
How MSSPs must protect data in the breach disclosure era

06 Aug 2018

Article by StorageCraft APAC sales head Marina Brook

Australia’s new mandatory data breach disclosure laws, the Notifiable Data Breaches (NDB) scheme that came into force on 22 February 2018, have a particular impact on IT service providers that host data on behalf of their customers.

The legislation requires businesses and government agencies to report on data breach incidents.

This helps to protect individuals and businesses from the unintended consequences of having their private data exposed.

The sooner a victim is notified of a data breach, the sooner action can be taken to lessen the harm.

Since IT and Managed Service Providers (MSPs) host sensitive information on behalf of clients, who might be individuals or other businesses, the new requirements affect their core operations.

The new legislation sets out what entities must do when they suffer a data breach, and the Office of the Australian Information Commissioner (OAIC) publishes clear requirements for reporting a notifiable breach.

It is imperative that managed service providers (MSPs) develop strategies to prevent data breaches from occurring, and a contingency plan for a notifiable breach: one that is likely to result in serious harm to any of the individuals whose information is involved.

What does this mean for MSSPs?

Essentially any organisation storing customers’ personal information will need to show that certain measures have been established to protect and secure information.

Since MSPs build their businesses on storing third-party information, the NDB scheme is a major issue for them.

Failure to implement a data breach response plan, and to show that appropriate steps were taken in the event of a breach, could result in heavy fines and an investigation by the Australian Information Commissioner.

StorageCraft A/NZ technical services director Jack Alsop says breach disclosure laws add a level of accountability for organisations already bound by compliance regulations.

“Data retention requirements, operational business continuity and now breach disclosure requirements dictate an end-to-end data protection strategy and architecture for MSPs,” Alsop says.

“Unfortunately, data security and data protection strategies still tend to be separate.”

Compounding the data security equation, the European Union’s General Data Protection Regulation (GDPR) took effect on May 25, and its reach extends to organisations in Australia and New Zealand.

The GDPR introduces substantial changes to data protection law.

Any company (regardless of geographic location) that is processing the personal data of individuals in the European Union will need to comply with the regulation.

The penalties for non-compliance can reach four percent of a company’s global annual turnover.

In spite of guidelines from the OAIC, there have been reports in Australia’s business media of confusion and lack of understanding among vendors and stakeholders involved.

NDB Obligations

In most cases, Australian IT service providers and MSPs are entities covered by the NDB scheme, so they need to be prepared for the new requirements.

For the average service provider, the new laws mean new processes: staff must know what counts as a notifiable breach and whom to escalate it to, and there must be a documented, rehearsed procedure for assessing a suspected breach and notifying the OAIC and the affected individuals.

Alsop says the changes offer significant opportunities for MSPs to improve their internal data protection services, to better secure the data and prevent breaches.

“Breaches of sensitive information often involve access to data stored somewhere, like a backup,” he says.

“If this data is secure, the chance of a breach is dramatically reduced.”

Tips for MSSPs

  • Understand. Know your exposure to data breaches and mandatory disclosure. Not all companies are required to disclose a breach: the scheme applies to entities already covered by the Privacy Act, which includes most businesses with annual turnover above A$3 million, so most mid-sized IT providers and MSPs will fall into that category.
  • Prevent. Develop a comprehensive security and data protection strategy to prevent a breach before you need to disclose it.
  • Encrypt. Encrypt data wherever possible, including backups, and keep the keys separate from the data they protect: a stolen backup encrypted with a key the attacker does not hold is of little use to them, and attackers are likely to move on to an easier target. Whether the information was protected by measures such as encryption, and how likely those measures are to be overcome, is also among the matters weighed when assessing whether a breach is likely to result in serious harm.
  • Plan. Develop a response plan that is compliant with the NDB scheme. Any company can be breached so make sure you have a plan in place to deal with it if it does happen. And pretending it will not happen is not an option.
  • Business continuity. A data breach (or malware attack) can be very damaging to your business and, therefore, your customers’ businesses. You need an end-to-end DR and business continuity strategy to ensure the business can continue on while a breach is notified. 
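The encryption tip above is only as good as the key handling around it. What follows is an added example, not code from StorageCraft or from the original article, showing what "encrypt the backup and keep the key separate" looks like with Go's standard library: AES-256-GCM with the key generated out of band (in practice from a KMS or HSM, never stored next to the backups), and a tenant/backup label bound to the blob as associated data so a blob cannot be quietly swapped into another customer's restore. The sample payload, the label strings and the function names are constructed for illustration.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// samplePayload is a constructed stand-in for a backup set that contains
// personal information; it is not real customer data.
const samplePayload = "customer_id=10442;name=J. Citizen;email=j.citizen@example.com;dob=1980-01-01"

// NewBackupKey returns a fresh random 256-bit key. In a real deployment the key
// lives in a KMS or HSM, never in the same repository as the backups it protects.
func NewBackupKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// newGCM builds an AES-256-GCM AEAD and rejects keys of the wrong size.
func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes (AES-256)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealBackup encrypts plaintext with AES-256-GCM. The label (for example a
// tenant ID and backup name) is authenticated but not encrypted, so a blob
// restored under a different label fails the tag check.
// Output layout: nonce || ciphertext || tag.
func SealBackup(key, plaintext, label []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, label), nil
}

// OpenBackup reverses SealBackup. Any error means the blob is unreadable:
// wrong key, wrong label, truncation or a flipped byte all fail the GCM tag.
func OpenBackup(key, blob, label []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(blob) < ns+gcm.Overhead() {
		return nil, errors.New("blob too short to contain nonce and tag")
	}
	return gcm.Open(nil, blob[:ns], blob[ns:], label)
}

// LeaksPlaintext is the sanity check to run on a stored blob: does a marker
// from the plaintext appear verbatim in what is sitting on disk?
func LeaksPlaintext(blob []byte, marker string) bool {
	return bytes.Contains(blob, []byte(marker))
}

func main() {
	key, err := NewBackupKey()
	if err != nil {
		panic(err)
	}
	label := []byte("tenant=acme;backup=2018-08-06") // constructed label
	blob, err := SealBackup(key, []byte(samplePayload), label)
	if err != nil {
		panic(err)
	}
	fmt.Printf("sealed %d bytes; plaintext marker visible: %v\n", len(blob), LeaksPlaintext(blob, "email="))

	// Restore with the right key and label succeeds.
	pt, err := OpenBackup(key, blob, label)
	fmt.Printf("restore ok: %v, err: %v\n", bytes.Equal(pt, []byte(samplePayload)), err)

	// A leaked blob without the key, or moved to another tenant, is useless.
	otherKey, _ := NewBackupKey()
	_, err = OpenBackup(otherKey, blob, label)
	fmt.Println("wrong key:", err)
	_, err = OpenBackup(key, blob, []byte("tenant=other;backup=2018-08-06"))
	fmt.Println("wrong label:", err)

	// A single flipped byte is detected rather than decrypting to garbage.
	tampered := append([]byte(nil), blob...)
	tampered[len(tampered)-1] ^= 0x01
	_, err = OpenBackup(key, tampered, label)
	fmt.Println("tampered:", err)
}
```

The point of the label is operational rather than cryptographic: in a multi-tenant backup store, an attacker or a misconfigured restore job that presents tenant A's blob under tenant B's name gets an authentication failure, not someone else's data. The key separation is what makes the Encrypt tip meaningful under the NDB scheme; a backup encrypted with a key stored in the same bucket is, for the purposes of assessing serious harm, barely better than plaintext.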