July 06, 2022
Outsourcing your billing to a third party to handle your accounts receivable mail? Follow these three risk management steps to make sure your clients’ data is safe and secure in someone else’s hands.
Security breaches make us all uneasy
Are you concerned about the security of your clients’ data? You aren’t alone. Highly publicized security breaches like those suffered by Target, Adobe and Facebook make all of us uneasy about the vulnerability of confidential information that our clients and customers share with us.
As a business owner, you have a responsibility to protect your customers’ personal information, not only when that information is in your hands, but also when you share it with a third-party company, such as those you contract to handle your monthly billings or invoices. That’s why you must carefully evaluate a third-party vendor before outsourcing your billing.
It’s not nearly as daunting as it sounds. Taking these three steps will significantly lower the chances of a data breach when outsourcing your accounts receivable mailings.
Step 1: Create a team of security advisers
Security solutions and services are a necessity in today's world. They must not only be implemented but continuously evaluated for effectiveness to ensure that they remain an integral part of your organization. Ensuring that your third-party accounts receivable vendor is up to speed in terms of data security is not a job for one person. Create a team that will evaluate potential vendors to find one that best suits your needs. Make sure your IT manager and chief financial officer are on the team.
Step 2: Take a tour
Are you based in or near the same city as your accounts receivable vendor? If so, have as many members of your team as possible tour their facility. Before your visit, talk to your team about what to watch for, including:
- Building access. Companies that are truly concerned about the security of their clients’ records will limit access to their buildings and use cameras and video surveillance systems. Doors will be accessible only by key card or code, and visitors will have to identify themselves and have business with the company to be given access. Visitors will be accompanied by a staff member at all times.
- A second layer of security. Companies that are on their toes will have a secured area for their data that can be accessed only by the employees who work in that area. Typically these areas have no external walls and are in the heart of a building, for added security.
- Professionalism. When you're looking for a company to partner with, it's important to get an idea of their professionalism and work ethic. Meeting the staff in person will give you the opportunity to ask probing questions and get a more candid sense of their experience and qualifications. You can also get a feel for how they interact with each other and their clients.
- Screening and hiring. It is always a good idea for companies to perform background checks on potential employees. This is especially important for positions that involve handling sensitive data. A criminal history check can help to identify any red flags, and a credit check can provide insights into an applicant's level of responsibility. Personal and professional references should also be checked in order to get a well-rounded picture of the applicant. By taking these precautions, companies can help to ensure that they are hiring responsible and trustworthy employees.
Step 3: Ask four critical questions about data security
Whether your team meets your vendor in person or via Zoom, ask these questions:
- Do you have a written Data Security Plan that we can review? Data security covers everything from the physical safety of hardware and storage devices to administrative measures, such as the policies and procedures put in place to protect data with good old-fashioned, common-sense precautions. A data security plan also spells out the steps to be taken if data security is breached.
A company that has not taken the time to write its data security plan is not serious about protecting your company’s information. A company’s data security plan should not be a static document. It must be revised frequently as technology and security change. Ask how often they review the data security plan. This might also be a good time to ask if the company has had any data security breaches in the past.
- How do you educate your employees about the importance of data security? As a business owner, you are responsible for ensuring the safety and security of your company's data. One of the most important ways to do this is to train your employees on data security. How are employees educated about the importance of following procedures to protect data?
Are workers allowed to download mobile applications on their work computers and devices? Mobile technology opens the door to many breaches. Do employees use strong passwords and do they understand the threats posed by phishing emails and downloading business data on their personal computing devices? There are many ways to ensure the safety of data, but it starts with the employees. If they are not properly trained on how to handle sensitive information, it could lead to a data breach.
- Do you have a data storage policy? A data storage policy governs how data is managed and controlled. It determines how data is collected and stored, what is kept for future use or for reference, when and how records are disposed of, and how records are organized so they can be accessed. Is there documentation of which data must be kept, which data can be deleted, and which data is stored for a certain amount of time? The more data that is stored over a period of time, the greater the security risk. When you discuss data storage, you must stipulate the requirements that your company will have for its data.
- Does your company use encryption? Encrypting data protects your information from criminals, competitors, hackers, and accidents. When your data is encrypted, the information is scrambled and turned into a code that can only be deciphered when it is unlocked with a special key. The key is only given to those who should have access to the information. Encryption is an easy, effective way to protect data. It is so safe that even the U.S. government uses encryption. If a third-party accounts receivable vendor isn’t up to speed in this area, this is a red flag.
Protection takes planning
Your customers are the future of your business. Protect them and their confidential information by being proactive about safeguarding their data when outsourcing your billing. Remember Winston Churchill’s advice:
“Those who fail to plan, plan to fail.”