A word of warning to the Channel – GDPR is real and you need to be aware
It is absolutely no secret that the importance of IT security over the past decade has, for want of a better word, ballooned. The growth of the cybersecurity realm has been uncontrollable due to the dramatic worldwide increase in data breaches, hacking intelligence and the general use of new technologies that organisations haven’t been able to keep up with or adapt to. As a result, this has left the vast majority of businesses on the back foot, constantly evading invisible attacks from hoody-wearing hackers across the globe. As ever with the public sector, there is a delay in the reflection of the new technologies in governmental law… particularly in a space as dynamic as cybersecurity. Nevertheless, the updated GDPR law that will come into play in a little over 12 months, seeks to start a movement to change how businesses within the EU approach data security in the modern era.
What is GDPR?
Although widely documented, it would be worth briefly summarising what GDPR is before I talk about how it will have an impact on MSPs and VARs in The Channel. GDPR stands for General Data Protection Regulation and is a law that has been implemented by the EU in order to improve rules surrounding data security. The GDPR intends on creating accountability for companies that don’t maintain their internal security regulations with regards to looking after customer data. Within the law, it clearly states that
“the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:
- the pseudonymisation and encryption of personal data;
- the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
- the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
- a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.”
This update is effective as of May next year and although this is a law implemented for EU nations, it will impact the UK regardless of the UK leaving the European Union. This is due to the fact that the law affects any business that handles data on EU citizens or makes it services available to the EU market, even if the supplier company is based outside the EU. Indeed, we will remain within the EU for at least the next two years anyway, so it is crucial that the changes are understood and dealt with accordingly. Given that even the basics of this update are likely to affect a number of Brigantia partners, the best way to prepare is to begin by developing a robust data protection strategy and to implement this as quick as possible.
Further updates to the law include fines of €10m or up to 4% of annual turnover for companies that do not have data policies in place and do not provide their employees with education on the importance of data security or using the correct technology software. If a data breach does occur, companies must now also notify all of those who have been affected within 72 hours and disclose the exact details of the event. Although there can be leniencies in circumstances where the affected company has done everything it can to limit the impact of the data breach and safeguard any lost data, it is unlikely that this will occur given that it must be proved that any lost data was unreadable due to it being encrypted. Ultimately, the moral of the story is that unless you want to face a large fine, make sure that your data and networks are protected, backed up and that you have a plan in place to handle data loss if it does occur!
What do I need to do as an MSP/VAR?
The challenge for MSPs and VARs is to integrate the GDPR regulations within your company business model and general way of working. Once that has been grasped and awareness has been built up internally, the new regulations can actually offer excellent opportunities to develop the relationships and accounts you have with your customers. Because of the consistent hype in the media around Brexit and the EU, no doubt the requirements of this law will start to become common knowledge and your customers will start asking questions. Many Brigantia partners are aware that their customers don’t always have the greatest compliance in place and although they might well have taken the necessary steps to remain compliant with the existing Data Protection Act, are often difficult to convince about the importance of new changes to IT security (including the stricter requirements of GDPR). However, the updates to the EU Law will change this mentality – providing an opportunity for Brigantia partners to vet their customers’ security compliance and advise where they need to be improved, what needs to be improved and how they can be improved.
CompTIA stated that “Clients will be relying on their providers to help them meet regulations, which is a great opportunity to build on your relationships, all while creating new business with current and potential end users.”
Much of my discussion has been about how partners need to be reactive to GDPR and improve current ways of working in order to avoid being penalized by the new fines. But actually there should be an equal, if not more, level of proactivity – to take advantage of the opportunities this presents to improve non-existent relationships with potential new clients. Due to the changes, there will be a growing number of businesses looking to seek advice from IT channel specialists about solutions that can prevent threats from becoming disastrous. Unsupported businesses will require the ability to call up detailed data that proves they are aware of lost devices and whether any lost data has been accessed or not. Without this ability, the fierce fines of GDPR will be faced and could potentially cause fatal financial loss. All business within the UK will be affected and any delay in thinking could risk immediate non-compliance. Brigantia partners then, need to have already adapted to these changes in order to provide new technology and services to ensure that unsupported businesses can avoid these risks. I would recommend all Brigantia partners action the below three points:
- Read up about all specific changes within data compliance law and GDPR and ensure you have the ability to consult customers on these changes
- Load up on available solutions to help customers with compliance
- Educate your customers on the impact of GDPR
Why does Heimdal and Bitdefender help protect and make business customers compliant?
Brigantia’s portfolio of security services enables partners to build a complete security solution that can help existing and new customers with their compliance. Our dynamic endpoint security management portals provide succinct and accurate information about the safety and status of customer endpoints to ensure any threats are removed before they become harmful. Bitdefender GravityZone for MSPs and Heimdal Security Corp are the perfect combination to ensure that the demands of GDPR are being met. The cyber risk management module within the Heimdal Corp dashboard and the Bitdefender online management portal provide clear overviews of your customer endpoint environments and deliver accurate data on any security risks, aiding the mitigation of any security breaches. This infrastructure enables you to prove that you are safeguarding employee data in an easily understandable manner, ticking off the GDPR requirements with ease. Specifically, Heimdal Security provides additional intelligence in the form of automatic and silent patching as well as proactive traffic filtering, thus preventing any gaps in the fence to enable the compromisation of customer data.
As I have said, although GDPR presents challenges to Brigantia partners, it also presents opportunities. Brigantia exists to add value and this is a perfect of example of how and where we can help. For any further reading on how you can begin to adapt to the GDPR changes, or if you would like additional information on these changes, please get in touch via email firstname.lastname@example.org.