April 16, 2019
When a transactional company uses your customer information to process and mail your bills, will they keep that customer data safe? This is a question any business should ask as data breaches become a prominent and growing problem, affecting billions of people each year.
If yours is a small business, don’t think it won’t be a target. Most small business owners think that criminals target larger companies, but small businesses also lose thousands of dollars to cybercrime. In fact, small businesses are probably easier targets because they often devote less time and money to protecting their data.
Before you contract with a third-party company to process and mail your billing, here are some questions you should ask and things you should think about.
Is the company up-to-date on data security issues and how to address them?
Before you hand over customer information, evaluate your transactional partner’s processes and security measures. Look for signs that it keeps up with current data-safeguarding practices and has taken visible steps to apply them. Does the company require security clearance for data processing areas? Does it use security cameras? How does it handle building access? Can the IT staff explain the software protections it has chosen and installed on its computer system? At Bluegrass, a team that includes IT, transactional, operations and human resources meets every week to talk about security issues. Each discussion may cover topics like building access, HIPAA compliance, software needs and upgrades, and staff training. It keeps us all better informed as we share knowledge and information, and the discussions often result in new security measures and protocols.
How much focus is placed on staff training?
Businesses have become better at locking down their computer systems to thwart hackers, but cybercriminals always find new ways to steal information. Their best, unintentional allies are employees who might open suspicious emails and click on attachments that then send viruses racing through a computer system. Ninety-one percent of cyber attacks start with these “phishing” emails. The Small Business Administration recommends that businesses establish policies on how personal information is handled and outline the consequences for not following these cybersecurity policies. Ask your transactional partner if they have such policies and procedures in place.
By the way, the Small Business Administration has good resources for improving cybersecurity on its website.
Is encryption used to protect your information?
Your provider should ask if you want your data encrypted as it is used in the billing preparation process. Some companies want their data encrypted throughout the process, and it can be difficult for some transactional vendors to do this. We use software that keeps data encrypted the entire time we use it. This layer of security is offered as an option to every client, but some decline to use it. When they do, we require that they sign a waiver stating that they understand the hazards of not doing so. I always recommend that clients use it, by the way. But it is up to the client to decide the level of protection they believe their data needs and to make sure their transactional partner provides it.
Is the transactional company HIPAA compliant?
For hospitals, insurers and others who handle patient health-related information, this is of utmost concern. HIPAA (the Health Insurance Portability and Accountability Act) mandates that electronic medical records and a patient’s health information remain private and confidential. Companies that use patient medical records to prepare transactional mailings like bills and invoices must ensure that their third-party provider is HIPAA compliant. Note that HIPAA is a matter of compliance, not certification; there is no official HIPAA certification to ask for.
Ask about breaches.
I don’t think a potential client has ever asked if we have had a data breach. For the record, we haven’t. But it is a fair question and one that you should ask before you hand over customer data to a third party.
Do they have a Plan B?
It’s always good to know about a supplier’s ability to continue to do business if they are faced with an emergency, like a power outage or a computer system failure. Ask them to describe the measures they have taken, from generators to off-site records to facility sharing agreements with similar businesses, to keep their business running in emergency situations.
Do they see themselves as a consulting partner?
A transactional company that is up on the latest security threats and the best practices to follow to prevent cybercrime will want to share that information with its clients. They realize that by educating clients, they cut down on cybercrime. They also realize that it can be difficult for smaller companies to keep up with threats and the various measures that can be taken to thwart hackers. Look for a transactional partner who will alert you when they notice that your company is vulnerable to a cyber attack. For example, although we always educate our clients in safe ways to send us data, occasionally someone at a client’s office will send a data file by email. They might be new to the staff, or they perhaps simply forgot to use the secure FTP site we provide to our clients. We immediately delete the emailed file and remind the client of the importance of using secure means to share information.
Look for a transactional company that keeps you on the forefront of data security. You want to work with a company that has your company’s best interests at heart.
We’re always happy to talk about what we’re doing to protect our clients’ data and show people around our facility. Give us a call if you’d like to schedule an appointment.