
How MSSPs must protect data in the breach disclosure era

06 Aug 18

Article by StorageCraft APAC sales head Marina Brook

Australia’s new mandatory data breach disclosure laws which came into force in February have a particular impact on IT service providers that offer data hosting services to their customers.

The legislation requires businesses and government agencies to report on data breach incidents.

This helps to protect individuals and businesses from the unintended consequences of having their private data exposed.

The sooner a victim is notified of a data breach, the sooner action can be taken to lessen the harm.

Since IT and Managed Service Providers (MSPs) host sensitive information on behalf of clients, who might be individuals or other businesses, the new requirements affect their core operations.

The new legislation establishes requirements for entities in responding to data breaches.

The Office of the Australian Information Commissioner (OAIC) has clear requirements for reporting a notifiable breach.

It is imperative that managed security service providers (MSSPs) develop strategies to prevent data breaches from occurring, together with a contingency plan for any notifiable breach that is likely to result in serious harm to a person or organisation.

What does this mean for MSSPs?

Essentially any organisation storing customers’ personal information will need to show that certain measures have been established to protect and secure information.

Since MSPs build their businesses on storing third-party information, the Notifiable Data Breaches (NDB) scheme is a major issue for them.

Failure to implement a data breach response plan, and to show that appropriate steps have been taken in the event of a breach, could result in heavy fines and a potential investigation by the Australian Information Commissioner.

StorageCraft A/NZ technical services director Jack Alsop says breach disclosure laws add a level of accountability for organisations already bound by compliance regulations.

“Data retention requirements, operational business continuity and now breach disclosure requirements dictate an end-to-end data protection strategy and architecture for MSPs,” Alsop says.

“Unfortunately, data security and data protection strategies still tend to be separate.”

Compounding the data security equation, the European Union’s General Data Protection Regulation (GDPR) took effect on May 25 and also applies to businesses in Australia and New Zealand.

The GDPR introduces substantial changes to data protection law.

Any company (regardless of geographic location) that is processing the personal data of individuals in the European Union will need to comply with the regulation.

The penalties for non-compliance can be upward of four percent of a company’s global turnover.

In spite of guidelines from the OAIC, there have been reports in Australia’s business media of confusion and lack of understanding among vendors and stakeholders involved.

NDB Obligations

In most cases, Australian IT service providers and MSPs are entities covered by the NDB scheme, so they need to be prepared for the new requirements.

For the average service provider, the new laws will require new processes for dealing with the change.

They must ensure that appropriate change management is in place to inform staff and respond in the event of a breach.

Alsop says the changes offer significant opportunities for MSPs to improve their internal data protection services, to better secure the data and prevent breaches.

“Breaches of sensitive information often involve access to data stored somewhere, like a backup,” he says.

“If this data is secure, the chance of a breach is dramatically reduced.”

Tips for MSSPs

  • Understand. Know your exposure to data breaches and mandatory disclosure. Not all companies are required to disclose a breach, although most mid-sized IT service providers and MSPs will fall into the category.
  • Prevent. Develop a comprehensive security and data protection strategy to prevent a breach before you need to disclose it.
  • Encrypt. Encrypt data wherever possible. Breached encrypted data can still be decrypted if the keys are also compromised, but attackers are likely to focus on an easier target.
  • Plan. Develop a response plan that is compliant with the NDB scheme. Any company can be breached, so make sure you have a plan in place to deal with it if it does happen. Pretending it will not happen is not an option.
  • Business continuity. A data breach (or malware attack) can be very damaging to your business and, therefore, to your customers’ businesses. You need an end-to-end DR and business continuity strategy to ensure the business can continue operating while a breach is notified.