Ten tips to prevent a data breach…

Another week; another data breach. Bet24 is the latest company to admit personal details of its customers may have been compromised, although even Sony – the most criticised of the lot – didn’t wait two years before it told everyone.
Nevertheless, Bet24 joins a rather long list of high-profile brands which have suffered potentially damaging hack attacks over the past few months. It also busts the commonly held belief that PCI compliance and the threat of a £500,000 fine from the Information Commissioner’s Office are enough to keep companies in check.
Getting data protection right has never been more important than it is today. As a nation, we are increasingly asked to complete transactions online and provide our personal details. Real data security can only be achieved by companies treating security with the importance it deserves, and this means from board-level down.
PCI compliance is the minimum requirement for securing cardholder data, but it should be supported by rigorous testing and company-wide policies, certified through the likes of ISO 27001. Many companies are doing the minimum to comply and are not as secure as they could be, failing to actually test their safeguards and monitor them on an ongoing basis.
PCI compliance is a must for all call centres that regularly handle financial transactions. In addition, however, companies should have written procedures for regular testing and monitoring.
Having worked with a number of charities and banks to provide hosted call centre solutions, here are the top ten measures and tests we put in place:
• Regularly test security systems and processes (employ a specialist firm to try to break into your network)
• Have the design of your network ratified by a specialist
• Implement Strong Access Control Measures
• Restrict access to all data, including cardholder data, on a business need-to-know basis
• Assign a unique ID to each person with computer access
• Restrict physical access to cardholder data
• Regularly monitor and test networks
• Track and monitor all access to network resources and cardholder data (is someone logging on at 2am for example?)
• Maintain an Information Security Policy
• Maintain a policy that addresses information security – ISO 27001 is an excellent means to do this and to prove you do through certification.
No-one should underestimate the potential harm a data breach can cause, not just financially, but in terms of brand damage. Yet there is no quick fix; as many have found to their cost, staying one step ahead of the hackers is where the challenge really lies.

Matthew Bryars is chief executive of Aeriandi
