Security confidence and online services
Reminders of the impact that a compromised website can have on users and on an organisation's reputation surface regularly in the news. What should users and organisations look for when selecting a solution provider?
For the user, a data breach raises the fear that their personal details have been obtained and possibly misused. For the organisation, the cost is lost credibility, financial loss or compensation, and legal liability.
Some breaches have been traced to credentials stolen from an unrelated service and reused, most commonly because users chose the same password on both. Others are attributed to phishing campaigns that harvested the details needed to access accounts. Whatever the route of unauthorised access, security breaches of this kind lead to a loss of confidence in the organisations involved.
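The credential-reuse attack described above usually shows up in authentication logs as one source trying many different usernames, most of them failing, with the occasional success where a reused password happened to be valid. The following is an added example, not code from the original page or from Pinewood Technologies, of detection logic that flags that pattern. The log format (timestamp, source IP, username, outcome), the sample lines and the thresholds (at least five distinct usernames from one source, with failures making up more than half of its attempts) are all assumptions made for the example:

```python
"""Flag credential-stuffing activity in a simple authentication log.

Added example: the log format, sample lines and thresholds below are
constructed for illustration, not taken from any real system.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample log (not real data). Fields: timestamp, source IP, username, outcome.
# 203.0.113.7 walks through many accounts (credential stuffing), 198.51.100.4 hammers a
# single account (brute force), 192.0.2.9 is an ordinary login.
SAMPLE_LOG = """\
2024-03-01T10:00:01Z 203.0.113.7 alice FAIL
2024-03-01T10:00:02Z 203.0.113.7 bob FAIL
2024-03-01T10:00:03Z 203.0.113.7 carol FAIL
2024-03-01T10:00:04Z 203.0.113.7 dave FAIL
2024-03-01T10:00:05Z 203.0.113.7 erin FAIL
2024-03-01T10:00:06Z 203.0.113.7 frank OK
2024-03-01T10:01:10Z 198.51.100.4 alice FAIL
2024-03-01T10:01:15Z 198.51.100.4 alice FAIL
2024-03-01T10:01:30Z 198.51.100.4 alice OK
2024-03-01T10:02:00Z 192.0.2.9 grace OK
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (OK|FAIL)$")


@dataclass
class SourceStats:
    """Per-source-IP counters accumulated while scanning the log."""
    users: set = field(default_factory=set)
    attempts: int = 0
    failures: int = 0
    likely_compromised: list = field(default_factory=list)


def parse_log(text):
    """Return (timestamp, ip, user, outcome) tuples; malformed lines are skipped, not fatal."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            events.append(m.groups())
    return events


def detect_credential_stuffing(events, min_users=5, min_failure_ratio=0.5):
    """Return {ip: summary} for sources whose behaviour looks like credential stuffing.

    A source is flagged when it has tried at least `min_users` distinct usernames and
    more than `min_failure_ratio` of its attempts failed. Any username that succeeded
    from that source after earlier failures is listed as likely compromised, since a
    reused password from another breach is the usual explanation.
    """
    stats = defaultdict(SourceStats)
    for _ts, ip, user, outcome in events:
        s = stats[ip]
        s.users.add(user)
        s.attempts += 1
        if outcome == "FAIL":
            s.failures += 1
        elif s.failures > 0:
            s.likely_compromised.append(user)

    findings = {}
    for ip, s in stats.items():
        ratio = s.failures / s.attempts if s.attempts else 0.0
        if len(s.users) >= min_users and ratio > min_failure_ratio:
            findings[ip] = {
                "distinct_users": len(s.users),
                "failures": s.failures,
                "attempts": s.attempts,
                "likely_compromised": list(s.likely_compromised),
            }
    return findings


if __name__ == "__main__":
    for ip, summary in detect_credential_stuffing(parse_log(SAMPLE_LOG)).items():
        print(ip, summary)
```

Run against the sample, only 203.0.113.7 is reported, with "frank" listed for a forced password reset; the single-account brute force from 198.51.100.4 is deliberately not matched by this rule, because it calls for a different control (account lockout or rate limiting per account) and a separate detection.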
The Data Protection Act, at its core, defines how personal information may be used by an organisation, business or governing body. It sets out strict rules to ensure that any data held is used fairly and lawfully. All data held by an organisation should be accurate, used only for limited and specifically stated purposes, and kept safe and secure.
Vulnerabilities within a system can be identified, and then removed, through appropriate and ongoing penetration testing. Testing of this kind attempts to find weaknesses in an online service before an attacker does, using methods that mimic those an intruder would use to defeat the security measures in place. The value lies in remediation: a weakness found by an ethical hacker only closes a potential gateway to the system and its data once it has been fixed and re-tested.
In parallel with penetration testing, implementing security risk management policies and procedures also inspires confidence. The ISO/IEC 27001 Information Security Management System (ISMS) standard is widely recognised and introduces the necessary controls. It specifies a systematic approach to managing sensitive data so that it is, and continues to be, secure, covering people, processes and IT systems. Obtaining ISO/IEC 27001 certification drives best practice and offers reassurance to clients and customers, with the caveat that it certifies the management system and its audited controls rather than the security of any particular piece of software. It also says something about the culture of care that a software supplier brings to handling someone else's sensitive data.
The third level of assurance to clients and customers is registration with the ICO (Information Commissioner's Office). Any organisation that holds and processes personal information is legally required to register, so this is not optional: it is a requirement under the Data Protection Act 1998. Registration is a legal baseline rather than a measure of security practice, which is why it sits alongside testing and certification rather than replacing them. Pinewood Technologies PLC, the provider of Licence Link, is registered with the ICO.
Security for online services is imperative. Exhaustive testing and audited standards must be in place, and kept up to date, for any software provider to inspire confidence in its security measures.