One of the ways outsourcing providers like QXAS deliver their services is by obtaining remote access to their client’s computer systems. It avoids the need for client data to leave the UK together with the associated responsibilities imposed on the firm by the Data Protection Act.
Granting a third-party provider access to your firm's systems can still be a security risk. Even if access is provided for a legitimate business purpose like outsourcing, it must be strictly controlled.
Providing system access to another company lowers your firm’s security level to that of the other company – in effect they become your systems weakest link. If a hacker compromises their system, they have the potential to use this as a backdoor into your network.
Before you give access to an outsourcing partner, you must conduct a thorough risk assessment. Consider an onsite visit to their facilities, particularly their data centres and any other locations housing IT and network infrastructure. Make sure they meet recognised security standards such as ISO 27001:2013 and adhere to a quality management standard.
Third parties should only have access to a segment of your network that is required for them to perform their services which ideally should be separated from the internal network by firewalls or an isolated subnet. Access should be restricted to the third-parties specific IP address, limited to a restricted time period and of course closely monitored.
The following link and video will help you understand QX’s approach to cyber securitywww.qxas.co.uk/about-qxas/information-security and help you determine the standard you should expect from any outsourcing partner.
My name is Vishal Kurani, the author of the QXAS blog and I appreciate you stopping by! I help accountants gain Accounts Outsourcing knowledge through my easy to follow blogs and guides. Download my free guide "The Accountants Guide to Making Payroll Profitable" to learn how to make payroll profitable for your accountancy practice.