How to turn the new Privacy Act into fresh revenue


This March marked the most sweeping changes of Australia’s privacy laws in recent memory. If an organisation turning over more than $3 million is found to be in breach of the Australian Privacy Principles (APPs), it can face fines up to $1.7 million. The risks are high – and so are the opportunities.

Resellers and MSPs are being told to capitalise on the changes, from consultancy around helping clients comply with the APPs to deploying security technology to protect client data. CRN invited a selection of security experts to a roundtable lunch to discuss this timely topic.

It was a dynamic and high-level conversation that identified the opportunities – but also the risks that managed service providers may face in handling user data. 

ATTENDEES

  • Chris Munro, Kiandra IT
  • Andres Schmid, McAfee (sponsor)
  • John Reeman, Symantec (sponsor)
  • Lyncoln de Mello, Brennan IT
  • Romain Rallu, Bridge Point
  • Declan Ingram, Datacom TSS
  • Martin Choluj, Loop Technology
  • Daad Soufi, Association for Data-driven Marketing and Advertising (ADMA)
  • Chris Gatford, Hacklabs
  • Nick Verykios, Distribution Central (sponsor)
  • Ronnie Altit, Insentra
  • Steven Kiernan, CRN

CRN: How ready are organisations for the new Privacy Act?

Declan Ingram, Datacom TSS 
It differs quite a lot. The most immediate problem for businesses is to know where this stuff is. That can be very challenging, especially if you’ve got a business that’s been operating for a long period of time with lots of basic systems. The business might have all sorts of information that’s been gathered from competitions or campaigns or bits and pieces from old customers. If you’re using legacy systems with information repositories that were archived or hived off, how do you get access to that?

Chris Gatford, HackLabs  Most of the organisations that have issues are quite small and the Privacy Act is probably one of the last things they considered when they were collecting client information. Declan’s quite right, a lot of this information sits in legacy systems, and it’s quite hard for organisations to understand where the data is, so it’s going to be poorly managed. 

Martin Choluj, Loop Technology

I actually disagree with Chris. I think that a lot of the larger organisations actually have significant issues with compliance to the Privacy Act because of the sheer amount of information they have. Obviously, smaller companies have issues funding Privacy Act readiness or putting controls in place to better prepare, but we’ve consulted with very large Australian businesses that have significant issues because of the complexity and the size of the organisations.

We’ve actually seen a lot of issues around third parties and service providers and the sort of due diligence process companies have gone through – or not – to assess those service providers. 

CRN: If an organisation wants to check its compliance with the new Act, where can they start?

Daad Soufi, ADMA  We try not to use the words ‘due diligence’ because that seems quite scary and expensive, but essentially every organisation needs to do just that in order to start to address their obligations under the Australian Privacy Principles (APPs).

Just thinking about your data handling practices is novel at the moment. And I think it’s only novel because of the strength that’s been given to the Privacy Commissioner in its new regulatory powers. 

They’re basically stepping up to be a regulator with the same strength and supervision as some of the other regulators like ASIC and the ACCC. They won’t be as big, but certainly the powers are creeping up.

Nick Verykios, Distribution Central

We’ve been speaking to a lot of our resellers in preparation for all this. What drives us nuts is that you do not solve security problems by solving a compliance problem. That’s the big error. At a commercial level, the excitement – if you want to call it that – has come through the magnitude of the fine. However, that’s a beautiful yellow brick road into your customer to be able to say, ‘Well I’m here to actually solve that big fat security problem’.

CRN: How can managed service providers (MSPs) package up data audits as a revenue stream?

Lyncoln De Mello, Brennan IT

Because we are a service provider and we do operate at the nuts and bolts and behind the customer systems, most of the time the data sits in our systems so there is a perception, maybe, of a conflict of interest. So we partner with a third party, Loop Technology, for the consulting piece.

A proportion of Loop’s recommendations are actually related to technology solutions, but the rest of it is all around process and governance and where the gaps are, so it’s not a case of, “We’ll do this then sell more data-loss prevention (DLP) solutions, or sell more anti-virus and patching services”. 

It’s not just about that, but some of it has to be about that, and that’s where our interest also lies.

Chris Munro, Kiandra IT  The technology discussion – which is where we typically play – is only part of the issue. Technology can’t prevent a hack or a breach, but you can certainly make it a lot more difficult by setting up all the controls and policies and procedures in place. 

One of the things we’ve also encountered is that there is a bit of fear mongering going around as well. So we’re kind of conscious of not coming across as all Y2K, “privacy is all going to fall apart”.

CRN: John, you were in the UK when their Privacy Laws came into play. What kind of opportunities did you see for resellers?

