There's no place like home: local data hosting benefits
Data is inextricably linked to trust — people will not give information to somebody they do not trust. But public trust in business has entered a downward spiral.
Despite this, the value of data to business has never been more important. It can help deliver streamlined services, unlock unprecedented customer insights and deliver competitive advantages. If poorly managed, it can also cause businesses to crash and burn.
Data security is therefore essential — but what does it take to keep data safe?
At one end of the spectrum, there’s a common belief that strong passwords and antivirus software are enough protection. At the other end, tech supremo Elon Musk says Facebook “gives me the willies”, while former FBI boss James Comey covers his webcam and advises the rest of us to do likewise.
There is no place for complacency in data security. However, fearfulness can hold businesses back from maximising the opportunities that technology and the online economy can provide.
Diligent has developed practical guidance on how to protect sensitive boardroom information, to underpin trust across organisations, and looks at when a local data-hosting solution may be of benefit.
Data security in the boardroom
Directors and management need secure channels in which to ask questions, express opinions and share information beyond the boardroom. Some documents might contain messages that haven’t yet been refined, plans that will change later or facts that are still unverified.
It is essential that people are comfortable to speak openly — robust discussion is a central part of every board. Yet, at many organisations, these exchanges regularly take place over email, by text message or via instant messaging apps. Those platforms lack the security needed to properly protect sensitive information; for example, multiple copies of a message can end up stored in public clouds outside the organisation's control.
Board reporting can often be at risk of falling outside standard organisational controls because of non-executive directors using external systems, software and hardware. That may include public email servers, unfamiliar USB drives, BYO devices and public wireless networks.
While the risks associated with public email providers are well documented, there has also been an increase in business email compromise, according to the Australian Cyber Security Centre's 2017 Threat Report.
Why data security is good corporate governance
Protect company assets
Board reports provide sensitive information about a wide range of commercial, financial and operational issues. That can include strategic plans, performance updates, forecasts, risk analysis and details of significant transactions.
Reduce external threats
Even the data you don’t believe is valuable externally can be attractive to cybercriminals — simply because it’s valuable to you. Ransomware (encrypting your data and then charging a fee for its release) is a growing threat.
While the board’s role is to challenge management and hold them accountable, a culture of trust and openness between directors and senior executives is imperative. Similarly, directors need to have the utmost confidence that boardroom business is confidential.
Continuous disclosure obligations
A loss of confidentiality over a significant matter could mean a business has to make further disclosures to the ASX or ASIC.
There’s more at stake than data
Far from being a specialist IT issue, data security is now one of a range of issues that form part of an organisation's corporate culture, and it has a genuine effect on the organisation's reputation and the level of public trust it enjoys.
Some organisations face regulatory restrictions in their ability to use data centres and service providers beyond Australia. However, for others, the decision to host data locally is an individual choice. It’s not a surprising one, given that more than nine out of 10 people don’t want their data sent overseas, according to the Australian Community Attitudes to Privacy Survey 2017.
The implications of a data security breach are serious, and can include:
- operational and business continuity issues
- loss of business
- regulatory action and sanctions
- potential legal action
- reputational damage
- financial loss.
Why host data in Australia?
For most organisations, having strong data security to prevent loss, misuse or theft is a lot more significant than where that data is physically located.
Regulations vary around the world, but reputable organisations in Australia or overseas should have the same quality infrastructure, security and processes to protect their clients.
Businesses should do their research before making a decision, and know the right questions to ask. Providers that can’t clearly and proactively explain their security measures should immediately raise a red flag.
- Financial services: Entities regulated by APRA, including banks, insurers and superannuation funds, are subject to stringent requirements when outsourcing material business activities, particularly if they are outsourcing them to offshore providers. The prudential regulator can put a stop to arrangements if it is not satisfied with the risk management practices.
- Government: Public sector entities are strongly encouraged to adopt cloud-based solutions under the Australian Government’s Secure Cloud Strategy. While the Strategy specifically notes that offshore data is not prohibited, many government agencies and departments at the state, territory and federal level follow a mandate of only using locally hosted data service providers.
- Medical and healthcare: Under the Privacy Act, information about people’s health is subject to greater protection than other types of personal information. Providers need to take additional steps to satisfy themselves that sensitive information is properly protected.
High standards apply offshore
Australia has a strong privacy and data security regime, but some jurisdictions have even more pervasive requirements.
When the European Union’s General Data Protection Regulation (GDPR) takes effect in May 2018, it will impose some of the toughest privacy standards in the world. It will not only affect EU organisations, but any organisation with data on EU citizens. There is also no small business exemption, unlike in Australia.
Penalties under the GDPR can be severe — up to a maximum of EUR20 million or 4% of global revenue, whichever is higher.
Importantly, the new regime will also introduce changes to liability when third-party suppliers are used. No longer will the original owner of the data be solely liable for any breach that occurs. Liability will now be shared between the owner and the third-party provider. These changes are creating a ripple effect across the globe.
High-quality infrastructure can deliver outstanding performance no matter where it is located. However, onshore data storage can offer performance benefits for highly data-intensive organisations. That's because the further data needs to travel, the longer it takes to arrive. While the difference for a single request may be a matter of milliseconds, with large volumes of data those delays accumulate into noticeably higher latency. Keeping data closer to home can boost access speeds.