This March marked the most sweeping changes to Australia’s privacy laws in recent memory. If an organisation turning over more than $3 million is found to be in breach of the Australian Privacy Principles (APPs), it can face fines of up to $1.7 million. The risks are high – and so are the opportunities.
Resellers and MSPs are being told to capitalise on the changes, from consultancy around helping clients comply with the APPs to deploying security technology to protect client data. CRN invited a selection of security experts to a roundtable lunch to discuss this timely topic.
It was a dynamic and high-level conversation that identified the opportunities – but also the risks that managed service providers may face in handling user data.
ATTENDEES
- Chris Munro, Kiandra IT
- Andres Schmid, McAfee (Sponsor)
- John Reeman, Symantec (Sponsor)
- Lyncoln de Mello, Brennan IT
- Romain Rallu, Bridge Point
- Declan Ingram, Datacom TSS
- Martin Choluj, Loop Technology
- Daad Soufi, Association for Data-driven Marketing and Advertising (ADMA)
- Chris Gatford, Hacklabs
- Nick Verykios, Distribution Central (Sponsor)
- Ronnie Altit, Insentra
- Steven Kiernan, CRN
CRN: How ready are organisations for the new Privacy Act?
Declan Ingram, Datacom TSS
It differs quite a lot. The most immediate problem for businesses is to know where this stuff is. That can be very challenging, especially if you’ve got a business that’s been operating for a long period of time with lots of basic systems. The business might have all sorts of information that’s been gathered from competitions or campaigns or bits and pieces from old customers. If you’re using legacy systems with information repositories that were archived or hived off, how do you get access to that?
Chris Gatford, HackLabs
Most of the organisations that have issues are quite small and the Privacy Act is probably one of the last things they considered when they were collecting client information. Declan’s quite right, a lot of this information sits in legacy systems, and it’s quite hard for organisations to understand where the data is, so it’s going to be poorly managed.
Martin Choluj, Loop Technology
I actually disagree with Chris. I think that a lot of the larger organisations actually have significant issues with compliance to the Privacy Act because of the sheer amount of information they have. Obviously, smaller companies have issues funding Privacy Act readiness or putting controls in place to better prepare, but we’ve consulted with very large Australian businesses that have significant issues because of the complexity and the size of the organisations.
We’ve actually seen a lot of issues around third parties and service providers and the sort of due diligence process companies have gone through – or not – to assess those service providers.
CRN: If an organisation wants to check its compliance with the new Act, where can they start?
Daad Soufi, ADMA
We try not to use the words ‘due diligence’ because that seems quite scary and expensive, but essentially every organisation needs to do just that in order to start to address their obligations under the Australian Privacy Principles (APPs).
Just thinking about your data handling practices is novel at the moment. And I think it’s only novel because of the strength that’s been given to the Privacy Commissioner in its new regulatory powers.
They’re basically stepping up to be a regulator with the same strength and supervision as some of the other regulators like ASIC and the ACCC. They won’t be as big, but certainly the powers are creeping up.
Nick Verykios, Distribution Central
We’ve been speaking to a lot of our resellers in preparation for all this. What drives us nuts is that you do not solve security problems by solving a compliance problem. That’s the big error. At a commercial level, the excitement – if you want to call it that – has come through the magnitude of the fine. However, that’s a beautiful yellow brick road into your customer to be able to say, ‘Well I’m here to actually solve that big fat security problem’.
CRN: How can managed service providers (MSPs) package up data audits as a revenue stream?
Lyncoln De Mello, Brennan IT
Because we are a service provider and we do operate at the nuts and bolts and behind the customer systems, most of the time the data sits in our systems so there is a perception, maybe, of a conflict of interest. So we partner with a third party, Loop Technology, for the consulting piece.
A proportion of Loop’s recommendations are actually related to technology solutions, but the rest of it is all around process and governance and where the gaps are, so it’s not a case of, “We’ll do this then sell more data-loss prevention (DLP) solutions, or sell more anti-virus and patching services”.
