[BreachExchange] Three steps MSPs must take to become GDPR compliance experts

Audrey McNeil audrey at riskbasedsecurity.com
Mon Feb 26 19:48:37 EST 2018


With General Data Protection Regulation (GDPR) just around the corner,
Managed Service Providers (MSPs) are worried that they’ve missed the moment
to position themselves as providers of services around GDPR compliance
should know that this isn’t the case – in fact, the time is right.

GDPR enforcement begins 25 May 2018, but a large number of companies
affected by the new regulation are either still in the dark about it or not
as aware as they need to be to successfully comply without assistance.

In the UK, 95% of companies are SMEs - organisations who largely lack the
robust internal IT capabilities necessary to implement the protections that
GDPR requires. They will instead need to rely on MSPs that have cultivated
the correct technologies and expertise to do so, although MSPs need to
effectively position themselves to take advantage of this.

1) Acquire the subject knowledge

Compliance with GDPR – and remaining on the good side of regulators – is
all about reducing risk wherever possible and demonstrating that effective
measures are in place. At its heart, GDPR is an effort to change the
culture within companies, such that data privacy and security are treated
as much more critical concerns in the everyday practices of conducting

As most MSPs are already well-aware, it’s not uncommon that an MSP
understands and worries about customers’ systems more than the customers do
themselves. This discrepancy is a feature for clients, who desire
peace-of-mind-as-a-service, especially in the face of regulations like GDPR
that carry devastating fines for non-compliance.

MSP-client relationships are built on trust, the basis of which can be
destroyed if a data breach is discovered. Serving clients as the consummate
expert on GDPR can both differentiate an MSP’s offerings and help give
shape to the relationship-defining trust that the MSP delivers.

Gaining this expertise means developing an understanding of Cyber
Essentials, the UK’s cyber security standard for which organisations can be
assessed and certified, and the role and activities of the Information
Commissioner’s Office (ICO), the UK’s independent authority tasked with
upholding information rights and individual data privacy.

In this way, an MSP can obtain and execute upon the knowhow to handle data
properly and mitigate risk under the law, so that clients don’t have to.
This opportunity is accentuated by the fact that the ICO takes a pragmatic
approach to GDPR, setting guidelines that welcome the use of the generic
and infrastructural data protection solutions that MSPs are best suited to

Delivering effective data privacy protections that GDPR calls for not only
bolsters the reputation of the MSP, it also fulfils its responsibility to
protect the reputation of the technology industry as a whole. For MSPs,
taking the initiative to help transform the data handling practices and
culture of the SMEs they serve is both an obligation and an opportunity.

2) Assemble the correct technology portfolio

Safeguarding private data within the guidelines of GDPR requires a layered
security approach. GDPR grants a number of individual privacy rights, such
as the right of access, right to the restriction of processing, and right
to data portability, which call for a tremendous facility of control over
data. GDPR also demands a level of data security appropriate to the risk,
taking into account the costs of implementing measures and the nature,
scope, context and purposes for processing data.

Encryption of personal data is an essential capability for MSPs in
complying with GDPR, especially considering that in most cases SME clients
will store data on laptops and other mobile devices. Proof of encryption
and the ability to remotely eliminate and/or quarantine data go a long way
in demonstrating to the ICO that effective measures are in place. Remember
that if data on a compromised device is inaccessible and/or encrypted, the
data itself is not compromised and it shouldn’t be considered breach.

For this reason, we use Beachhead’s SimplySecure as a way of controlling
data encryption and remote data wiping (and quarantine) over all devices in
use within an SME. Providing additional layers in our portfolio of
technology solutions, we use Darktrace for cyber threat analysis, and
SonicWALL to help secure SME networks, among other tools.

3) Provide consultancy to educate clients

Teaching SMEs about the best practices they can follow in achieving strong
cybersecurity hygiene is highly beneficial to both complying with GDPR and
reaching the desired result of protecting data. An effort to change the
cultural expectations and norms around data protection is a major component
of GDPR, and this requires an education that MSPs can provide.

The desired cultural shift is analogous to the one that previously occurred
around data backups. Years ago, it was common for enterprises to ignore the
importance of backing up data. However, that mindset has been wholly
rendered a relic of the past, and there is such cultural support that
backups have become standard practice.

A similar shift will occur with encryption and other data protection, such
that truly effective data security practices will be a part of the culture
and the default way that enterprises conduct business. This shift begins in
earnest with GDPR’s requirements, and the leadership of entities like MSPs
that can communicate and educate on the importance and benefits of
embracing strategies and tactics that get the job done.

Some SMEs may look at their options and believe that compliance measures
are beyond what they can afford. MSPs should be prepared to advise these
potential clients to approach Cyber Essentials and GDPR by doing what can
be done, and that simple small steps, cultural changes, and wise decisions
can and will save them a lot in the long term.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20180226/a81e4bb9/attachment.html>

More information about the BreachExchange mailing list