sb-nz logo
Story image

How MSSPs must protect data in the breach disclosure era

06 Aug 2018

Article by StorageCraft APAC sales head Marina Brook

Australia’s new mandatory data breach disclosure laws which came into force in February have a particular impact on IT service providers that offer data hosting services to their customers.

The legislation requires businesses and government agencies to report on data breach incidents.

This helps to protect individuals and businesses from the unintended consequences of having their private data exposed.

The sooner a victim is notified of a data breach, the sooner action can be taken to lessen the harm.

Since IT and Managed Service Providers (MSPs) host sensitive information on behalf of clients, who might be individuals or other businesses, the new requirements affect their core operations.

The new legislation establishes requirements for entities in responding to data breaches.

The Office of the Australian Information Commissioner (OAIC) has clear requirements for reporting a notifiable breach.  

It is imperative that managed security service providers (MSPs) develop strategies to prevent data breaches from occurring, and a contingency plan for a notifiable breach likely to result in serious harm to a person or organisation.

What does this mean for MSSPs?

Essentially any organisation storing customers’ personal information will need to show that certain measures have been established to protect and secure information.

Since MSPs build their businesses on storing third-party information, the NDB scheme is a major issue for them.

Failure to implement a data breach response plan and to show that appropriate steps have been taken in the event of a breach could result in heavy fines and a potential inquest by the Australian Information Commission.

StorageCraft A/NZ technical services director Jack Alsop says breach disclosure laws add a level of accountability for organisations already bound by compliance regulations.

“Data retention requirements, operational business continuity and now breach disclosure requirements dictate an end-to-end data protection strategy and architecture for MSPs,” Alsop says.

“Unfortunately, data security and data protection strategies still tend to be separate.”

Compounding the data security equation, the European Union’s General Data Protection (GDPR) regulations came into force in Australia and New Zealand on May 25.

The GDPR introduces substantial changes to data protection law.

Any company (regardless of geographic location) that is processing the personal data of individuals in the European Union will need to comply with the regulation.

The penalties for non-compliance can be upward of four percent of a company’s global turnover.

In spite of guidelines from the OAIC, there have been reports in Australia’s business media of confusion and lack of understanding among vendors and stakeholders involved.

NDB Obligations

In most cases, Australian IT service providers and MSPs are entities covered by the NDB scheme, so they need to be prepared for the new requirements.

For the average service provider, the new laws will mandate new processes for dealing with the change.

They must ensure that appropriate change management is in place to inform staff and respond in the event of a breach.

Alsop says the changes offer significant opportunities for MSPs to improve their internal data protection services, to better secure the data and prevent breaches.

“Breaches of sensitive information often involve access to data stored somewhere, like a backup,” he says.

“If this data is secure, the chance of a breach is dramatically reduced.”

Tips for MSSPs

  • Understand. Know your exposure to data breaches and mandatory disclosure. Not all companies are required to disclose a breach, although most mid-sized IT and MSPs will fall into the category.
  • Prevent. Develop a comprehensive security and data protection strategy to prevent a breach before you need to disclose it.
  • Encrypt. Encrypt data wherever possible. Breached encrypted data can still be decrypted somehow, but attackers are likely to focus on an easier target.
  • Plan. Develop a response plan that is compliant with the NDB scheme. Any company can be breached so make sure you have a plan in place to deal with it if it does happen. And pretending it will not happen is not an option.
  • Business continuity. A data breach (or malware attack) can be very damaging to your business and, therefore, your customers’ businesses. You need an end-to-end DR and business continuity strategy to ensure the business can continue on while a breach is notified. 
Story image
BlackBerry, Microsoft enter partnership for Teams integration
"Integrating BlackBerry AtHoc will ensure that any organisation managing critical events using Teams is able to contact, alert, and account for everyone within the organisation directly."More
Story image
Majority of industrial enterprises face increase cyber threats since COVID-19
Leadership's top cyber security priority was implementing new technology solutions since the onset of the pandemic.More
Story image
Lumen launches managed security services for APAC market
The new service is designed to provide enterprise businesses with a proactive, connected security strategy to enhance threat detection and protection across endpoints. More
Story image
Why IT and HR must work together to help businesses weather the storm
Employers are striving to balance team productivity, security and employee engagement. If remote work is the new norm, it’s impossible to ignore the challenging nature of the situation, writes Gigamon manager for A/NZ George Tsoukas.More
Story image
Research: Younger cybersecurity pros more fearful of being replaced by AI
According to the findings, 53% of respondents under 45 years old either agreed or strongly agreed that AI and ML are a threat to their job security, despite 89% of this demographic believing that it would improve their jobs.More
Story image
Report reveals relationship between boardroom and cybersecurity investments
“While boards are definitely listening and stepping up with increased budget for cybersecurity, they tend to view any investment as a cost rather than adding business value."More