How to Combat Cyber-attacks When Offshoring, Outsourcing or Employing Virtual Assistants
Whether you are offshoring, outsourcing or employing virtual assistants (VAs), there are methods you can use to protect your business from cyber-attacks. The associated risks and strategies differ and are often confusing for companies seeking to arrive at the best option.
Recent high-profile cyber-attacks have increased awareness, questions and concerns for businesses with both onshore and offshore staff. Through a panel interview discussion with specialists in IT, cyber security, insurance and offshoring, we were able to ask some probing questions on the security implications for companies with offshore staff and uncover the nine most important things to consider when protecting your business from cyber-attack.
1. Human or employee error is undeniably the most common cyber risk for companies with onshore and/or offshore staff. If you are employing offshore, employees should have security awareness training provided by the offshore partner as part of their onboarding process. But one-off training is not enough; when you’re running cyber training for your Australian staff, you should include your offshore staff as well. It is essential for an offshore team to be treated in exactly the same way as a company’s onshore team, and not as some sort of disconnected overseas group of outsourced virtual assistants.
2. Multifactor authentication and a password manager. MFA is the first line of defence for offshoring and outsourcing operations and an absolute must; a password manager should be used for the creation and storage of strong and unique passwords.
3. A ban on using personal devices — whether your staff are onshore or offshore, they should not be providing their own computers to access company information. If virtual assistants are providing their own laptops, who checks the anti-virus software? Is it in place and being regularly updated? Do you check or just take their word for it? All staff members should be given a clean laptop that is loaded with company software and robust security software. For offshore staff, anti-virus software and updates must be monitored by the offshore provider; it should not be the responsibility of the staff member. Work devices must not be used for personal use.
4. Restricted permissions — as with onshore staff, your offshore staff should have restricted permissions set up on their devices so that they only have access to information that is required specifically for their role.
5. Employing an offshore staff member directly vs through an offshore partner — When looking to offshore, if you go direct, who does the background, medical and security checks? You may employ people with the right skills, but you still need a comprehensive check on background, employment history, ethics and values. Know who you are employing. For a small business, setting up and protecting IT equipment for offshore staff is time-consuming, difficult and expensive. If you have an offshore provider, they will supply IT equipment and have robust policies and restrictions in place to secure the device to make sure the information is protected. Information stored on overseas computers breaches data and privacy regulations. Data should be stored directly on your company systems with nothing saved to the hard drive. Money laundering is another concern: if you are regularly transferring money overseas to someone and haven’t done background checks on that person, are you breaking anti-money laundering laws? You should also consider the views of the Australian Taxation Office over direct employment: are you providing super and work cover, are your employees insured and are you paying the award rates? A lot of smaller companies choose offshoring to save on expenses, but the cost saving is limited if they have to provide all the insurance and security for their offshore staff themselves. Small firms can benefit from working with offshore partners who have these policies in place and cover the time and expense of set-up — one less thing for small businesses to worry about and smoothing the path into offshoring.
6. Cyber policies and penetration testing are another recommended step for protecting your business from cyber-attack. Engaging the help of a cyber expert to set up policies and provide penetration testing will ensure you are aware of possible areas of risk.
7. Incident response — if there is a breach, do you have a response plan in place? Even with the best efforts in place to protect your IT systems, cyber-attacks can and will still occur, so being fully prepared can be your best line of defence. Having an incident response plan has become just as important as having protection and detection in place. An effective response plan can limit the damage, improve your recovery time and help safeguard your organisation.
8. Cyber insurance is an emerging insurance class with rising business take-up. Because cyber risk is not going away, it is important to have a thorough, top-quality cyber insurance policy in place. There is no issue with onshoring or offshoring; it’s extremely agnostic. What’s important is that you speak to a specialist insurance broker to make sure you have the right policy in place and that you treat your offshoring team as you would your own.
9. “Expect the best, plan for the worst and prepare to be surprised,” advises Marty Haak, Director of Infinite Edge, computer and network security experts.
The panel discussion was held by Intogreat Solutions, an offshoring and consulting company. CEO and founder Adam Conrad has published a book, “Is Offshoring Right for Us?”, which can be ordered at www.intogreat.com.au.
The full panel discussion can be viewed at http://www.intogreat.com.au/media/protect-and-insure-your-business-against-cyber-attacks
Please reach out to Delia Mackenzie (dmackenzie@intogreat.com.au) if you would like to speak to any of the panelists.