Small businesses need better security advice


I was concerned to read a recent report of a study by SecurityMetrics, a vendor of merchant data security solutions, which claims that 71% of the merchants who took part were found to store unencrypted payment card data. This is a direct violation of the mandatory Payment Card Industry Data Security Standard (PCI DSS). And it apparently reflects an increase of 8% on last year.

Who is at fault? That's not difficult to pinpoint, given that Visa estimates that its smallest business customers account for 95% of its breaches. Why are small businesses to blame? The answer is that no one has bothered to educate them. Who should have done this? Industry and government are both at fault.

It is well over a year since the Information Commissioner's Office published my research into the availability of security advice for small and medium-sized organisations. It was pretty damning, pointing out that most advice was unsuitable, incomplete or in the wrong place. Amongst other things, it pointed to the absence of any advice on PCI DSS on the major educational sites.

The report was widely discussed and presented. Yet little seems to have been done. Where does one look? A quick glance at Get Safe Online turns up a blank on PCI DSS. A pointer from Get Safe Online to a Business Link site results in a server error on the first question. A pointer from Get Safe Online to Microsoft's Small Business Centre contains no mention of PCI DSS. A click to a Symantec guide results in an "access forbidden" message.

So who should take the lead on advice to small companies? Given that the UK Government has such a high-profile investment in cyber security, I think they should start to roll up their sleeves.


1 Comment

Try Googling PCI DSS, plenty of info there.

Businesses put plenty of effort into getting their tax and VAT right, because they know they will be hammered if they don't. Perhaps we need the same with cyber.


About this Entry

This page contains a single entry by David Lacey published on December 13, 2011 7:10 PM.

Following the rules of the game was the previous entry in this blog.

No fix in sight for SCADA security is the next entry in this blog.
