Your master data is essential to the smooth operation of your business. But it is also valuable to others. Master data is vulnerable to both internal and external attacks. As the future of business and data is increasingly cloud-based, we explore five fundamentals to ensure the security of your data.
One of the most important assets in your business is your data. Data, including your master
vendor data, contains information essential to the day-to-day running of your organization.
Without it, operations would come to a grinding halt.
However, it’s not just valuable to you.
Master data can be a target, and it can be compromised in breaches, hacks, or data leaks
(intentional or unintentional). In the wrong hands, this information could expose you to
fraud; it could compromise sensitive business information; and it could seriously damage
your reputation with current and future customers, as well as with shareholders and the
business market at large.
As automation becomes more common in business in the form of cloud-based technology,
opportunities for data access increase. Thankfully, there are a number of precautions and
preparations well worth considering before putting your sensitive master data into the
cloud, which will help to make your transition much more secure.
There are many valid concerns when it comes to data security
Master data contains a huge amount of information that ensures your business is able to operate. But in the wrong hands, the possibilities are terrifying.
Your master data contains commercially sensitive information about your business and your suppliers. It includes which suppliers you use, how much you spend with them, when their contracts are up for renewal and what their bank details are.
The information in your master data can also lay the foundation for fraud that may happen in downstream processes in, for example, purchasing or payments.
Given the relatively easy access to this sensitive data, it is surprising how infrequently this data gets the protection it needs.
A 2016 sharedserviceslink survey shows that over one-third (34%) of respondents had an incident of fraud in the last 5 years that could have been prevented with better vendor master data control.
Regular checks and audits of your master data can go a long way to mitigate these risks.
However, many companies aren’t resourced to review and audit master data and supplier vendor data on a regular basis. Keeping on top of your supplier base for irregularities or credits that may be owed to you is a time-consuming task that often falls onto the shoulders of an over-worked accounts payable team who have other, more pressing priorities.
In the wrong hands, master data can be exploited:
• Exposing which suppliers you use, and the exact amount you spend with them, could reveal commercially sensitive or secret information.
• Fraudsters (internal or external) could mimic existing suppliers, invoicing you with realistic-looking, fake invoices.
• Suppliers’ bank details could be changed to re-direct payments to a fraudster.
• Employee expenses can contain sensitive and private information.
[Chart: “Have you had an incident of fraud that could have been prevented by better vendor master control?” Responses: Yes, within the last 5 years: 34%; Yes, within the last 10 years: 9%; No: 57%. Source: sharedserviceslink report: Get Proactive About your Vendor Data, 2016]
The General Data Protection Regulation (GDPR) comes into effect on May 25th 2018. While it is
a European Union (EU) regulation, if you process data about individuals in the context of selling
goods or services to citizens in EU countries, then you will need to comply.
Key compliance elements include:
• Responding to data subjects’ requests about how their data is being used and requests to
remove data
• Notifying those affected by data breaches within 72 hours
• Clarified data consent policies
Non-compliance fines can be up to 4% of annual global turnover or 20 Million Euros, whichever
is greater. To remain compliant, organizations must demonstrate compliance, and that can be
done through enhancing data protection policies, staff training, internal audits and creating and
improving security features on an ongoing basis.
Third parties who specialize in auditing suppliers can help you manage these risks, and help
you drive credit recovery, but a critical success factor is understanding the level to which
these third parties will protect that data.
The future of data is in the cloud
In finance, as in businesses in general, the future is in the cloud. Any organization of a
certain scale will have some of their business-critical data in online tools and in the cloud.
Most finance automation tools today are much less likely to be installed on-premise. Rather,
they will be online and cloud-based. Cloud-based applications not only save on the capital
expenditure of installation, they are generally much easier to upgrade and deploy across
your global business. Lastly, they provide best in class security features.
Engage IT early in your search for providers
Even very traditional companies are entrusting their data to cloud-based providers. As with
any technology deployment, it’s important to engage your IT team early in the process, so
that you understand what they need to see from suppliers.
“I was under the impression that we managed the vendor statements internally and did
not miss any opportunities for recoveries. Once I started to review, I identified that 45%
of the vendors did not provide their statements.”
Ed Martinez, Former VP of Shared Services and Owner and Senior Advisor of EPM Services.
Getting IT and Finance on board with cloud technology
“Our IT team are inherently conservative, and understandably so, because we work with a
lot of client data, and we come from a banking background. So the concept [of moving finance
automation onto the cloud] was radical to some, but contemporary to others.
What helped us was IT had gone through a previous cloud implementation of a completely
different product outside of the finance arena, so that helped set the scene and set the comfort
level. We also worked well with our provider about the IT diligence. We were able to satisfy their
concerns and meet the thresholds our IT team were looking for.
I’d be stunned if any organization didn’t have some form of data going in and out of the business
somewhere in the processes they operate, so there has to be data standards to it.”
- Robert Bloor, Group Financial Controller, Equiniti
Nearly every company has, or will have, some data online, sitting in cloud-based tools. When
it comes to implementation, it’s important to ensure the tools, access rules, controls, and
procedures satisfy both IT and Finance’s requirements early in the process, before the tender
has begun.
The cloud may be more secure than on-premise.
Many cloud-based service providers host data in secure, geographically separated,
nondescript data centers. They use technology like biometrics and 24-hour video
surveillance to prevent unauthorized access. On top of that, many leverage military-grade
encryption of the data they host.
These levels of security are impractical for most organizations on-premise. Many companies
appreciate that they need to guarantee a level of physically secure encryption that is
untenable for them to attain without partnering with a third party. A move to the cloud can
be motivated by the need to increase data security levels, but optimum data security is not
guaranteed or indeed offered by all third parties.
Your master data is important, but it’s also vulnerable. When you are using third
parties – particularly cloud-based third parties – what can you do to ensure it is secure?
Master data security: 5 fundamentals
There are some key requirements you should seek when it comes to protecting your master data.
1. Regularly audit your data and supplier information.
No matter how rigorous your processes are, it’s always good to have a third party come and look
over your shoulder every now and again.
While good processes can mitigate many risks, and keep the quality of your master data
high, auditing all of your supplier spend and looking for irregularities (such as duplicate
payments) can be extremely time-consuming. This is where third parties can add real value.
Audit recovery or vendor credit recovery firms can:
• Check data against databases to verify existing records
• Identify and red-flag any problematic suppliers
• Alert you to credits owed to you (such as duplicate payments, credit notes or rebates)
which can be a huge boost to your bottom line.
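The audit checks listed above, and the earlier warning that suppliers’ bank details can be changed to re-direct payments, can be run as routine controls over your own vendor master and payment ledger. The script below is an added example, not code from the original whitepaper or from any audit recovery firm; the vendor, invoice and bank-change records are constructed sample data, and the 30-day review window is an assumed threshold.

```python
from collections import defaultdict
from datetime import date

# Constructed sample vendor master records (not real data).
VENDORS = [
    {"id": "V100", "name": "Acme Supplies Ltd", "iban": "GB00AAAA00000001"},
    {"id": "V101", "name": "ACME SUPPLIES LTD.", "iban": "GB00AAAA00000001"},  # duplicate record
    {"id": "V200", "name": "Northwind Traders", "iban": "GB00BBBB00000002"},
]

# Constructed bank-detail change log: which vendor's account was changed, by whom, and when.
BANK_CHANGES = [
    {"vendor": "V200", "old": "GB00BBBB00000002", "new": "GB00CCCC00000009",
     "changed_on": date(2018, 3, 1), "by": "ap_clerk"},
]

# Constructed payment ledger.
PAYMENTS = [
    {"vendor": "V100", "invoice": "INV-0042", "amount": 1250.00, "paid_on": date(2018, 2, 10)},
    {"vendor": "V100", "invoice": "inv 0042", "amount": 1250.00, "paid_on": date(2018, 2, 24)},  # dup
    {"vendor": "V200", "invoice": "INV-0077", "amount": 9800.00, "paid_on": date(2018, 3, 4)},
]

def norm(s):
    """Normalise names and invoice numbers so cosmetic differences cannot hide duplicates."""
    return "".join(ch for ch in s.lower() if ch.isalnum())

def duplicate_vendors(vendors):
    """Groups of vendor IDs that share a normalised name or the same bank account."""
    by_key = defaultdict(set)
    for v in vendors:
        by_key[("name", norm(v["name"]))].add(v["id"])
        by_key[("iban", v["iban"])].add(v["id"])
    return sorted({tuple(sorted(ids)) for ids in by_key.values() if len(ids) > 1})

def duplicate_payments(payments):
    """Groups of payments to the same vendor for the same normalised invoice and amount."""
    groups = defaultdict(list)
    for p in payments:
        groups[(p["vendor"], norm(p["invoice"]), round(p["amount"], 2))].append(p)
    return [g for g in groups.values() if len(g) > 1]

def payments_after_bank_change(payments, changes, window_days=30):
    """Payments made within window_days after a vendor's bank details changed (assumed window)."""
    flagged = []
    for c in changes:
        for p in payments:
            if p["vendor"] == c["vendor"]:
                delta = (p["paid_on"] - c["changed_on"]).days
                if 0 <= delta <= window_days:
                    flagged.append((p["vendor"], p["invoice"], delta, c["by"]))
    return flagged
```

Each flagged item is a review prompt for accounts payable, not a verdict: a genuine bank change followed by a payment is normal, but it is exactly the case that should be confirmed with the supplier through a known contact rather than the inbound request.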
2. Have a strong user awareness program
User awareness is a first line of defense, and a culture of security is important, both internally and
with any third party you use.
For you, or any provider who works with your master data, it’s essential to have a strong user
awareness program in place for data security. Your IT team or subject matter experts may
know where fraud is likely to occur, but not everyone who interacts with your data will know
whether their actions are assisting or jeopardising your data controls.
Users who interact with data should be aware of how fraud is likely to occur. Some will need
education about the latest cyber threats, while others may need reminding not to trust an
inbound call to change bank account details.
Without a strong user awareness, data could be unknowingly compromised. It’s also
important to have a culture of openness. If someone is worried they did something wrong,
or saw something suspicious, be sure to provide avenues for them to speak up, so you can
catch issues early on. Ask any third party you use what user awareness programs they have,
and if they can help you.
3. Ensure you and your providers have a security policy that keeps up with the changing landscape
Your providers’ security policy should exceed your expectations.
Data security doesn’t happen through chance. It’s a result of stringent policies and rigorous
checks. Be sure to ask your service provider about their security policies and bring in your IT
team early on in the process to make sure their policies meet or exceed your own IT due diligence testing.
Some key elements to understand:
• Who will be handling your information? Who from their organization has access to
your data, and what checks have they undergone (for example, do they sign Non-Disclosure Agreements)?
• What security checks do they have in place? Do they use penetration testing (testing
to find vulnerabilities and weaknesses in your security)?
• What is their data loss prevention plan?
4. Ask which data storage providers they use
If you are using a Software-as-a-Service provider, they are only as secure as their partners.
Most automation or SaaS providers will partner with large data warehouses. Many use companies like Amazon, Salesforce, Microsoft or Box to manage data securely. If you are evaluating providers, also evaluate who they partner with and what controls they have in place.
• How will the data be encrypted?
• What access controls are in place?
• What back-up of data is done?
5. Data compliance checks
Compliance documents are essential to ensure data is being processed safely and securely, and that regulators’ requirements are met.
Data compliance is a fast-moving landscape, and you will want to check that your supplier is up to the current standards. There is a huge amount of documentation needed to be compliant – some of the key certifications include SSAE-16 and US-EU Safe Harbor. Also, be sure to ask what they are doing to prepare for the General Data Protection Regulation (GDPR) and how they can help you prepare.
Companies you can trust with your data will be proud of their compliance standards, and should share these with you openly.
Will third parties keep your data safe?
Key questions to ask:
• What kind of penetration testing do you do?
• Will you help us with our user awareness program?
• Which storage providers do you use? And what level of security and encryption will there be?
• What compliance checks do you use (e.g. SSAE-16, US-EU Safe Harbor)?
• What is your Data Loss Prevention Plan?
• How are you preparing for the GDPR?
• Who in your organization can access our data, and what checks have they undergone?