Today, the potential penalties and risk profile of allowing data to leak, or be lost, may not be severe enough in Australia, according to Jerry Vochteloo, cloud data protection lead across Asia Pacific and Japan at Dell EMC.
Yet as explained by Vochteloo, if overseas trends are a guide, it won’t be long before Australia joins other regions in instituting strict penalties around data misuse.
“In Australia the regulations and requisite fines are often pretty light,” he said. “There have been very few prosecutions and businesses ended for being in breach.
“But look at what General Data Protection Regulation [GDPR] did. Why did people suddenly sit up and take notice? Because the maximum fine is four per cent of a company’s worldwide revenue. All of a sudden there was a fine that could hurt an organisation.
“There is a trend to start increasing the fines. For instance, Singapore now also has million-dollar fines, and that helps.”
The problem IT departments face isn’t just centred around the scramble to be compliant, however. It is the sudden interest in compliance from corners of the organisation that hadn’t previously looked at it.
“Compliance issues hit at a high level and then cascade down to IT, which responds ‘well, that’s great, I’ll add it to my other impossible job list’,” added Kakanis of Sundata. “It can then feel like they’ve got a victim within the organisation.”
Computer Merchant’s Jeffries said he had seen this trend in action. “We had one organisation which [spent] about $2.5 million to $3 million to do a project to remove Windows XP from all their devices and move to something that was supported,” he explained.
“The organisation had been putting it off, but then the regulators got involved, saying the director was now accountable for the data, so when the organisation identified it had exposure through Windows the mandate came down pretty quickly from the top.
“Directors are in fear and when it’s board-driven, it’s often to avoid the risk of fines or jail time. Nobody wants to be in the news for something like that.”
Culture of data
Andrew Bird, regional manager of Queensland at BlueAPACHE, observed that in many cases, responsibility for data within an organisation lies with the IT department, despite a clear lack of understanding of the implications of such a move.
“Take insurance, for example,” Bird said. “Boards or managing directors will pass a spreadsheet to IT, whether it be internal IT or outsourced IT, and then expect IT to be able to complete it.
“Two-thirds of the content in those spreadsheets is about business policies, which means it is not just about the province of IT. The immediate reaction is ‘this is cyber so therefore it’s about IT’, but it’s not – it’s about so much more. It’s about the users.”
Many organisations are also looking to offload responsibility for data and security to partners. Jeffries said that scrutiny is increasingly being placed on the channel as a result.
“It’s important that, as a channel partner, you’re able to point to your own organisation as proof of what you can do,” he said. “Are you up to date with patches? Have you removed administration rights from ex-staff? Security is a big job to do but it is simple. It’s about making sure we follow those fundamental things.”
Delving deeper, Kakanis of Sundata stressed that despite more frequent discussions about back-up, internal culture is struggling to keep pace with data changes.
“But patching has done a complete 180-degree turn,” Kakanis said. “Three or four years ago people patched if it was absolutely necessary. Now service-level agreements [SLAs] include the frequency of patching.
“It has become part of the environment that people patch on a regular basis and across systems and they are getting better at it.”
Much of what is driving these trends is a changing IT skillset and focus within organisations, according to Vochteloo of Dell EMC. Internal IT teams are increasingly focused on managing cloud and DevOps environments, meaning partners are being relied on more heavily for “old school” IT support.
“The people who understand the value of back-ups are disappearing,” Vochteloo said. “I’m increasingly finding I’m going back to the most basic conversations with IT teams around what back-up is and why they should do it.
“For example, there was one large chemical company that we recently engaged with where the cloud team is also the IT team. We almost needed to run a back-up 101 course, explaining what a full back-up was and why organisations should have certain retentions.”
According to Satish Naidu, CEO of 1ICT, a key trend affecting the entire data industry is the changing view on data. Partners need to not only continue to provide existing data protection services but evolve alongside customer expectations.
“What we see is a big move to application development, so most of the data we now protect is in the cloud on AWS and Azure, and so on,” he said. “Traditionally, we needed an on-premise approach to data protection, but customers now use databases as-a-service and an integral part of the software development platform.”
The ongoing confusion and organisational challenges around data back-up and regulation are good news for the channel.
These businesses need an advanced strategic partner to assist in navigating increasingly high-stakes waters, and with the shift towards the cloud in many internal IT teams, the need for structured technical support is also all the greater.
(This article first appeared in ARN Magazine; this ARN Roundtable was held in association with Dell EMC and Tech Data.)