John Reeman, Symantec  The UK has much stronger privacy principles than here, as does the EU. I was working for a reseller in the UK when those legislation controls were brought in. What I saw was that there was an opportunity for channel resellers. 

Maybe not to make a killing, but certainly start to promote better services around reducing risk in organisations.

CRN: Can someone outline examples of the ways in which data can be breached?

Andres Schmid, McAfee  Insiders do it by accident – they might send an email message outside that contains an attached Excel spreadsheet with customer names and customer information. They didn’t want to do that, they just picked the wrong email address from their Outlook mailbox or something like that. That’s the normal case. 

It also has to do with people just not being aware that this is an issue. Some people send confidential data to their private email accounts, their Google accounts or whatever, to work on those reports over the weekend, and in that way the data is exposed. 

Then you have malicious people in an organisation. Oftentimes we see that when there are layoffs happening, a lot of people try to take some data with them that they might want to use in their new job. 

Then last but not least, there is the issue around data breaches where you see attackers from outside the organisation making a targeted attack and going in and extracting the information.

Ronnie Altit, Insentra  With the onset of data now being stored in the cloud, what becomes the responsibility of the managed services provider and what becomes the responsibility of the client? 

If it’s an outsourced service – we’re housing your mail, your files, all the rest of it – and if the outsourcer gets breached, I think all hell’s going to break loose.

We’re spending all our time on the channel side, talking about how we can fix this for the customers. But with respect to those around the table, “Plumber’s pipes are always leaking”. 

I’m not an MSP, but I’m curious to know whether MSPs are taking the same level of due diligence for their own environments that they’re suggesting to end user organisations.

CRN: Good question. Daad, what’s the legal position around outsourced providers?

Daad Soufi  If you’re housing data on the cloud or actually sending it offshore to be disclosed and used by organisations offshore, whether or not you’re responsible is a matter of effective control and how much control you actually have over that data.

Generally speaking, if it’s only being managed and housed in the cloud and if you’ve still got effective control and it’s only there for day-to-day management for storage purposes, then as long as your contracts are sufficiently tight, you should be OK. As soon as you start falling outside of that and there is a door open for other organisations in other jurisdictions to access that data, then your accountability kicks in in terms of should something go wrong then you are responsible, even though you may have a contract in place.

Ronnie Altit  So if I’ve got my data stored in someone else’s data centre, and they’re looking after it for me, and I’ve done the due diligence, then they’ve proven to me that they’ve got the necessary security, then something changes in their environment, as it does every week, and there’s a hole created in their security – who’s responsible?

Daad Soufi  You’re probably still going to be responsible as the data collector.

Ronnie Altit  Which person, the owner of the data or the cloud provider?

Daad Soufi  No, you as the owner.

Ronnie Altit  That’s then a significant business risk to MSPs if end user organisations stop and pick that up, that “I’m [the customer] going to put something out there, but no matter what they [the MSP] do, I’m still responsible.” 

Martin Choluj  If I could just go back to one point I made earlier on this whole privacy mess. It’s an issue for service providers, and it’s also an opportunity for them to actually develop new services they can offer to their clients to provide better service from a security perspective. I don’t see that as an issue. I see that as an opportunity for developing a service that offers things they might not necessarily be offering today.

If I was a service provider, I would try to build a service that I can take to the market and say that I can actually somehow prove my compliance and prove my readiness for offering a secure service to my clients, otherwise you’ll be playing a catch-up game.

Next: How vendors can help

CRN: How can vendors help with all of this?

John Reeman  As an example, we have been working with Fujitsu at a number of events to get the awareness out to their customer base of what the Act means and what they need to do to get ready. Then we’ve been enabling Fujitsu to be able to go out and deliver that first engagement, through a pre-sales process to make those organisations aware. Then there’s a strategy around how to mitigate the risk, not just to meet the data privacy requirements, but to reduce risk across the entire enterprise around data privacy. We do that by providing them with our collateral, our IP and knowledge that we’ve used over the last 10 years around doing a risk-based approach on a business level: the processes that are in place, as well as any underlying technology. 

Let’s face it, most of this isn’t about technology – it’s about educating the organisation as a whole from the top down.

Then there’s technology behind that. We spoke around things like data loss prevention. If you take DLP, most DLP is not technology. Ninety percent is about how you respond and handle incidents. 

That’s the kind of messaging that we’ve been driving. If you get the right frameworks in place for those policies to be then able to mediate and educate your workforce, then the technology is going to be effective, but not a be-all and end-all.

CRN: How about McAfee?

Andres Schmid  On the awareness, we do that with various collateral: brochures, people, graphics, you name it, just to bring that awareness. I think awareness is still a bit lacking in the SMB space, whereas the enterprise customers are very well aware. 

