How MSSPs must protect data in the breach disclosure era

06 Aug 2018

Article by StorageCraft APAC sales head Marina Brook

Australia’s new mandatory data breach disclosure laws, which came into force in February, have a particular impact on IT service providers that offer data hosting services to their customers.

The legislation requires businesses and government agencies to report on data breach incidents.

This helps to protect individuals and businesses from the unintended consequences of having their private data exposed.

The sooner a victim is notified of a data breach, the sooner action can be taken to lessen the harm.

Since IT and Managed Service Providers (MSPs) host sensitive information on behalf of clients, who might be individuals or other businesses, the new requirements affect their core operations.

The new legislation establishes requirements for entities in responding to data breaches.

The Office of the Australian Information Commissioner (OAIC) has clear requirements for reporting a notifiable breach.

It is imperative that managed security service providers (MSSPs) develop strategies to prevent data breaches from occurring, and a contingency plan for a notifiable breach likely to result in serious harm to a person or organisation.

What does this mean for MSSPs?

Essentially any organisation storing customers’ personal information will need to show that certain measures have been established to protect and secure information.

Since MSPs build their businesses on storing third-party information, the Notifiable Data Breaches (NDB) scheme is a major issue for them.

Failure to implement a data breach response plan, and to show that appropriate steps have been taken in the event of a breach, could result in heavy fines and a potential inquiry by the Australian Information Commissioner.

StorageCraft A/NZ technical services director Jack Alsop says breach disclosure laws add a level of accountability for organisations already bound by compliance regulations.

“Data retention requirements, operational business continuity and now breach disclosure requirements dictate an end-to-end data protection strategy and architecture for MSPs,” Alsop says.

“Unfortunately, data security and data protection strategies still tend to be separate.”

Compounding the data security equation, the European Union’s General Data Protection Regulation (GDPR) came into force in Australia and New Zealand on May 25.

The GDPR introduces substantial changes to data protection law.

Any company (regardless of geographic location) that is processing the personal data of individuals in the European Union will need to comply with the regulation.

The penalties for non-compliance can be upward of four percent of a company’s global turnover.

In spite of guidelines from the OAIC, there have been reports in Australia’s business media of confusion and lack of understanding among vendors and stakeholders involved.

NDB Obligations

In most cases, Australian IT service providers and MSPs are entities covered by the NDB scheme, so they need to be prepared for the new requirements.

For the average service provider, the new laws will mandate new processes for dealing with the change.

They must ensure that appropriate change management is in place to inform staff and respond in the event of a breach.

Alsop says the changes offer significant opportunities for MSPs to improve their internal data protection services, to better secure the data and prevent breaches.

“Breaches of sensitive information often involve access to data stored somewhere, like a backup,” he says.

“If this data is secure, the chance of a breach is dramatically reduced.”

Tips for MSSPs

  • Understand. Know your exposure to data breaches and mandatory disclosure. Not all companies are required to disclose a breach, although most mid-sized IT service providers and MSPs will fall into the category.
  • Prevent. Develop a comprehensive security and data protection strategy to prevent a breach before you need to disclose it.
  • Encrypt. Encrypt data wherever possible. Exfiltrated encrypted data can in principle still be decrypted, but attackers are likely to focus on an easier target.
  • Plan. Develop a response plan that is compliant with the NDB scheme. Any company can be breached, so make sure you have a plan in place to deal with it if it does happen. Pretending it will not happen is not an option.
  • Business continuity. A data breach (or malware attack) can be very damaging to your business and, therefore, your customers’ businesses. You need an end-to-end disaster recovery (DR) and business continuity strategy to ensure the business can continue operating while a breach is being notified.