirements early in the process, before the tender
has begun.
The cloud may be more secure than on-premise.
Many cloud-based service providers host data in secure, geographically separated, nondescript data centers. They use technology like biometrics and 24-hour video surveillance to prevent unauthorized access. On top of that, many leverage military-grade encryption of the data they host.
These levels of security are impractical for most organizations on-premise. Many companies appreciate that they need a level of physical security and encryption that is untenable for them to attain without partnering with a third party. A move to the cloud can be motivated by the need to increase data security levels, but optimum data security is not guaranteed, or indeed offered, by all third parties.
Your master data is important, but it’s also vulnerable. When you are using third
parties – particularly cloud-based third parties – what can you do to ensure it is secure?
Master data security: 5 fundamentals
There are some key requirements you should seek when it comes to protecting your master data.
1. Regularly audit your data and supplier information.
No matter how rigorous your processes are, it’s always good to have a third party come and look
over your shoulder every now and again.
While good processes can mitigate many risks, and keep the quality of your master data
high, auditing all of your supplier spend and looking for irregularities (such as duplicate
payments) can be extremely time-consuming. This is where third parties can add real value.
Audit recovery or vendor credit recovery firms can:
• Check data against databases to verify existing records
• Identify and red-flag any problematic suppliers
• Alert you to credits owed to you (such as duplicate payments, credit notes or rebates), which can be a huge boost to your bottom line.
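Two of the audit checks described above, duplicate-payment detection and review of supplier bank detail changes, can be run as simple rules over accounts payable records. The script below is an added example written for this section; it is not code from the white paper or from any audit firm’s tooling. All records are constructed placeholders, and the invoice-reference normalization rule, the 90-day duplicate window, and the “verified by callback” field are assumptions about how a typical vendor master and payment ledger might be modelled.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Payment:
    payment_id: str
    vendor_id: str
    invoice_ref: str
    amount_cents: int
    paid_on: date


@dataclass(frozen=True)
class BankDetailChange:
    vendor_id: str
    changed_on: date
    old_account: str
    new_account: str
    verified_by_callback: bool  # confirmed with a contact already on file, not the requester


# Constructed sample records; vendor ids, invoice refs and accounts are placeholders.
PAYMENTS = [
    Payment("P1", "V100", "INV-0042", 125000, date(2017, 3, 1)),
    Payment("P2", "V100", "inv 42", 125000, date(2017, 3, 20)),  # same invoice, keyed differently
    Payment("P3", "V200", "A-7", 9900, date(2017, 3, 5)),
    Payment("P4", "V200", "A-7", 9900, date(2017, 9, 5)),        # same ref, but six months apart
    Payment("P5", "V300", "Z-1", 50000, date(2017, 4, 10)),
]

BANK_CHANGES = [
    BankDetailChange("V100", date(2017, 2, 1), "ACCT-OLD-1", "ACCT-NEW-1", True),
    BankDetailChange("V300", date(2017, 4, 3), "ACCT-OLD-3", "ACCT-NEW-3", False),
]


def normalize_invoice_ref(ref: str) -> str:
    """Collapse case, punctuation and leading zeros so 'INV-0042' and 'inv 42' compare equal.
    This rule is an assumption; real systems tune it to their own invoice numbering."""
    compact = re.sub(r"[^A-Z0-9]", "", ref.upper())
    m = re.fullmatch(r"([A-Z]*)0*(\d+)", compact)
    return m.group(1) + m.group(2) if m else compact


def find_duplicate_payments(payments, window_days=90):
    """Return (earlier_id, later_id) pairs: same vendor, same normalized invoice ref,
    same amount, paid within window_days of each other."""
    groups = defaultdict(list)
    for p in payments:
        groups[(p.vendor_id, normalize_invoice_ref(p.invoice_ref), p.amount_cents)].append(p)
    findings = []
    for group in groups.values():
        group.sort(key=lambda p: p.paid_on)
        for earlier, later in zip(group, group[1:]):
            if (later.paid_on - earlier.paid_on).days <= window_days:
                findings.append((earlier.payment_id, later.payment_id))
    return findings


def flag_unverified_bank_changes(changes, payments):
    """Map vendor_id -> ids of payments made on or after a bank detail change that was
    not verified by callback, i.e. money that may already have gone to the wrong account."""
    paid_by_vendor = defaultdict(list)
    for p in payments:
        paid_by_vendor[p.vendor_id].append(p)
    flagged = {}
    for c in changes:
        if c.verified_by_callback:
            continue
        exposed = sorted(p.payment_id for p in paid_by_vendor[c.vendor_id]
                         if p.paid_on >= c.changed_on)
        flagged[c.vendor_id] = exposed
    return flagged


if __name__ == "__main__":
    for earlier, later in find_duplicate_payments(PAYMENTS):
        print(f"possible duplicate payment: {earlier} and {later}")
    for vendor, exposed in flag_unverified_bank_changes(BANK_CHANGES, PAYMENTS).items():
        print(f"unverified bank detail change for {vendor}; payments since change: {exposed or 'none'}")
```

On the constructed data the duplicate check pairs P1 with P2 (the same invoice keyed two ways) but not P3 with P4, because those fall outside the 90-day window, and the bank detail check flags vendor V300 with payment P5 already made after an unverified change. In practice the duplicate window and the normalization rule are the two knobs that decide how many false positives the accounts payable team has to work through.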
2. Have a strong user awareness program
User awareness is a first line of defense, and a culture of security is important, both internally and
with any third party you use.
For you, or any provider who works with your master data, it’s essential to have a strong user
awareness program in place for data security. Your IT team or subject matter experts may
know where fraud is likely to occur, but not everyone who interacts with your data will know
whether their actions are assisting or jeopardising your data controls.
Users who interact with data should be aware of how fraud is likely to occur. Some will need
education about the latest cyber threats, while others may need reminding not to trust an
inbound call to change bank account details.
Without strong user awareness, data could be unknowingly compromised. It’s also important to have a culture of openness. If someone is worried they did something wrong, or saw something suspicious, be sure to provide avenues for them to speak up, so you can catch issues early on. Ask any third party you use what user awareness programs they have, and if they can help you.
3. Ensure you and your providers have a security policy that keeps up with the changing landscape
Your providers’ security policy should exceed your expectations.
Data security doesn’t happen by chance. It’s a result of stringent policies and rigorous checks. Be sure to ask your service provider about their security policies and bring in your IT team early on in the process to make sure their policies meet, or exceed, your own IT due diligence testing.
Some key elements to understand:
• Who will be handling your information? Who from their organization has access to your data, and what checks have they undergone (for example, do they sign Non-Disclosure Agreements)?
• What security checks do they have in place? Do they use penetration testing (testing to find vulnerabilities and weaknesses in your security)?
• What is their data loss prevention plan?
4. Ask which data storage providers they use
If you are using a Software-as-a-Service provider, they are only as secure as their partners.
Most automation or SaaS providers will partner with large data warehouses. Many use companies like Amazon, Salesforce, Microsoft or Box to manage data securely. If you are evaluating providers, also evaluate who they partner with and what controls they have in place.
• How will the data be encrypted?
• What access controls are in place?
• What back-up of data is done?
5. Data compliance checks
Compliance documents are essential to ensure data is being processed safely and securely, and that regulators’ requirements are met.
Data compliance is a fast-moving landscape, and you will want to check that your supplier is up to the current standards. There is a huge amount of documentation needed to be compliant – some of the key certifications include SSAE-16 and US-EU Safe Harbor. Also, be sure to ask what they are doing to prepare for the General Data Protection Regulation (GDPR) and how they can help you prepare.
Companies you can trust with your data will be proud of their compliance standards, and should share these with you openly.
Will third parties keep your data safe?
Key questions to ask:
• What kind of penetration testing do you do?
• Will you help us with our user awareness program?
• Which storage providers do you use? And what level of security and encryption will there be?
• What compliance checks do you use (e.g. SSAE-16, US-EU Safe Harbor)?
• What is your Data Loss Prevention Plan?
• How are you preparing for the GDPR?
• Who in your organization can access our data, and what checks have they undergone?
In Summary
Just as your data is valuable to your company, it’s also valuable to outsiders. As your information will almost inevitably sit within the cloud, there are a number of things you can start checking to ensure that you remain secure.
Third parties can bring significant benefit to the management of your vendor master data,
but they can also bring risk. Engage IT early in the process, and don’t be afraid to ask some
tough questions – based on the five fundamentals – about security.
About JPD Financial
As the audit landscape continues to evolve, JPD has become proficient in rebalancing
expectations and offering a solution that is advantageous to our clients. Our advanced
recovery credit services, together with quality communication processes, produce the best
results. This personal approach strengthens the relationships of our customers and delivers
the highest level of satisfaction and reward.
To ensure that JPD achieves the most comprehensive data security for our clients, we have enlisted several industry-leading technology partners. Our partners include: Salesforce, Box, Microsoft, Rackspace Cloud, S-Net Communications and Informatica. All JPD employees must sign confidentiality agreements, and an independent third party is used to conduct random penetration testing.
JPD’s On-Demand client portal is cloud based, leveraging the Salesforce platform. This
solution will not require any physical deployment of software or hardware, thereby
providing the flexibility of allowing credit management functions to be performed from
anywhere our clients operate. JPD partners with Box so that our clients can securely transfer
highly confidential and sensitive information. Box utilizes military grade encryption,
customized Box shared links with passwords, expiration dates and restricted download
access as security measures when our clients are transferring data.
JPD Financial – “Helping you take the credit… Securely”
For more information email contact@jpdfinancial.com