Walking the Data Security vs. Data Privacy Tightrope

Discussing data security and data privacy as if they’re the same thing can be dangerous for an MSP.

Kaseya Guest Blogger

September 21, 2021


Protecting personal, sensitive information from falling into the wrong hands is increasingly one of the top reasons SMBs turn to MSPs for guidance and assistance. What had once seemed like a distant, existential threat is now startlingly real for businesses of all sizes as well as the individuals who entrust their private information to them.

MSP customers–and their customers’ customers–have seen enough headlines about security breaches to realize the problem is widespread. Nearly everyone has received worried emails advocating immediate password changes and free credit monitoring services, breaking the illusion that this only happens to other people. Instead, it’s more likely just a matter of time until a breach hits them even closer to home.

But data security and data privacy aren’t the same thing–however often these terms get used interchangeably. Temporarily removing “data” from the phrase, it’s clear that these labels have quite different meanings.

“Privacy” is about keeping others from seeing your stuff. We close our window shades and put in our earbuds when we don’t want the rest of the world to know what we’re up to, creating a few barriers for the Peeping Tom and the overeager eavesdropper. But privacy doesn’t necessarily promise true protection from more inspired snoopers actively seeking this data.

“Security,” on the other hand, is about true defensive protection. It is not just designed to dissuade the casual interloper, but rather to actively defend against bad actors intentionally accessing things they shouldn’t get their hands on. It’s the keypad to enter the elevator and the armored truck ferrying cash to the bank.

A Distinction with a Difference

Discussing data security and data privacy as if they’re the same thing can be dangerous for an MSP. Customers can latch onto a belief that they’re receiving one level of protection when they’re actually paying for another, and this issue will likely come up only after an incident puts the topic in the spotlight.

MSPs can prevent such false assumptions from taking root by educating customers both on what these two terms mean and, more specifically, exactly which related services are being offered and currently paid for. While lengthy text descriptions are one approach to creating clarity while also covering the MSP’s legal liability, sometimes more visual aids can help.

Consider using a multi-column checklist to indicate which services (security versus privacy) are offered with each tier of service and for every type of data. While this level of specificity may feel like overkill, a graphical representation of precisely what’s covered and what’s not removes any ambiguity from the equation, giving both the MSP and their customers peace of mind that they share a common understanding of the situation.

Scope and Intent

Detailing what’s included in various bundles and tiers of service is critical for MSPs in every domain, but it’s particularly acute when it comes to data security and privacy. It’s a hot-button issue where an incident could have far more significant ramifications than a simple outage or system failure. Once data is exposed or stolen, there’s no putting the genie back in the bottle.

Data security offerings typically include preventative measures such as multi-factor authentication (MFA), firewalls, suspicious network traffic monitoring and encryption. Also, while not explicitly for security, automated patch deployments and version updates are another key protective layer that falls at least partially under the security umbrella.

Even physical securing of hardware, risk assessments and employee training are MSP offerings that improve client data security. The common thread in all these practices and tactics is preventing unapproved access to private data, as each layer of protection makes it that much harder for a bad actor to gain access.

Data privacy, however, is somewhat ironically as much about transparency as it is about keeping things hidden. Data privacy strategies should begin with sharing with users exactly what data is being captured, how it’s being used, who might have access to it, and how that’s being controlled, along with getting users to opt into those terms. This open agreement sets the stage for how SMBs and their MSP partners will keep sensitive information under wraps and inform users about those processes and policies.

Regulatory compliance also comes into play when it comes to data privacy, as HIPAA, GDPR, and other common standards require strict adherence to certain protocols. These run the gamut from de-identifying personal data to restricting employee access to storing different types of data in separate locations to simply agreeing that data won’t be resold to third parties.

Smashing the Security Silo

For too long, security has been viewed as something separate from core IT services, a protective wrapper that guards the gates but isn’t considered an integral pillar of the technology stack. But this approach leaves firms more vulnerable than necessary because they’re not taking a holistic view of how security and privacy concerns permeate every aspect of an organization’s technical infrastructure.

The reality is that every email, click, open port, outdated operating system, digital transaction and natural disaster represents a potential security breach or privacy-compromising event. While good fences and surveillance techniques may catch the lion’s share of threats and attacks, no element of the operation is exempt from having to consider what weak points get exposed through each action.

Leaders don’t settle for set-it-and-forget-it precautions. They make data security and privacy concerns core to everything they do, from how they train and measure employees to the viability of various systems, devices and solutions. Maintaining a healthy awareness and continual consideration keeps everyone sharp and on the lookout for incomplete defenses and proactive steps to be pursued.

MSPs have an integral role to play in ushering in this mindset shift. They bring the expertise, best practices, tools and vision, ready to help those SMBs hungry for action along with the others hesitant to fully commit who need a little more prodding to make their case.

Essential for the Ecosystem’s Survival

Data security and privacy breaches are no trivial matter for the SMB clients that make up the lifeblood of the MSP ecosystem. In the wake of a major data breach, more than half of those businesses end up closing shop within six months, unable to recover from the financial ramifications of fines and lost business as well as the tarnished reputations that follow.

To survive and thrive in today’s hostile environment, SMBs need their customers to trust them with their data on both the security and the privacy fronts. Anything else reduces their confidence, usage, and revenue.

There’s no magic bullet when it comes to this matter, but the vast majority of security breaches and data leaks are preventable with a layered approach to data security and privacy. Combining multiple systems, best practices, training and standardized procedures, MSPs can work with their SMB partners to stave off bad actors, remain in regulatory compliance and let everyone involved sleep a little bit easier.

Dan Tomaszewski is SVP of Channel & Community, Kaseya.

This guest blog is part of a Channel Futures sponsorship.
