The invisible identity theft ...

What happens to your data when your service provider uses a third-party to manage their service? For example, consider what information your accountant shares with their online accounting service when they lodge your tax return on your behalf.

Much is being made of data breaches and identity theft. Examples like Optus, Medibank, AHM and Woolworths have graced the headlines in the past month. No doubt more will emerge, along with ongoing breathless reporting by the tabloid media of scams and mayhem, perceived or actual, that befell one hapless victim or another.

What’s less obvious is that data theft can happen outside your field of view, without your involvement and without any chance for you to do anything about it before it happens. It’s an invisible problem that is only going to get worse until it’s recognised as a substantial issue that our society needs to properly consider.

In my line-up of data breaches, two recent names were missing: Telstra and National Australia Bank. Their own systems weren’t compromised, but a third-party rewards service, Pegasus, which provides rewards programs for businesses, was hit. This kind of data breach is much harder to detect and mitigate, because you, the end user, have no input into the choices an organisation makes about the third-party services it uses, and often no way of knowing that such a service holds your data at all.

It’s not only at the level of such corporate behemoths that these issues arise. At the small business end of the scale, third-party services like Google, Dropbox, MYOB, Xero, SAASU and DocuSign offer all manner of convenience to small businesses, which in turn offer a service to their clients: you.

In the case of Telstra and the NAB, you’d think there would be a process of due diligence before engaging a supplier, but can you really expect a small business owner to apply the same level of scrutiny when they engage an external provider to help them run their business?

It gets worse. Most third-party services use other companies, a fourth party if you will, to provide their data centre: big names like Amazon Web Services (AWS), Microsoft Azure or Google Cloud Platform (GCP). Then there are those who run their own data centre, or sub-contract to some other hosting provider, local or overseas, like ZettaNet or DreamHost.

Different organisations manage and publish information about their data centres in different ways. For example, Google has data centres all across the world, but its published data centre map shows none in Australia. Dropbox uses three data centres in the United States. MYOB claims to use Azure and AWS services in Australia, though it has also used Azure in Singapore. Xero states that it uses AWS in the United States. SAASU says it uses AWS in Australia, and DocuSign says it uses “two data centres in Australia”. Such statements also change over time, as the MYOB example shows, so they need to be re-checked rather than taken as fixed.

All this adds up to more uncertainty, less scrutiny and ever more complex interactions between your data and its ongoing security. Until such time as legislation actually tackles this issue, most of your “private” data is regularly at the mercy of companies that you might not even know existed, let alone knew had your data.

As a small business owner, how do you do your own due diligence on this type of data security, and as a user, what steps have you taken to consider the impact of third- and fourth-party providers?

Onno Benschop