Even if your business isn't currently operating in a regulated environment, you might be affected because of the type of data you are collecting and how you are securing it. Superloop security expert, Andrew Lawrence takes a deeper look at security measures and actions that Australian CEOs need to be aware of.
How you collect data matters
As data sovereignty policies and legislation changes, it will become more important for CEOs to consider how each department collects, processes and stores information.
For example, service desk departments may not technically store or collect personal information; however, employees often collect incidental information to solve cases, such as taking screenshots, logging files, and adding details to help request tickets for post-investigation work.
This kind of incidental data collection may include information captured from background screens, such as banking details, or from desktop applications holding corporate information. This means that even departments which do not typically fall under governance and data compliance legislation will need to identify whether they are potentially collecting sensitive and personal information.
Asking the right questions
In the current era of digital information and tightened data security requirements in Australia, it can be difficult for CEOs to know where to start. While you cannot define what you don’t already know, asking the right questions is imperative.
In the past, data sovereignty and data protection fell under the remit of IT, as procurement for cloud computing was squarely under the CIO’s governance. However, we think these questions need to start from the top.
It’s vital that boards and directors, who are ultimately responsible for reputational risk, understand whether the organisation is at risk from information and data security exposure. At the end of the day, if something goes wrong, it will be them in the line of fire of customers and those enforcing the rules.
This starts with asking “where do we collect, store, and process data?”
The answer often lies with identifying cloud hosting providers and digging into their data practices. Even if the organisation is simply using web-based apps, executives and directors need to ask where information is stored and processed.
For example, when Microsoft Office365 first launched in Australia, it was only available out of Singapore. Unless executives ask the proper questions, it is still possible that a simple email solution could expose your organisation to data security breaches.
CEOs and board directors need to be comfortable that they have asked the questions and not stopped until they are satisfied with the answers. This may lead to uncomfortable (and expensive) conclusions for the company, but there is an obligation to ask and then follow the answers wherever they lead.
Third-party supply chain risk
One of the biggest risks we see facing Australian boards and CEOs is third-party supply chain risk.
Third-party supply chain risk arises when you use cloud providers that rely on Managed Service Providers (MSPs), or when you engage a contracting agency, such as a marketing firm that runs all of your company’s campaigns.
The agency (or third party) may run campaigns, such as your organisation’s social media ads, by collecting and processing data to create publishable material. These agencies generally use cloud-based apps, such as word processing software to write blogs, or other applications to create content. These apps often run on servers based in the United States or in other locations around the world.
In this way, you could end up storing your customers’ data in the cloud in server locations that you are not aware of – unless you ask the question.
It’s up to organisations, and ultimately, the CEO, to do a deep dive into suppliers’ processes and applications, to ask where information is being stored, and find out what controls they have in order to take appropriate protective measures.
Taking third-party risk assessment measures
Wise directors will put in place a third-party risk assessment process.
Superloop currently puts all our suppliers through this process. We take a light approach at first, but if the vendor can’t answer the first round of questions, we have a 60-question survey that we ask them to ensure we are not exposed.
These questions include areas such as:
- What are their security posture and policies? For example, do they require staff to sign NDAs and undergo background checks?
- What technologies are in place to protect data? This assesses their maturity in ensuring users do not share accounts, that each user has a unique login, that access is restricted, and that role-based access control is in place.
- Ongoing engagement: how would issues in these areas, including cyber security and HR-related risks, be communicated?
- Do they have a mandatory data breach notification scheme? What is their process for notifying us of breaches, who is responsible, and in what time frame could we expect to be notified?
- Internal questions about what level of data we expect to see.
Our duty of care
In Australia, Superloop ensures that customer data continues to be stored onshore. We take a custodial view of our customers’ data – they trust us with the carriage of that data for the time we are supporting them.