Everybody holds valuable information. A recent article by McAfee, “The Hidden Data Economy”, suggested that a payment card number with CCV (the 3-digit PIN on its reverse) sells for $20 to $25 in the UK. Online payment service details are even more valuable; depending on the account balance, the details sell for $200 to $300 each.
What should you do about this? Well, it depends on a number of factors, such as whether you deal with the general public (known as “business to consumer”) or just with businesses (“business to business”), what information you hold, the volume of information, and so on. And just who should you work with to help protect information? There is an almost infinite group of people who purport to be information security/cyber-crime experts, so just how do you go about choosing the right way forward?
One of the best things you can do is build a system to manage your information security, and have it independently validated. In this way you are making a public declaration that you take the subject seriously, and if, heaven forbid, the Information Commissioner’s Office [ICO] has reason to look into your business, the first thing they will ask is “what have you done to try to prevent breaches?”. They themselves have said they will look more favourably on an organisation that has taken positive steps such as ISO 27001 or BS 10012 certification.
There are three standards we recommend to people, depending on their situation, listed below. None are easy, but they do range in their complexity. Do read the individual standard pages for more information.
Episode does not claim to be information security experts. What we are expert at is building robust management systems. Whenever we build a system the first thing we do is bring in our information-security/cyber-security partner to conduct a technical review (using a variety of tools such as penetration testing, network “sniffers”, etc). Where between us and our client we believe we need specialist help, they can then address any issues found.