Businesses need to raise their game on the security of their web sites, as regulators and industry bodies begin to take a tougher line on compliance, a leading analyst has warned.
Graham Titterington, principal analyst at Ovum, said that businesses face a greater likelihood of enforcement action this year, if they lose data, or breach industry security standards.
"Proving your security is a non-trivial exercise and involves putting in a whole raft of measures. It's got the attention of the board and caused them to open their wallets," he said in an interview with Computer Weekly.
Sign-up to Computer Weekly to download Ovum's report: Security trends to watch in 2011
The industry security standard for web sites that sell over the internet, PCI DSS, will affect a wide range of businesses. The standard has been around for some time, but is now being enforced more vigorously, said Titterington.
"Organisations will have to take security more seriously. That is the message. PCI DSS has been around for ages, but security requirements that we have known about for a long time are suddenly becoming real. People will have to start raising their game," he said.
In the UK, the Information Commissioner, often regarded as a 'paper tiger' has acquired significant new powers to levy fines and is using them, said Titterington.
"If you look at the fines he has imposed where people have allowed data breaches as a result of serious negligence, it is clear he is prepared to punish in a meaningful way," he said.
Other regulators are also stepping up enforcement action.
Last year, for example, the FSA fined Nationwide nearly £1m for failing to properly manage information security risks after a laptop containing sensitive data went missing.
And it fined Norwich Union Life, £1.26m after fraudsters obtained sensitive customer data, including addresses and bank account details from its call centres.
In Europe, the Solvency II regulations will put new pressure on insurance companies - generally seen as lagging behind the rest of the finance industry - to improve their information security.
"If you are an insurance company it will be occupying a lot of your attention," said Titterington.
The trend to tougher regulation comes as business face growing threats from cybercrime. The black-market value of stolen credit card and bank details has collapsed, a factor which is encouraging hackers to target company data.
"The clever guys are going after more high-value intellectual property, sometimes stolen to order. They are not simply looking for credit cards, but information they can sell for a higher price, use for blackmail or monetise."
Some 3,000 US companies fell victim to hacking from China last year, said Titterington.
"Its not unusual for companies to find replicas of their products in the Far East before they are launched. Apart from loss of sales, it can undermine the brand when inferior copies come on the market."
"There has been a lot of hype, but the threat of information theft has been underestimated," he said.
Advice for businesses
- Identify key risks to your business and plan your security around them
- Keep multiple security logs and make them tamper-proof
- Make sure employees follow good security practices, for example not removing sensitive data on memory sticks
- Cut security costs by automating patch management
- Remember good security is as much about good processes and personal discipline as about technology
Sign-up to Computer Weekly to download more reports from Ovum