In a continuation of our Security Series, Superloop’s COO Andrew Lawrence takes a deeper look at security measures and actions for Australian businesses.
Globally, governments are tightening data privacy and data sovereignty requirements in ways that will have far-reaching consequences. Even if you aren't currently operating in a regulated environment, you may be affected because of what data you collect and how you secure it.
It will become more important to consider how each department collects, processes and stores information. For example, a service desk may not formally store or collect personal information. Service desk staff do, however, routinely collect incidental information while resolving cases: taking screenshots, attaching log files and adding notes to request tickets for post-investigation work.
This kind of incidental collection can capture information from whatever was on screen in the background, such as banking details, or desktop applications showing corporate information. Departments that do not typically fall under governance and data compliance obligations therefore need to establish whether they are, in practice, collecting sensitive and personal information.
Asking the right questions
In the current era of digital information and tightened data security requirements, it can be difficult to know where to start. You cannot define what you don't already know, so asking the right questions is imperative.
In the past, data sovereignty and data protection fell under the remit of IT, because procurement of cloud computing sat squarely under the CIO's governance. We think these questions now need to start from the top.
It’s vital that boards and directors, who are ultimately responsible for reputational risk, understand whether the organisation is at risk from information and data security exposure. At the end of the day, if something goes wrong, it will be them in the line of fire of customers and those enforcing the rules.
This starts with asking "where do we collect, store and process data?" The answer often lies in identifying your cloud hosting providers and digging into their data practices. Even if the organisation is only using web-based apps, boards and directors need to ask where that information is stored and processed. For example, when Office 365 first launched in Australia, it was hosted only out of Singapore. Unless the proper questions are asked, something as simple as an email solution can leave your organisation exposed on data sovereignty and data security.
If you are a CEO or board director, you need to be comfortable that you have asked the questions and not stopped until you are satisfied with the answers. This may lead to uncomfortable (and expensive) conclusions for your company, but there is an obligation to ask, and then to follow the answers to where they finish.
Third party supply chain risk - what is it and why should you care?
One of the biggest risks we see facing boards and CEOs in the near future is third party supply chain risk.
Third party supply chain risk arises whenever your data is handled by parties you do not directly control: cloud providers that in turn rely on Managed Service Providers (MSPs), or a contracting agency such as a marketing firm that runs all of your company's campaigns.
Such an agency (or other third party) runs campaigns, for example your organisation's entire social media advertising, by collecting and processing your data to produce publishable material. To do so, it uses cloud apps such as word processing software to write blogs, or other content-creation applications. Those apps will often run on servers based in the United States or elsewhere.
In this way, you could end up storing your customers’ data in the cloud in server locations that you are not aware of – unless you ask the question.
It's up to organisations themselves to do a deep dive into their suppliers' processes and applications, to ask where information is being stored and what controls are in place, and then to take appropriate protective measures.
Taking third-party risk assessment measures
Wise directors will put in place a third party risk assessment process. Superloop currently puts all our suppliers through this process. We take a light approach at first, but if the vendor can't answer the first round of questions we have a 60-question survey that we ask them to complete to ensure we are not exposed. It covers areas such as:
- Their security posture and policies, for example whether they require staff to sign NDAs and undergo background checks;
- What technologies are in place to protect data, which assesses their maturity in making sure users don't share accounts, that logins are unique and restricted, and that role-based access control is applied;
- Ongoing engagement, including whether they would notify us of issues in these areas and of cyber security and HR-related risks;
- Whether they have a mandatory data breach notification scheme: what their process is for notifying breaches, who is responsible, and within what timeframes; and
- Internal questions about what level of data we expect them to see.
Our duty of care
In Australia, Superloop is a good option for ensuring your customer data continues to be stored onshore. We take a custodial view of our customers' data: they trust us with the carriage of that data for the time we are supporting them.