Locks and Security News: your weekly locks and security industry newsletter
24th April 2024 Issue no. 702


Aussie businesses 'soft targets' for hackers, says security expert

In its latest report, Dimension Data subsidiary Security-Assessment warns that Australia has no legislation requiring the disclosure of data breaches. By contrast, companies in the United States are required by law to disclose details of data security breaches, and in the UK internet service providers and telecommunications companies are required by law to disclose data breaches under the current European Union data protection directive.

"Currently the focus is on the clean-up of data security breaches rather than prevention. There has been no impetus for businesses to reveal data exposures and minimal fines imposed, which means there is limited incentive for businesses to comply with the PCI DSS," says Roger Greyling, a security consultant with Security-Assessment.com.

"As we saw with recent high profile data breaches at Sony and Lush Cosmetics, an organisation's reputation and assets are constantly vulnerable to attack from unscrupulous individuals," Greyling cautions.

The Payment Card Industry Data Security Standard (PCI DSS) is a globally recognised information security standard for organisations that store, process or transmit cardholder information. In 2004, with the collaboration of five major international credit card companies, the standard was created to improve controls around cardholder data for the purposes of reducing credit card fraud.

According to Greyling, the Information Commissioner's Office (ICO) in the UK can now impose a penalty of up to £500,000 for breaching the Data Protection Act, the result of which is likely to be a "heightening of vigilance and installation of robust security measures in that region."

On Australia, Greyling says that as international hackers find it tougher to breach the increased security measures set up by businesses in their own countries, "there is a growing danger that Australasian companies will be seen as soft targets by these same hackers."

According to Greyling, in 2011 Security-Assessment.com dealt with an increasing number of businesses that had experienced security breaches, but he says that much of it goes unreported. "It happens more often than people realise. When it comes to data security, prevention of a breach is clearly better than any costly cure."

Greyling cites Australian payment processing company Debitsuccess as a leading example of a business that has taken the initiative to comply with the latest version of the PCI DSS.

"Debitsuccess handles billing for more than 1,200 businesses, making them one of the largest full service direct debit initiators in Australasia. After initial due diligence, Debitsuccess decided to seek Level 1 compliance under the new 'version 2.0' Standard, which was not a compulsory requirement at the time."

According to Greyling, having now achieved a passing Report on Compliance (RoC), Debitsuccess is one of a few companies in Australasia to meet the latest version 2.0 requirements. "Although Debitsuccess does not currently process the number of credit and debit card transactions that would mandate an external assessment to accredit the company as being Level 1 PCI DSS compliant, their exceptional achievement in a relatively short period of time puts them on the leading edge of businesses that take information security seriously."

"The bottom line is that there needs to be a unified approach across government and financial institutions that moves Australia towards motivating businesses towards stricter compliance with the PCI DSS if we are to avoid becoming soft targets for data hackers on the global stage," Greyling concludes.

18th January 2012




© Locks and Security News 2024.