Some of our larger customers operate under the assumption that they have already been breached. That is not in question any more – when or will it happen. They operate under the assumption that it has happened, and they need to find out now what does it mean to them and how to mitigate those risks.

Ronnie Altit  I’m curious to know how many people are actually having success in getting customers to do something?

Romain Rallu, Bridge Point  As with any sales, it depends on the approach that you have. Our business obviously is to sell product, but we have a consultancy arm just like Loop has, and when you are in the consultancy space and you become their trusted adviser, this is when you can convert them from “I’m interested” to “Here’s the PO [purchase order]”.

Nick Verykios  I think the answer, Ronnie, is “very low” because most people are, in the real world, under-insured. But if you’ve got an asset to protect, you’re over-insured. So it’s a matter of, “Do they have an asset to protect?” If they have an asset to protect, then there is no sell required – it’s a matter of “technology solves that issue”. But most people don’t see their data as an asset to protect. 

CRN: If the customer was to say, “Sign me up, I’ll have the works” – which we’d all love – what would that technology be? 

Chris Munro  You’ve got the standards, like AV [anti-virus] and DLP and IPS [intrusion prevention systems] and all these other things, but a holistic approach is required. It’s probably difficult to pin down exactly, for an organisation, what are all the technologies you need. I’d probably be calling Nick up and saying, “Back the truck up, we’ve got a live one”. It’s always a multi-faceted approach.

Declan Ingram  If you create a matrix of all the technology that’s rolled off around IPS and AV and firewalls and all that sort of stuff, and then you looked at it in terms of where your information assets actually live in real life, they’re all up there in the data. An IPS that’s looking for specific network-level attacks is not really where you have to be focused. In terms of what specific controls are needed, it’s specific controls that can look at the data. An IPS is not going to know the difference between someone sending themselves a spreadsheet of all of your customers’ details, or accidentally or deliberately sending it to someone else.

CRN: Would you like to see the Privacy Commissioner come out and come out hard to really get people moving on this?

Romain Rallu  Yes, absolutely. 

Nick Verykios  A customer is not going to give a damn unless he realises that he has a problem and that problem can be solved through technology and the services associated to it. The best thing that ever happened to the security industry was the ethical hack because it showed people what is already happening to them that they didn’t realise, and suddenly things like money started getting spent.

The smartest thing the Commissioner could do would be to choose their ethical hackers and do a mandatory assessment of every business. Wouldn’t that be wonderful?

Chris Gatford  Nick for government!

Declan Ingram  I’ll go with that.

Chris Gatford  Something I’ve seen many times is that we sit on tons of vulnerabilities that affect hundreds of thousands, perhaps millions of Australian citizens, and I cannot get the vendor to fix the vulnerability. I have no leverage. I have the customer who knows about the vulnerability, I have the vendor who made the software and I’m sitting here telling them, “You need to fix this, thousands of Australians’ information is exposed”.

I’ve got one banking vendor who refuses to fix a vulnerability until the customer will pay for an upgrade where the fix is included. Trying to charge the customer for a critical security breach – it’s craziness. 

CRN: How do you expect the Privacy Commissioner to start engaging with organisations?

Daad Soufi  [Privacy Commissioner Timothy Pilgrim] has been very clear in his intentions about how he’s going to use his new powers. I honestly shared the same view as everyone else around the table.

[However] Senator Brandis has put forward a media release that he’s asking the Privacy Commissioner to take a light-touch approach, because they want to make sure that privacy compliance isn’t a burden for industry. So I think there’s probably a clear message in the Privacy Commissioner’s office, knowing that a lot of organisations aren’t ready. 

I don’t think that’s on the agenda of the Liberal government. The Liberal government has a “reduction in red tape” agenda.

CRN: What else do you expect to see once the Act comes into play?

Lyncoln de Mello  There are habits that need to be incorporated into day-to-day behaviour. Things like putting passwords on files that are zipped with customers’ data, that kind of thing. That will take a little while, but that’s what needs to propagate through. 

There’s a big piece of this that is missing. People keep talking about “Compliance with the Privacy Act”. What compliance? What certification? 

Martin Choluj  The problem we’re facing is business, for some reason, believes we can achieve a level of compliance, that they could be compliant with an Act or legislation, which as Lyncoln rightly said is not possible. Security is not a yes or no. It’s not black and white. There’s a lot of grey happening in security. 

I don’t necessarily believe that there’s going to be a standard which is a yes-no checklist. It’s going to be reasonable steps I’ve taken to secure this information internally and externally in my business. 

Copyright © nextmedia Pty Ltd. All rights reserved.