It’s not just about that, but some of it has to be about that, and that’s where our interest also lies.
Chris Munro, Kiandra IT
The technology discussion – which is where we typically play – is only part of the issue. Technology can’t prevent a hack or a breach, but you can certainly make it a lot more difficult by setting up all the controls and policies and procedures in place.
One of the things we’ve also encountered is that there is a bit of fear mongering going around as well. So we’re kind of conscious of not coming across as all Y2K, “privacy is all going to fall apart”.
CRN: John, you were in the UK when their Privacy Laws came into play. What kind of opportunities did you see for resellers?
John Reeman, Symantec
The UK has much stronger privacy principles than here, as does the EU. I was working for a reseller in the UK when those legislation controls were brought in. What I saw was that there was an opportunity for channel resellers.
Maybe not to make a killing, but certainly start to promote better services around reducing risk in organisations.
CRN: Can someone outline examples of the ways in which data can be breached?
Andres Schmid, McAfee
Insiders do it by accident – they might send an email message outside that contains an attached Excel spreadsheet with customer names and customer information. They didn’t want to do that, they just picked the wrong email address from their Outlook mailbox or something like that. That’s the normal case.
It also has to do with people just not being aware that this is an issue. Some people send confidential data to their private email accounts, their Google accounts or whatever, to work on those reports over the weekend, and in that way the data is exposed.
Then you have malicious people in an organisation. Oftentimes we see that when there are layoffs happening, a lot of people try to take some data with them that they might want to use in their new job.
Then last but not least, there is the issue around data breaches where you see attackers from outside the organisation making a targeted attack and going in and extracting the information.
Ronnie Altit, Insentra
With the onset of data now being stored in the cloud, what becomes the responsibility of the managed services provider and what becomes the responsibility of the client?
If it’s an outsourced service – we’re housing your mail, your files, all the rest of it – and if the outsourcer gets breached, I think all hell’s going to break loose.
We’re spending all our time on the channel side, talking about how we can fix this for the customers. But with respect to those around the table, “Plumber’s pipes are always leaking”.
I’m not an MSP, but I’m curious to know whether MSPs are taking the same level of due diligence for their own environments that they’re suggesting to end user organisations.
CRN: Good question. Daad, what’s the legal position around outsourced providers?
Daad Soufi
If you’re housing data on the cloud or actually sending it offshore to be disclosed and used by organisations offshore, whether or not you’re responsible is a matter of effective control and how much control you actually have over that data.
Generally speaking, if it’s only being managed and housed in the cloud and if you’ve still got effective control and it’s only there for day-to-day management for storage purposes, then as long as your contracts are sufficiently tight, you should be OK. As soon as you start falling outside of that and there is a door open for other organisations in other jurisdictions to access that data, then your accountability kicks in: should something go wrong, then you are responsible, even though you may have a contract in place.
Ronnie Altit
So if I’ve got my data stored in someone else’s data centre, and they’re looking after it for me, and I’ve done the due diligence, then they’ve proven to me that they’ve got the necessary security, then something changes in their environment, as it does every week, and there’s a hole created in their security – who’s responsible?
Daad Soufi
You’re probably still going to be responsible as the data collector.
Ronnie Altit
Which person, the owner of the data or the cloud provider?
Daad Soufi
No, you as the owner.
Ronnie Altit
That’s then a significant business risk to MSPs if end user organisations stop and pick that up, that “I’m [the customer] going to put something out there, but no matter what they [the MSP] do, I’m still responsible.”
Martin Choluj
If I could just go back to one point I made earlier on this whole privacy mess. It’s an issue for service providers, and it’s also an opportunity for them to actually develop new services they can offer to their clients to provide better service from a security perspective. I don’t see that as an issue. I see that as an opportunity for developing a service that offers things they might not necessarily be offering today.
If I was a service provider, I would try to build a service that I can take to the market and say that I can actually somehow prove my compliance and prove my readiness for offering a secure service to my clients, otherwise you’ll be playing a catch-up game.