If you have been reading up on the EU General Data Protection Regulation (GDPR)—whether from SolarWinds MSP or other sources, such as the ICO in the UK—you likely realize most MSPs and IT service providers need to bolster their security solutions. Some service providers have already started upgrading their security stack (good), offering security and GDPR-awareness training for their customers (better), and rolling out new architecture and implementing security best practices (best). But there’s always more that can be done.
The popular phrase “pics or it didn’t happen” is used to question the truth of unusual claims. When it comes to compliance, we should rephrase it as, “security reports or it didn’t happen.” When helping support a client’s GDPR readiness, the reports, especially reports describing the mitigation of a security issue, are vital evidence.
One of the best things you can do is to run a vulnerability scan before and after you start providing security services. The reports will help provide assurance that your security services work, and that you’ve taken mitigation steps in the event of a security issue. Your clients expect your services to be effective and visible—this can be difficult without pre-service and post-service reporting in place.
When delivering a vulnerability management program, document the positive impact of your security services on your client’s security posture. Running a vulnerability scan before patching and again after patching provides tangible evidence that the service reduced exposure. Vulnerability management programs are one of the most effective controls against data breaches, making them a must-have in a post-GDPR world. When a customer can view your impact over time and see a substantial reduction in business risk, you’ll be well positioned to continue earning their business.
Additionally, if the vulnerability scanner also reports on unprotected personal data or personal data that has suddenly appeared where it shouldn’t, you can quickly react to secure the data. This can demonstrate your vigilance in monitoring your customer’s security posture.
Too often, MSPs don’t get the credit they deserve for their security services precisely when those services succeed. The absence of security incidents can obscure the hard work, suite of technologies, and diligence of the service provider. In fact, automated security layers can respond so quickly that the customer may never know how close they came to a ransomware payload executing or a remote access Trojan being installed on an endpoint.
By introducing a pre-scan phase to the vulnerability management workflow and adding a post-scan phase after customer endpoints are patched, you provide visible reporting and tangible evidence of your efforts. For the comparison to be meaningful, both scans should cover the same hosts with the same credentials and the same set of checks; a host that was simply offline or out of scope for the second scan is not a remediated finding and should be reported separately.
Under GDPR, this reporting can be crucial. If a data breach occurs and the Supervisory Authority calls your security efforts into question, the reports can help demonstrate your due diligence.
Don’t stop at a single pre-scan and post-scan. As you continue running periodic scans for your customers, you’ll start to notice trends across the different configurations, applications, and roles in a customer’s business. Within a few weeks of scanning for personal data, you’ll see that certain users carry considerably higher risk profiles than, say, the general-purpose computers on the shop floor.
Payroll, accounting, sales, executives, and managers may access or accumulate sensitive data as part of their business-as-usual roles and functions. Given this, you may want to set up special configurations, network segmentation, and additional security service layers for the individuals and workstations with the highest risk. In some verticals (medical, financial, legal), the risk from cyberthreats is significantly elevated. By knowing where the personal data is located and who’s responsible for it, you can address the specific risks, as opposed to taking a generic one-layer-fits-all approach to security services.
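The before/after comparison described above, and the per-host risk trend that emerges from periodic scans, can be produced from ordinary scanner exports. The following is an added example written for this article; it is not SolarWinds code and does not read any vendor’s export format. Host names, roles, finding identifiers (VULN-xxxx) and severity weights are all constructed for illustration, and the sample scan records are embedded inline so the script runs offline. It treats a finding as remediated only if its host was actually present in the post-patch scan, so hosts that dropped out of scope do not inflate the result.

```python
"""Before/after comparison of vulnerability scan results for a patch cycle.

Added example, not SolarWinds code. Scan records below are constructed with
hypothetical hosts and finding ids; adapt load_findings() to your scanner's
actual export fields.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass

# Illustrative weights (an assumption); substitute your own risk model or CVSS.
SEVERITY_WEIGHT = {"critical": 10, "high": 5, "medium": 2, "low": 1}


@dataclass(frozen=True)
class Finding:
    host: str
    role: str       # business role of the machine's user, used for risk profiling
    vuln_id: str    # scanner plugin or CVE id; constructed values in this example
    severity: str

    def key(self):
        return (self.host, self.vuln_id)


def load_findings(records):
    """Normalize raw scanner rows into a set of Finding objects."""
    return {Finding(r["host"], r["role"], r["vuln_id"], r["severity"].lower())
            for r in records}


def diff_scans(pre, post):
    """Compare two scans of the same intended scope.

    A pre-scan finding counts as remediated only if its host was still seen in
    the post-scan; hosts absent from the post-scan (offline, credential failure,
    changed target list) are listed in missing_hosts instead.
    """
    post_hosts = {f.host for f in post}
    pre_keys = {f.key(): f for f in pre}
    post_keys = {f.key(): f for f in post}
    return {
        "remediated": {f for k, f in pre_keys.items()
                       if k not in post_keys and f.host in post_hosts},
        "new": {f for k, f in post_keys.items() if k not in pre_keys},
        "persisting": {f for k, f in post_keys.items() if k in pre_keys},
        "missing_hosts": {f.host for f in pre} - post_hosts,
    }


def risk_score(findings):
    return sum(SEVERITY_WEIGHT.get(f.severity, 0) for f in findings)


def summarize(pre, post):
    """Figures for the before/after report handed to the customer."""
    d = diff_scans(pre, post)
    before, after = risk_score(pre), risk_score(post)
    return {
        "remediated": len(d["remediated"]),
        "new": len(d["new"]),
        "persisting": len(d["persisting"]),
        "missing_hosts": sorted(d["missing_hosts"]),
        "score_before": before,
        "score_after": after,
        "reduction_pct": round(100 * (before - after) / before, 1) if before else 0.0,
        "by_severity_after": dict(Counter(f.severity for f in post)),
    }


def host_risk_trend(scans):
    """Per-host risk score across a series of scans, oldest first."""
    hosts = {f.host for s in scans for f in s}
    trend = defaultdict(list)
    for s in scans:
        per_host = Counter()
        for f in s:
            per_host[f.host] += SEVERITY_WEIGHT.get(f.severity, 0)
        for h in sorted(hosts):
            trend[h].append(per_host[h])   # 0 when the host was not scanned
    return dict(trend)


def rank_hosts(trend):
    """Hosts ordered by their most recent score, highest risk first."""
    return sorted(trend, key=lambda h: trend[h][-1], reverse=True)


# Constructed sample scans: a pre-patch baseline and a post-patch rescan.
PRE_SCAN = load_findings([
    {"host": "payroll-ws01", "role": "payroll", "vuln_id": "VULN-1001", "severity": "critical"},
    {"host": "payroll-ws01", "role": "payroll", "vuln_id": "VULN-1002", "severity": "high"},
    {"host": "sales-lt03", "role": "sales", "vuln_id": "VULN-1003", "severity": "high"},
    {"host": "shopfloor-pc07", "role": "shopfloor", "vuln_id": "VULN-1004", "severity": "medium"},
    {"host": "hr-ws02", "role": "hr", "vuln_id": "VULN-1002", "severity": "high"},
])
POST_SCAN = load_findings([
    {"host": "payroll-ws01", "role": "payroll", "vuln_id": "VULN-1002", "severity": "high"},
    {"host": "sales-lt03", "role": "sales", "vuln_id": "VULN-1005", "severity": "low"},
    {"host": "shopfloor-pc07", "role": "shopfloor", "vuln_id": "VULN-1004", "severity": "medium"},
    # hr-ws02 was offline for the rescan: reported as missing, not remediated
])

if __name__ == "__main__":
    print(summarize(PRE_SCAN, POST_SCAN))
    print(rank_hosts(host_risk_trend([PRE_SCAN, POST_SCAN])))
```

On the constructed data the summary reports two remediated findings, one new, two persisting, hr-ws02 as a missing host, and a weighted risk score falling from 27 to 8. Note that the trend function records a score of 0 for a host that was not scanned, so a missing host looks like a fully remediated one in the trend view; check the missing_hosts list from each comparison before reading anything into a sudden drop.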
SolarWinds® Risk Intelligence should be an essential tool in your arsenal for GDPR readiness. It is designed to locate all the data on your customers’ networks, even in hard-to-find persistent storage, and estimate the potential cost in the event of a breach. Putting your potential data risk into a financial number helps you quantify how much your vulnerability management program helped your customers’ security, which can be helpful if there’s a breach and you have to demonstrate due diligence.
Additionally, Risk Intelligence can show you where you may need to customize your approach for each business. By customizing your approach, you truly demonstrate an awareness of how the cyberthreat landscape could affect your customer, and you may even save the customer from falling victim to a targeted attack and data breach—and that can save them substantial grief under the new rules from GDPR.
This document is provided for informational purposes only and should not be relied upon as legal advice or to determine how the EU General Data Protection Regulation (GDPR) may apply to you and your organization. We encourage you to work with a legally qualified professional to discuss GDPR, how it applies to your organization, and how best to ensure compliance. SolarWinds MSP makes no warranty, express or implied, or assumes any legal liability or responsibility for the information contained herein, including the accuracy, completeness, or usefulness of any information.
The SolarWinds and SolarWinds MSP trademarks, service marks, and logos are the exclusive property of SolarWinds MSP UK Ltd. or its affiliates. All other trademarks are the property of their respective owners.
© 2018 SolarWinds MSP UK Ltd. All rights reserved.