Privacy, security and why your IT provider can’t do everything!

14th Apr 2014

Many clients have been asking me about the recent changes to the Australian Privacy Act that came into effect in March. It is important that all clients review their Privacy Policy (or write one if they haven’t got around to it yet!). You need to think about where your data is located, about passing client information to another party, and please, please, avoid spamming.

My conversations have highlighted a lack of understanding around who is responsible for security and privacy. Think about it. Technology can enforce strong password policies, but if a user keeps their password on a note under their keyboard, security is still compromised. So here is a quick primer on who should do what.

The responsibilities of the client include the following:

  • Developing and enforcing user policies such as the password policy, privacy policy, internet use policy and BYOD policy
  • Determining the appropriate levels of security and access for users
  • Data security on local devices e.g. smartphones, laptops, USB drives
  • Securing physical paperwork and network information
  • Maintaining application security including user logon

The responsibilities of your IT provider include the following:

  • Network security including enforcing strong passwords and creating required security groups
  • Firewall configuration
  • Managing and updating antivirus software
  • Installing appropriate power protection to critical equipment
  • Data backup including taking data offsite
  • Providing appropriate hardware redundancy
  • Patching operating systems and applications
  • Configuring secure remote access using technologies such as SSL

This isn’t an exhaustive list. But I hope you can see that both parties need to work together to make sure that your data and your clients’ data are private and secure. If you have any confusion or concerns, let me know.