Cybersecurity and Offshore Teams

Cybersecurity is arguably the biggest issue that accountants care about right now. Two recent breach stories we’ve shared internally include the “Miss Bitcoin” Deepfake Phishing Incident, and a McDonald’s “low effort password” breach that exposed millions of people’s personal data.

Good accountants wear the trusted advisor archetype like a badge of honour. They deal with sensitive financial and, in some cases, personal information. A breach is seen as a doomsday scenario.  

Imagine a patient with high blood pressure gets misdiagnosed by their doctor. With the wrong prescription, he then has a heart attack and ends up in the ICU. The doctor would be in the firing line and risk permanent reputational damage.

In the same way, a serious data breach could be career-ending for an accountant– at least that’s the fear in the back of their minds.

So, it’s reasonable they have questions about data security when it comes to setting up an offshore team.

What Cybersecurity Looks Like in Offshoring

Many questions are eliminated when you first understand the fundamental setup. The idea is this:

You will not be transferring your data to your offshore provider. Your offshore provider neither stores nor handles your data.

Confusion about the difference between offshoring and outsourcing catches people here. When you engage a BPO like Frontline, the staff will work under your supervision and on your systems. Whatever IT security you are running in your business, it will apply to your offshore team.

It means you retain control over your data.

And it eliminates a major category of potential risk. But there are still some things to look at… You are hiring someone in another country after all. What if they do the wrong thing? And what about hardware? (They will be using hardware that you don’t own).

Five Key Things to Consider

Let’s just run through some basic principles that any skilled IT support should be able to easily roll out.

1. Device Control
   For starters, staff don’t have admin rights, so they can’t install random apps. Any software downloads require IT approval. USB ports are disabled, and downloaded files are wiped off the machine overnight. Hard disks are encrypted. Antivirus software is installed and running in the background.
2. Password Discipline and MFA
   You could have the best security in place, but if a staff member (like the one at McDonald’s Head Office) uses the password: “123456” to access QuickBooks files, your data is exposed. Password manager solutions and Multi-Factor Authentication should be a base-level requirement.
3. Access Control
   Your offshore team doesn’t need access to everything. You can give them access based on role. If someone just needs to reconcile bank accounts, they don’t need full general ledger access. They shouldn’t need access to the full client database. Keep things clean and limited. That way, if something goes wrong, the damage is contained.
4. Monitoring and Logging
   When staff work from home, they have been given your trust to be productive and responsible. If ever trust is broken (i.e., Productivity is low), you may want to do further checks. Offshore providers can have keylogging software installed as an option.
5. Cyber Hygiene is Cultural
   At the end of the day, cybersecurity isn’t only about the technical controls. The culture and behaviour of your team all play a role. Do your staff know how to spot phishing? Are they trained on what not to click? Do they know how to set an appropriate password? Do they know what to do if something seems off? Accounting firms should be training staff and providing leadership on data protection.

There are other controls that have not been discussed here. Staff background checks, facility security, phone policies, and appropriate AI use are all examples. Your client’s data is as secure as the weakest link in your cyber environment.

And the weakest link certainly doesn’t need to be your offshore team!

Want to know more? Book a discovery call with us here.