IT Consultancy, Bedfordshire

Derrick Cameron, MD of Eximium Ltd

Are you compliant with the PCI standards?

In September 2006, the Payment Card Industry (PCI) Security Standards Council released version 1.1 of the ‘Payment Card Industry Data Security Standard’, generally referred to as the ‘PCI DSS’.  The PCI Security Standards Council was formed by the leading payment brands, including Visa and Mastercard, specifically to own and develop the standard. This was in response to rising card fraud, and the standard is designed to ensure that organisations adopt a consistent set of security measures to protect cardholder account data proactively. The standard will be updated as new payment security risks are identified.

Adherence to these standards became a mandated requirement in July 2007 for all organisations that handle credit and debit card transactions, or that provide systems or services which do.  However, many companies are still not compliant, and non-compliance can result in hefty fines and, ultimately, withdrawal of payment services.  The largest merchants, those handling over 6 million transactions a year, are expected to comply first, with smaller merchants following, working towards a deadline of December 2008.  Companies offering systems or services that handle credit and debit card data will also need to comply, or risk losing the business that depends on it.

The PCI requirements, like many standards, are just a framework and so by their nature are quite generic. This can make it difficult to pin down exactly how they should apply to your business, your systems and your processes. Anyone who has implemented an ISO standard, such as ISO 9001, will be all too familiar with this problem.

The good news, of course, about a framework such as this is that it’s prescriptive about what needs to be done but not always about how it should be done, so allows you some leeway to implement the approach in a manner that suits your business and the way you like to operate.

So what are these standards really about?

The key information that the standard is concerned with is known as ‘cardholder data’.  The PCI DSS defines this as the full magnetic stripe, or the PAN (the card number) plus any of the following: cardholder name, expiration date and service code.  (The service code is a three-digit value encoded on the magnetic stripe that says where and how the card may be used; it is not the printed security code.)  In practice, however, many of the requirements deal with general good practice in system and data security and have nothing directly to do with card data at all: for example, ensuring that each user of your system has a unique user ID and a password that cannot easily be guessed.  If your system security is already top-notch, you will be a long way there already.  If not, you may have a lot of work to do.

Let’s have a look into the essence of what these standards are really getting at. There are 12 main requirements which are grouped under 6 main headings.  Here are the headings with my simple explanation of the requirements underneath each:

1. “Build and Maintain a Secure Network”
Install and maintain a firewall between your systems and the outside world, and never run systems on vendor-supplied default passwords or settings.

2. “Protect Cardholder Data”
Protect cardholder data wherever it is stored, and even when being transmitted outside your secure network.

3. “Maintain a Vulnerability Management Programme”
Keep your systems protected against known weaknesses: use up-to-date anti-virus software and apply security patches to systems and applications promptly.

4. “Implement Strong Access Control Measures”
Install and maintain strict controls around system access, even access to the physical bits of hardware, ensuring only those people who actually need to see cardholder data have access to it.

5. “Regularly Monitor and Test Networks”
Monitor and track access to systems and, more specifically, cardholder data within systems.  Also, regularly test the security systems that have been put in place.

6. “Maintain an Information Security Policy”
Implement and maintain a policy for the security of information in your business, and make sure your people know about it.

A common misconception about the standard is that it only applies to credit or debit card numbers.  In fact, the PAN is the one element that must be rendered unreadable wherever it is stored (encryption, meaning converting it into something incomprehensible using a ‘key’ so that only a holder of the matching key can restore it, is the usual approach, but truncation, strong one-way hashing and index tokens are also permitted); related information such as expiry dates, issue numbers, customer names, addresses, etc., must still be carefully protected under the other requirements.  One further point the standard is absolute about: sensitive authentication data, meaning the full magnetic stripe contents, the three- or four-digit card verification code and the PIN, must never be stored after a transaction has been authorised, encrypted or not.

The 12 requirements under these headings are broken down into 64 more specific sub-requirements (numbered 1.1, 1.2 and so on), most of which have further detailed points and test procedures beneath them.  I don’t propose to list them all out here - suffice to say that the PCI council has been very thorough in covering the areas that could lead to a security breach and, in turn, to card fraud.  Interestingly, as you can see from these 6 headings, only number 2 is directly concerned with the form in which cardholder data is held inside your business.  The others are all about stopping any unauthorised or unscrupulous activity that might compromise that data.

Is everyone affected in the same way?

The card brands (the Visa scheme is the one usually quoted) categorise merchants into 4 levels, each with its own compliance criteria, based on the annual number of credit/debit card transactions that your business handles, as follows:

Level 1 - over 6m transactions a year, or any merchant whose cardholder data has previously been compromised. An annual onsite assessment by a Qualified Security Assessor (QSA) and quarterly external network scans by an Approved Scanning Vendor (ASV) are required.

Level 2 - between 1m and 6m transactions. An annual self-assessment questionnaire and quarterly ASV network scans are required.

Level 3 - 20k to 1m e-commerce transactions.  An annual self-assessment questionnaire and quarterly ASV network scans are required.

Level 4 - everyone else.  An annual self-assessment questionnaire and an annual network scan, although the precise requirements for this level are set by your acquiring bank, are still under debate and may be relaxed in future.

What will happen if I don’t comply?

In theory, each payment brand will take whatever action it feels is appropriate (and achievable) to enforce these standards.  At the moment there isn’t a set fine, and the PCI council itself doesn’t impose penalties; they come from the brands, via your acquiring bank.  Each brand is likely to want different evidence that you are compliant and, in extreme cases, may withdraw your ability to accept its cards.

The original deadlines set for compliance have now passed, so the brands and acquirers will probably be setting dates based on factors such as your level and the size of your business.  Your acquiring bank is the best place to find out what date you need to work to, and what penalties you can expect to pay if you’re not compliant in time.

How do I go about implementing these standards into my business?

So, what do you need to do to implement these standards into your business?  And how can you ensure that you are compliant with a standard, if it’s so generic?

Firstly, it’s important to review each of the standards carefully and assess how it applies to you and to your business.  You may already have some of these things covered, so it’s a good idea to find those straight away and tick them off the to-do list.  This should leave you feeling slightly happier and with a more focussed list of work to be done.

A number of the requirements are things which are going to need a business process change rather than a system change. For example, users of a system being forced to regularly change their passwords.  You’ll be able to confirm whether your systems are capable of this, or change them to make it so, but it’s not quite so simple to establish whether your people are actually using the facility.  So, identify the standards that cover a business process in this way and think about how you’ll implement them, and how you’ll confirm that they are being adhered to.

You’ll also need to think carefully about where your credit and debit card data is being captured, stored and sent. Ideally it would stay masked or encrypted at all times, but of course that just isn’t practical: at the points where the PAN is actually used it has to be decrypted and visible.  It must then be re-encrypted, or discarded, as soon as that use is finished, and the clear-text value must not leak into logs, reports or screen dumps along the way.  Find these points as early as possible and decide how each one will be handled.

It’s important to remember that any form of recording or transmission is covered by these standards, so e-mails, paper forms and letters are just as much of a security risk as computer systems.  Make sure you know where these other channels are used in your business, and that you are doing something to control and audit their use.
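The two paragraphs above boil down to a discovery exercise: before you can confine card data, you have to find where it already sits, including the mail and call notes nobody thinks of as ‘the system’. The following is an added example, not code from the original article or from Eximium, of the kind of scanner a practitioner runs over mailboxes, ticket exports and logs. It looks for 13 to 19 digit runs, discards anything that fails the Luhn check every real card number satisfies (which removes most order numbers and timestamps, though not all), and reports what it finds masked so that the scan report itself does not become another place card numbers are stored. The sample text, the regular expression and the function names are my own; the card numbers in it are the standard Visa and MasterCard test numbers, not real cards.

```python
import re

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or hyphens,
# not preceded or followed by another digit.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """True if the digit string passes the Luhn (mod 10) check every PAN must satisfy."""
    if not digits.isdigit() or not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """First six and last four digits only, the most a PCI DSS display should ever show."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str) -> list:
    """Scan free text (mail, form dumps, logs) for Luhn-valid PANs; report them masked, never in clear."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):     # Luhn filters most order numbers and timestamps, not all
            hits.append({
                "line": text.count("\n", 0, m.start()) + 1,
                "masked": mask_pan(digits),
                "length": len(digits),
            })
    return hits


# Constructed sample: a customer e-mail pasted into a ticket plus a terminal log line.
# The card numbers are the standard Visa/MasterCard test numbers, not real cards.
SAMPLE = """\
From: customer@example.com
Subject: refund please
Card: 4111 1111 1111 1111 exp 09/09
Order ref 1234567890123456
2008-05-01 12:00:01 POS auth pan=5500000000000004 amount=19.99
Typo in the call notes: 4111111111111112
"""

if __name__ == "__main__":
    for hit in find_pans(SAMPLE):
        print(f"line {hit['line']}: {hit['masked']} ({hit['length']} digits)")
```

Run against the sample it reports the card in the e-mail and the one in the log line, and ignores the 16-digit order reference and the mistyped number on the last line, both of which fail Luhn. A hit in a mailbox or a log file is exactly the ‘other method’ the paragraph above warns about, and it needs a home in your to-do list alongside the system changes.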

The standards call for you to protect cardholder data from prying eyes and not to expose it to the risk of theft, even by your own support staff. This is harder than it sounds!  Usually there are back doors, such as direct database access or admin screens, that allow support staff to view and even amend data. This won’t be allowed in future except in the most extreme cases and, even then, use of such a facility has to be tightly controlled, limited to the people who need it, and audited.

Think carefully about your support processes because these changes could have an impact on your people’s ability to handle certain transactions in your business successfully. For example, are there any regular processes in your business that involve someone either looking at or manipulating card data?  If so, you’ll need to find these and start working out an alternative approach to handling them.

What about processes that rely on the card details themselves? For example, do you process credit card chargebacks?  These often start with a search of your system by the customer’s card number, which will not work once the numbers are encrypted!  Check these situations out carefully.
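The three points raised above, that the PAN must be unreadable at rest, that support staff should see only a masked value, and that chargebacks still need a lookup by card number, are usually solved together. The example below is added here and is not code from the article or from Eximium; the store, the key and the order records are hypothetical. It shows why the obvious shortcut of keeping an unkeyed hash of the PAN as the search key is unsafe: the card number space is tiny once the first six and last four digits are known from a masked receipt, so the six hidden digits fall to a brute-force search of at most a million hashes. A keyed HMAC gives the same stable lookup key for the chargeback search but cannot be reversed without the secret, which must be kept and managed separately from the data (assumed, not shown). The full PAN itself is assumed to live encrypted in a separate vault; the store holds only a reference to it.

```python
import hashlib
import hmac
import itertools
import secrets
from typing import Optional


def mask_pan(pan: str) -> str:
    """First six and last four digits only: what a support or chargeback screen may show."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def plain_hash(pan: str) -> str:
    """Unkeyed SHA-256 of the PAN. Looks unreadable, but see recover_from_plain_hash()."""
    return hashlib.sha256(pan.encode()).hexdigest()


def recover_from_plain_hash(target_hex: str, first6: str, last4: str) -> Optional[str]:
    """Given the masked form (first six + last four, as printed on receipts) and an unkeyed
    hash, brute-force the six hidden digits: at most a million SHA-256 calls."""
    target = bytes.fromhex(target_hex)
    for middle in itertools.product("0123456789", repeat=6):
        candidate = first6 + "".join(middle) + last4
        if hashlib.sha256(candidate.encode()).digest() == target:
            return candidate
    return None


def search_token(pan: str, key: bytes) -> str:
    """Keyed HMAC-SHA256 of the PAN: stable for lookups, useless to an attacker without the key.
    The key is assumed to be held in a key-management system separate from the data."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


class CardStore:
    """Hypothetical order store that never holds a clear PAN: just the masked form, the
    search token, and a reference to the encrypted copy kept in a separate vault (assumed)."""

    def __init__(self, key: bytes):
        self._key = key
        self._rows = {}

    def add(self, order_id: str, pan: str, vault_ref: str) -> None:
        self._rows[order_id] = {
            "masked": mask_pan(pan),
            "token": search_token(pan, self._key),
            "vault_ref": vault_ref,
        }

    def find_orders_by_pan(self, pan: str) -> list:
        """Chargeback lookup: the acquirer gives you a PAN, you match on its token, not the PAN."""
        token = search_token(pan, self._key)
        return sorted(o for o, r in self._rows.items() if r["token"] == token)

    def support_view(self, order_id: str) -> str:
        """What a support agent sees: the masked PAN only."""
        return self._rows[order_id]["masked"]


# Hypothetical per-deployment secret; in practice loaded from an HSM or key-management service.
DEMO_KEY = secrets.token_bytes(32)

if __name__ == "__main__":
    pan = "4111111111111111"           # standard Visa test number, not a real card
    print("masked:", mask_pan(pan))
    print("unkeyed hash recovered:", recover_from_plain_hash(plain_hash(pan), pan[:6], pan[-4:]))
    store = CardStore(DEMO_KEY)
    store.add("ORD-1", pan, "vault:1")
    store.add("ORD-2", "5500000000000004", "vault:2")
    store.add("ORD-3", pan, "vault:3")
    print("chargeback lookup:", store.find_orders_by_pan(pan))
    print("support sees:", store.support_view("ORD-1"))
```

The recovery function is the check to run on any proposal that ‘hashes the card number so it is safe’: if it comes back with the PAN from a masked receipt in a second or two, the hash is not a protection. The HMAC token meets the chargeback team’s need to search by card number without anyone in the business, including the database administrators, being able to read the numbers back out.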

OK, I’ve started work on this but what will all this change mean?

Let’s have a look at the type of testing need all this will create.  At the end of last year we completed a testing project for one of our customers to help them ensure that their system met the requirements for the PCI DSS.

We undertook the work in 4 streams:

1. We needed to prove that the changes to their system achieved what they were supposed to have done.  In essence, were they doing what it said on the tin?

2. Then we had to confirm that the changes had led to the requirements under the PCI DSS being either met or exceeded.

3. Also, it was important for us to confirm that everything else still worked correctly on their system, i.e. that the changes hadn’t broken any of the important processes they already used.

4. Lastly, we had to check that other changes they had had to accept as part of the upgrade were also working correctly.  Their system is essentially a package, so some dependent updates were also provided by the software provider to make the PCI changes work.  This issue may or may not affect you.

After we had completed our testing successfully, we handed everything back to our customer so they could start their own testing, to make sure everything was fit for purpose for their business and their business processes.

I can’t stress strongly enough that all the changes you are going to need to make, whether they are to your business processes or your systems, are going to need to be tested thoroughly.  Don’t just implement them and expect them to work.

Hopefully, that gives you something of a flavour as to how complex testing something like this can be, and what all this change is going to mean to you.  The bigger companies are spending millions of pounds getting this right.

So what do I do next?

The best place to start is to download the standard itself and the Self-Assessment Questionnaire from the PCI website at www.pcisecuritystandards.org.  If you want an independent view of how much work you’ve got to do, a Qualified Security Assessor (QSA) can carry out a gap assessment; an Approved Scanning Vendor (ASV) is the body that runs the quarterly external vulnerability scans, and you will need one of those in any case.
Also, if you haven’t already done so, I’d talk to your acquiring bank as soon as possible and confirm with them what level merchant you are.  Oh, and don’t forget to ask them that all important question about when you need to be compliant by, and how much it will cost you if you’re not ready by then!

Ultimately, this could be a complicated and costly process.  But, it’s worth remembering that it’s an important investment in risk reduction.  And, according to statistics from Visa Europe released in January this year, 84% of customers want to shop with merchants who are security market leaders and 75% say they would not shop at a store that had suffered a security breach.

Derrick Cameron is Managing Director of Eximium Ltd, who specialise in helping businesses use their IT to solve their business headaches.  For further information or advice on the use of IT in your business, please see www.eximium.net or call 01582 635 078.


IT Consultancy, Bedfordshire

News

Business owners increasingly clinching deals on the move

Nearly half of UK SME bosses have won business by being able to respond to prospects while on the move, according to a survey by Research In Motion.  The research also suggests that the majority of SME decision makers are out of the office for significant periods at least twice a week.

The need to juggle business requirements and communications on the move is therefore of vital importance. Two thirds of respondents said that ‘regular communication’ and ‘reacting quickly to queries’ are the two most critical aspects in successful relationships with customers.

However, despite 65 per cent of SMEs stating that keeping in touch with business stakeholders is ‘very important’ or ‘important’, nearly a third still use letters as the preferred method of communication.

“It is commonplace for SME owners to spend large amounts of time out of the office, and multitasking is often essential to keep their business moving,” said Derrick Cameron, MD of Eximium.

“However, customers and prospects expect a certain level of service and speed of contact regardless of whether they are in the office or not. It is becoming ever more important to use reliable mobile solutions.  They are essential to the success of SMEs in the UK and across Europe, so adopting the right tools and procedures from the beginning is key to long term success.”

The proportion of SME bosses who have clinched a deal while out and about is around 62 per cent across Europe, rising to 86 per cent in Spain.


IT Consultancy, Bedfordshire

Paula Wheatcroft, Ops Director of Eximium Ltd

System integration is the key to managing your e-commerce business and not just your website

Web sales are key to any retail business, but e-commerce is not just about the shopping basket and the parts of the website that the customer sees. In a recent article, President and CEO of NetSuite, Zach Nelson, raises many valid points.  He says you must ensure that your whole business can support the sales process through the efficient integration of your website, front-office and back-office systems.

Zach’s article advises 2 main things to think about:
1. What information is available at various stages of the process
2. The speed at which information is available

There will always be questions that cannot be answered by your website. You need to ensure that when a customer calls, customer support and administration staff have enough information to be able to respond to the enquiry effectively. Central customer information, such as a customer account, can also show what sort of experience each customer is having, whether good or bad. It can identify your good customers that you want to retain, and warn you about your bad ones!

Your Marketing department also needs enough information about your customers and how they are using your website to be able to understand what your customers want and need, so they can direct your business where it will be most effective.

If you have this sort of information available, how quickly is it being transmitted between systems? Customers expect instant results and are disillusioned when information such as stock levels is incorrect. This can also incur unnecessary costs for your business when you cannot fulfil customer orders. Real-time data can make the difference between an average business and an efficient, streamlined business that customers want to come back to, and effective integration between your systems can help you achieve this.

System Integration is one of the areas we specialise in, as it helps business owners get the most out of their existing IT – and it doesn’t have to cost the earth. We see a lot of cases where 2 or 3 good systems are doing a decent job individually, but where greater benefits could be realised if they simply shared information efficiently between them. If you would like any advice on how to get your systems talking to each other, or would like to arrange a free visit from one of our consultants, please go to www.eximium.net/contactus.asp

To read Zach’s full article see www.inc.com/resources/technology/articles/20070501/nelson.html


IT Consultancy, St Albans

News

Happy birthday to an unwelcome guest - 30 years since the first junk e-mail was sent

Security researchers from across the UK are giving a tongue-in-cheek salute to the 30th anniversary of the first spam message. Gary Thuerk is generally credited with sending the first junk e-mail.  At the time he was an employee of the Digital Equipment Corporation (DEC), and on 1 May 1978 he sent a message over Arpanet to hundreds of fellow users.

The message advertised the latest DEC computer systems, and received a less than enthusiastic reaction from fellow users. Arpanet has since evolved into the modern day internet, and DEC was purchased by Compaq and later HP.

So, 30 years on, why does spam still exist?  Security firm Sophos noted recently that some 10 per cent of respondents to a recent survey admitted to purchasing spammed products.

“The truth is that, much as we all say we hate spam, if an e-mail for a product or service arrives that we are interested in, we buy it.  If users didn’t buy the goods, spam would soon dry up.  The spammers wouldn’t make any money and their activities would stop,” said Derrick Cameron, MD of Eximium.

“What amuses me about most of the spam I receive,” adds Derrick, “is that I have no idea what it is meant to be selling me!  I’ve always been at a loss to understand how or why this type of spam seems to be growing.

“What started out as a single message 30 years ago has grown into a global problem that clogs inboxes the world over and makes returning from holiday that little bit more bothersome,” adds Derrick.


IT Consultancy, Luton

Derrick Cameron, MD of Eximium Ltd

What lessons can be learnt by business owners from the events at Terminal 5?

Implementing a major change in your business can be a daunting time, and rightly so.  A lot more than your hopes for the future are pinned on it. The reputation of your business is also often at its mercy.
There are some key steps that you can take, particularly where any kind of technological change is concerned, to stop this kind of disaster occurring:

1. Planning is the glue that will hold everything together. Think carefully about how things are going to work and allow time to make sure everyone’s plans are going to be effective. It’s impossible to think of everything but too much change surfacing later on due to bad planning will cripple your project.

2. Good project management is the key, so find yourself an effective and creative project manager. Someone who will get their hands dirty and work with the team to sort things out when issues come up, not just collate everyone else’s actual effort and report it back to you once a week. And don’t believe them if they tell you they’ve brought every project they’ve done in on time and to budget, because general opinion is that over 95% of all business change projects have gone over on both, so they won’t be telling you the truth, and that’s a bad start to the arrangement. Better to find out what they did when things went wrong, and what strategies they employ to get back on track.

3. In these days of business reliance on computers, don’t forget that most business process changes mean you will need IT system changes, and vice versa. They go hand in hand and you need to ensure that they are dealt with as a concerted effort. If they don’t work together successfully, your project will be doomed to failure.

4. Don’t set dates too aggressively. Most things take longer than we expect them to and your project won’t be any different, so leave yourself some contingency to fix your unexpected issues - somewhere between 20 and 30 percent is normally a good place to start. Equally, costs normally overrun, because all those unexpected things will cost more, so allow plenty of contingency in your budget.

5. Make sure you know the real story about how things are going. People don’t like giving bad news so no-one will want to tell you if it’s not looking good for your launch date. Often, it becomes exactly like the story of the emperor’s new clothes. You need to find a way to get to the truth, by showing them you really want to know what’s going on, won’t sack them if you hear bad news, and are prepared to do something about it. Also, try and find a key informer in the team, who you trust to give you the scoop, and keep in touch with them.

6. Use your team. Between them, they will have a lot of experience and knowledge, so put it to the best use by listening to what they have to say. If they think something might be wrong, you should pay attention and not ignore it, because they’re probably right.

7. Make sure you have a regular meeting with the key team members to review progress and any major risks and issues. Try and create an atmosphere of straight talk only, because that will help you get to the bottom of what problems might hold you back.

8. Equally, nothing can kill a project quicker than poor communication. Get an effective communications strategy in place early on, so that information can flow around the project team, and to you and your management team and back, with ease. As with everything, if everyone knows what they’re doing and why, you’ll have a greater chance of success.

9. A key part of any change project is controlled and thorough testing.  Changes to your processes and your systems need to be put through their paces at all the various points along the way, and by various people at each stage. Don’t skimp on testing because it is essential to understanding whether your changes are going to work, and what unanticipated issues there are hiding away.  Your business people should be involved in their own phase of testing, called User Acceptance Testing or UAT, where they confirm that the system and business processes are fit for purpose.

To get the maximum benefit, testing must be done in a controlled way (i.e. like a scientific experiment, with controlled inputs and pre-determined outputs). A lot of people say they are testing when they are just ‘trying it out’, which simply can’t prove it will work in all the key scenarios for your business.

Also, you must make sure that, as well as testing parts of your process and system changes in isolation, they are also going to be tested altogether, in an end-to-end way. That’s often when the really important and surprising results come out.

So check the testing strategy carefully to confirm that the testing is going to be controlled and thorough.

10. Once problems have been found in testing, make sure you and your senior business people are involved in making decisions on which ones need to be fixed and which could be ‘lived with’. Research suggests that it can cost up to 20 times more to fix problems after launch than if you fix them during the development process, so you need to think carefully before putting things off.

Equally, having too many workarounds can really hamper a business, and won’t help you sell the benefits of the change to your staff, suppliers or customers.

11. When you get right up against your launch date, have a thorough review of the situation. Get everyone in a room, tell them you want straight talk only, and find out if the project is ready or not. Get to the truth and pay attention to any concerns people have.

If it doesn’t sound like everything is ready, then put it off. But not for a week - nothing can be done in a week. Put it off for at least a month, longer if necessary. If it’s not ready, don’t be tempted to rush it in and ‘see what happens’. Headlines are made out of those decisions, when it all comes crashing down, and it won’t be good PR for you. People won’t forget it easily, either, because anything negative sticks in people’s minds.

12. Don’t cut corners and compromise on quality. The best things take time and money to get right. If you skimp, you’ll get what you paid for, and you’ll simply pay the price later on sorting it out.

13. Allow for extra support cover when your project launches, as there will be problems. Anyone who tells you otherwise is lying. Put procedures in place that will help you identify, analyse and fix problems as soon as possible. And don’t be shy about admitting you might have some teething problems to your customers. They’ll appreciate your honesty and give you some leeway. But, if you keep them in the dark, they’ll be spitting blood if things go bad for them.

14. Contract staff are great - we use them all the time. But don’t rely on them too heavily for your project. They’ll disappear when it’s all over, and the knowledge of what went on and why will disappear with them, so keep a healthy balance of permanent staff on the team - a 60/40 split in favour of your own people is the minimum I would recommend.

Change is always a difficult beast to manage, but if these internal procedures are in place, by the time you come to launch in public you should appear reliable, professional and in control. As BA may discover to their cost, getting it wrong in the outside world is an expensive business.

Derrick Cameron is Managing Director of Eximium Ltd, who specialise in helping businesses use their IT to solve their business headaches. He has been in the IT industry for 20 years. For further information or advice on the use of IT in your business, please see www.eximium.net or call 01582 635 078.


IT Consultancy, Bedfordshire

News

Businesses could be forced to fund new e-crime unit

The Home Office is currently considering whether business will be expected to help fund a new police e-crime unit. Not surprisingly, the private sector has said that the core funding for such a unit must come from the government.

The proposal stems from a suggestion that the Policing Central E-crime Unit, as proposed by the Association of Chief Police Officers (ACPO) and the Metropolitan Police Service, would be jointly funded by the Home Office, ACPO and businesses.

Derrick Cameron of Eximium comments, “It’s pretty obvious that e-crime is a problem for everyone in society and affects businesses as well as consumers. Whilst it is in the interests of companies who sell online that it is properly policed, it seems unreasonable that they should be expected to pick up the tab. The funds should come from general taxation.”

Derrick goes on to add, “As an economy, we should be encouraging business owners to do more online not asking them to pay more if they want to trade on the web.”

The unit would be aimed at stopping the criminals whose attacks are eating into the profits of a growing number of businesses. Some still hack for amusement, but it is taking its toll on company profits, and many attackers now run operations with business models nearly as sophisticated as those of legitimate software providers.

“Cyber crime is no longer something that affects only big businesses — it affects small businesses just as much; in fact, there are few aspects of the economy not affected by it. Let’s hope the e-crime unit is up to the significant task ahead of it,” adds Cameron.


IT Consultancy, Beds Bucks and Herts

News

Businesses leave valuable data untouched

Almost every business already has valuable information about its customers at its disposal. With recent technological advances in printing making personalised direct mail campaigns affordable, there has never been a better time to apply the data mining techniques used by direct marketers to predict customer behaviour.

Business to business or b-to-b marketing is one of the more challenging areas. B-to-b marketers have been slower to adopt database marketing best practices. They tend not to have the in-house expertise to leverage the historical information from their customers, which might help segment their customer base and make the most use of customer data.

Working with a combination of in-house transactional data as well as overlay business “firmographic” information, companies can target their current customers and also understand where to find new clients that resemble their best customers. Studies show that an existing customer is 7 times more likely to buy from you as a stranger.

Many companies don’t track the amount of money their customers spend, making a ‘lifetime value’ figure for the average customer impossible to price. This makes it very difficult to accurately gauge how much to spend on marketing. That process can be as simple as tracking total sales or as complex as completely analysing their transactional history and corresponding profitability. Most business owners tend to think of a customer based on the current transaction; they tend to be more transaction- than customer-focused, not looking at the bigger lifetime picture.

Derrick Cameron from Eximium comments, “What was once very difficult to track and monitor can now be simplified through the intelligent use of IT. Once the systems are in place, monitoring this type of essential information becomes quite straightforward.”

Here are Derrick’s three key tips for getting more out of your existing customer data:

1) Be clear what you want. Data mining techniques are useless if you don’t know what you want to achieve. You don’t want to data mine for its own sake. You want to make sure that the information you retrieve can be applied to winning or converting more clients or up-selling to existing clients. Focus your data mining on areas where you are producing results that can be implemented into tactical initiatives. Use the information to achieve your marketing objectives. It’s all about planning and preparation.

2) How current and reliable is your customer data? Perhaps it’s time to conduct a data audit. Find out how accurate it is and assess the information based on its origins. Did the information come from the customer directly, during the point of sale, or from a third-party source? Look to your marketing objectives to determine what information is required. Track all transactional history back to the customer mapping. A common issue is the use of different versions of a company name in your database. One day the order might be placed using ‘Ideal Marketing’ as the customer name. The next time, you might use ‘The Ideal Marketing Company’ or even an acronym such as ‘IMC’. You need to make sure those purchases are being linked to that same customer to ensure the accuracy of your analysis.

3) Keep it clean. It’s worth doing a final manual check to spot potential errors, undefined fields or duplication. The follow through from the data audit is to make sure you capture all the information you can on a customer, and to make sure you can match those transactions.


IT Consultancy, Buckinghamshire

News

Britain tops poll for social networking sites 

It seems that the UK has topped the poll for at least one area in Europe – we are the keenest users of social networking in Europe, spending more time on them than anyone else across the continent.

In fact, 4 out of 10 adults in the UK regularly visited social networking sites during 2006 - more than anywhere else in Europe - according to OFCOM figures published this month.

Last year, users spent on average 5.3 hours per month on the sites and returned to them 23 times during each month. The UK led the way in a number of other areas, with slightly more than half of all UK households having a broadband connection by the end of 2006 - edging ahead of the US.

“These findings have an impact on 2 important areas for British businesses,” says Derrick Cameron. “First of all, how much time is spent on these sites during work hours, and what are companies doing to monitor the situation? Secondly, what are companies doing to make the most of the popularity of these sites – in terms of a presence?” he concludes.


IT Advice, Bedfordshire

Derrick Cameron, MD of Eximium Ltd

Learn your lesson from Revenue and Customs to avoid a security meltdown

There have been shouts of ridicule at the recent security failings of Revenue and Customs (HMRC) which enabled the sensitive details of millions of child benefit recipients to get ‘lost’ somewhere within their postal service. But there is actually an important lesson to be learnt here. It’s easy to point the finger of blame with the benefit of hindsight, but it’s an episode which business owners would do well to view as a warning and learn from. Data is a valuable resource which can be easily lost or stolen if stringent security measures aren’t in place and actively enforced. The responsibility for making sure that this happens starts right at the top of your organisation, with you, explains Derrick Cameron, Managing Director of Eximium.

Businesses across the UK and the world have spent a lot of time and money ensuring that data is well secured within the virtual world of their computer systems with limited access, passwords, encryption etc. Organisations such as HMRC no doubt have rigorous procedures to protect the data while it is inside their computers – but information exists to be used, which automatically puts its security at risk. So what procedures do you have in place to ensure the protection of your data once the information leaves the security of its virtual world?

Protecting data on the move

Start by identifying all the potential ways that sensitive information could find its way out of your systems and your organisation, and make sure you have strict policies and safeguards to address any areas of risk. Ideally, different organisations’ systems should be able to talk to each other, so that passing data between them using an insecure medium such as CDs or flash drives is unnecessary. But for many companies this is still some way in the future, so if it isn’t possible you need, at the very least, to ensure that security procedures for the physical world are as stringent as those for the virtual world inside your computers.

When data is transferred between parties, it is at its most vulnerable, so look at ways of making the transfer process as safe as it can possibly be. Electronic transmission methods, such as secure FTP (File Transfer Protocol), or a secure site to site connection using a leased line or a VPN (Virtual Private Network) over the Internet are both preferable options that ensure the data cannot be seen by unauthorised personnel.

If you have no choice but to resort to using CDs or other removable media for the transfer of sensitive information, don’t use couriers or postal services unless absolutely necessary. It’s far more secure for an employee to hand deliver the media, making sure that it has reached the correct personnel at its destination. You also need to have a policy on what happens to the media once it has been used - ideally it should be returned to the source to be destroyed. Whilst this isn’t a foolproof method, it does enable you to track your data and ensure its safe return.

Don’t let your staff be your Achilles’ heel

As appears to be the case with HMRC, many security breaches are committed by the people who work for you – often unwittingly. Equally, hacking and other deliberate attempts to access secure information often begin as an approach from someone trying to get sensitive information from an employee, using a confidence trick – known as social engineering. A social engineer may well pretend to work for your company and get an unsuspecting member of staff to reveal confidential information: for example, by pretending to work for your company’s IT section and asking an employee for their password ‘to confirm their login details are working’. From here, the skilled social engineer may then be able to access your sensitive data however they want to, whenever they like – and all that information is now at risk.

However, there is something you can do to help prevent this happening in your organisation, and it is really quite simple: communication. It is often easy to assume that everyone who works within your company has the same understanding of data security as you do – but this is rarely the case. As the manager, owner or director of an organisation, it is your responsibility to ensure that those who work for you understand the what, why and how of data security.

Making policy practice

Your starting point should be a clear and practical data security policy which everyone is aware of, has read, understood and signed – even the cleaning staff. Put policy into practice and communicate the gravity of data security by making any violation a dismissible offence. Your staff must know which data is sensitive, why, and how to protect it. After all, if this isn’t made clear to your people, how can they be expected to ensure its security?

First and foremost, your staff need to understand why they must never give sensitive information out to anyone unless the proper procedure has been followed – unfortunately employees at HMRC have learnt this the hard way. In addition, if a third party does need access to data, make sure they only receive the information they need, and that any sensitive data is either encrypted, removed or disguised. In this case at Revenue and Customs, the National Audit Office didn’t actually need most of the sensitive information on the disks - like bank details - so this information was exposed to unnecessary risk. Further errors of judgment and common sense were revealed in the subsequent story of KPMG receiving copies of similar disks. In this instance, they requested only a fraction (1500 or so) of 25 million records that they were actually sent!

Keeping control over what people can access is vital: if someone needs to retrieve sensitive information, the safest choice is to give them a user ID and password which enables them to access the system directly. You can then control exactly what information they are able to see and what they can do with it. Similarly, if analysis of data is required, it is better for someone in your organisation to create a report that carries out the analysis, and send this to the third party rather than all the detailed information in the source database. The golden rule is to limit access to data so that people see only the information that they need – never expose sensitive data unless absolutely necessary.
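The two points above (give a third party only the fields it needs, with sensitive values removed or disguised, and prefer sending a report over sending the raw database) can be made routine with a small release step. The following is an added example written for this page, not code from the article or from Eximium; the records are constructed sample data, not HMRC data, and the key used to disguise identifiers is a hypothetical value that only the sending organisation would hold.

```python
"""Added example: preparing a customer extract for a third party so that
it carries only the fields they have justified a need for.

RECORDS is constructed sample data (no real people). The pseudonymisation
key passed to prepare_extract() is hypothetical and stays with the sender.
"""
import hashlib
from collections import defaultdict

# Constructed sample records. In the article's scenario the recipient
# (an auditor) needs to check payments, not to see bank details.
RECORDS = [
    {"id": 1001, "name": "A. Example", "postcode": "LU1 3LU",
     "sort_code": "12-34-56", "account": "12345678", "payment": 80.00},
    {"id": 1002, "name": "B. Sample", "postcode": "LU2 9AB",
     "sort_code": "65-43-21", "account": "87654321", "payment": 120.50},
    {"id": 1003, "name": "C. Fictitious", "postcode": "LU1 5XY",
     "sort_code": "11-22-33", "account": "11223344", "payment": 80.00},
]

# Fields that must never leave the organisation in a third-party extract.
SENSITIVE_FIELDS = {"name", "sort_code", "account"}

# Fields the recipient has actually justified a need for: the article's
# "limit access to data so that people see only the information they need".
FIELDS_FOR_AUDIT = {"id", "postcode", "payment"}


def minimise(records, allowed_fields):
    """Keep only the columns the recipient needs; every other column is removed."""
    return [{k: v for k, v in r.items() if k in allowed_fields} for r in records]


def pseudonymise(value, secret):
    """Disguise an identifier with a keyed hash. The recipient can still match
    rows between extracts, but cannot recover the real id or link it to other
    data without the key held by the sender."""
    return hashlib.blake2b(str(value).encode(), key=secret,
                           digest_size=8).hexdigest()


def prepare_extract(records, allowed_fields, secret):
    """Minimise, disguise the id, then refuse to release the extract if any
    sensitive column survived (a check on the release step, not on people)."""
    extract = []
    for r in minimise(records, allowed_fields):
        if "id" in r:
            r["id"] = pseudonymise(r["id"], secret)
        extract.append(r)
    leaked = {k for r in extract for k in r} & SENSITIVE_FIELDS
    if leaked:
        raise ValueError(f"extract still contains sensitive fields: {sorted(leaked)}")
    return extract


def summarise(records):
    """The alternative the article prefers: run the analysis in-house and send
    only the report. Counts and totals per postcode area carry no individual's
    details at all."""
    totals = defaultdict(lambda: {"count": 0, "total": 0.0})
    for r in records:
        area = r["postcode"].split()[0]
        totals[area]["count"] += 1
        totals[area]["total"] += r["payment"]
    return dict(totals)


if __name__ == "__main__":
    key = b"hypothetical-key-kept-by-sender"
    for row in prepare_extract(RECORDS, FIELDS_FOR_AUDIT, key):
        print(row)
    print(summarise(RECORDS))
```

The useful property is that the decision about what leaves the building is written down once (the allowed and sensitive field sets) and enforced by the release step itself, so a junior member of staff running the export cannot accidentally send the whole table, which is exactly the failure the article describes.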

The faults in security at HMRC were many, and perhaps the most serious security breach was the fact that a junior member of staff was allowed access to extract a complete database of sensitive information, coupled with the fact that they were then allowed to put that unencrypted information in a packet and post it without any need for authorisation from a senior member of staff. Whether it was HMRC policy or practice at fault, or most likely a combination of both, the repercussions of this massive security breach will be felt for a long time to come. So learn from the mistakes of these embarrassed officials and make sure that you address these issues within your own organisation – or you could be next.

Derrick Cameron is Managing Director of Eximium Ltd, who specialise in helping businesses use their IT to solve their business headaches. He has been in the IT industry for 20 years. For further information or advice on the use of IT in your business, please see www.eximium.net or call 01582 635 078.


Business Advice, Bedfordshire

News

Eximium joins the Chamber of Commerce for Bedfordshire and Luton

Eximium announced today that it is to join the Chamber of Commerce for Bedfordshire and Luton.

The Chamber exists to promote the interests of local firms and encourage investment into the local economy. Derrick Cameron, Technical Director of Eximium comments “As we are based in the local community it makes sense to join an organisation that helps to promote the area. As well as enjoying the benefits of membership, we are looking forward to working with local firms in the area and being able to put something back into the business community.”

Eximium specialise in helping companies resolve their IT problems and also helping firms make the most of their business through the best use of their IT. “We are offering our £500 fact find service free to all Chamber members and we are confident that they will gain a lot from it” adds Cameron.


Business Advice, UK

News

Eximium registers with BSI for ISO 9001 & 20000 accreditation

Eximium has always put quality first and this month has registered with BSI for accreditation to the ISO quality standards of ISO 9001 (Quality Management) and ISO 20000 (IT Service Management).

This means that over the next 12 months, the company will be working closely with BSI to ensure that processes meet the stringent requirements.

Derrick Cameron, Technical Director of Eximium comments “Our accreditation with BSI to these standards will prove to our customers and suppliers alike that we view quality as a highly important aspect of our relationship with them”.

For more details about how Eximium is striving to meet high standards in all aspects of its business, contact them directly.


IT Consultancy, Dunstable

News

Eximium expands into new offices to accommodate growth

Business IT specialists Eximium have completed their move into their new office space at Regus Business Centre, Capability Green, Luton.

The decision to leave their current premises was largely down to space and the desire to have more flexibility in their accommodation.

“Our new offices offer a wide range of meeting rooms of various sizes. This means that we can meet up with clients, and offer training and workshop sessions, no matter how big the number. It’s also just off the M1 and close to Luton Airport so we can be in London, Birmingham or Glasgow for that matter, in just over an hour,” comments Paula Wheatcroft, Eximium’s Operations Director.

The new office is situated in the Capability Green business development, which is the premier business park of the east of England, according to the Bedfordshire & Luton Economic Development Partnership. It is close to the M1, M25, mainline trains into Kings Cross, London and Luton Airport. Eximium will share the site with companies such as Ernst & Young, Siemens plc, BAE Systems, Anritsu & AstraZeneca.


IT Consultancy, Harpenden

News

UK businesses under renewed attack from virus and spam attacks

According to the 2006 Annual Security Report published by MessageLabs, viruses and spam attacks are on the increase.

The key findings of the report include the frightening conclusion that spam volumes have increased by 70% in the last quarter of 2006. The outlook for 2007 looks bad for UK businesses, as they will be increasingly targeted by more malicious messaging attacks than previously.

Small to medium sized businesses are becoming a greater target, as they are often a gateway into the larger organisations that they serve.

After reviewing the report’s findings, Derrick Cameron, Technical Director for business IT specialist Eximium, concludes that “The report highlights just how important it is to get your email security working properly and explore new solutions”. He also feels it is vital to review security measures: “A lot of attacks involve ‘social engineering’, where members of staff are manipulated into giving out secure information by people posing as employees, security staff, etc. It is important to have a clear security policy to guard your valuable information and to be vigilant against this type of attack”.

Eximium is investigating new cost effective ways to guard remotely against viruses and spam and can be contacted directly for more information on how to prevent security breaches.
