How the Workplace Will Change in the New Year

What does the future hold in store for your small business’s workplace? The Herman Group just released its 2014 Workplace Forecast, which seeks to help shed some light on the answer. Below are new year workplace trends I think will matter to small business owners and what you can do to take advantage of them.

1. As the economy improves, companies of all sizes will be hiring. But it won’t be easy due to an expanding workforce shortage. Companies have been reluctant to spend on training and development, leading to severe shortages of trained workers in many fields.

What can you do? The reality is, you may need to provide training to bring new employees up to speed. Tap into free or low-cost training offered by resources in your area, or have current employees cross-train new workers.

2. Communities will join forces to end worker shortages. Local governments and economic development departments are recognizing the risk that a shortage of qualified workers brings to the local economy, so they’re partnering with businesses and schools to help train tomorrow’s employees today.

What can you do? Get involved with local schools, adult education facilities, colleges and universities to make connections with potential employees and to put your “two cents” in as to what type of training is needed.

3. Unemployment rates will stay relatively high. Unfortunately, that won’t help solve the talent shortage. Many of the long-term unemployed lack desirable work experience or life skills, or their skills have atrophied from being out of the workforce so long.

What can you do? Unemployment can mean opportunity for small business owners to hire experienced, eager, often older workers who aren’t interested in career paths. Look for workers who have made an effort to learn new things and keep their skills fresh. Also, be open to unemployed workers who are seeking to transition to a new industry because their prior careers are now obsolete.

4. Be prepared for disaster, both natural and otherwise. The increasing frequency of natural disasters and extreme weather conditions means businesses of all sizes need to be prepared. Don’t just consider how a disaster or extreme weather could affect you, but also how it might affect your customers and suppliers. For instance, Southern California, where I live, is enjoying gorgeous, sunny weather right now, while most of the nation is enduring sub-freezing temperatures, which has hampered shipments from those parts of the country.

What can you do? Make a plan not only for dealing with disaster in your region, but also for operating if you’re cut off from your regular suppliers or vendors. Also, consider man-made disaster in the form of workplace violence. With an increasing incidence of and attention to workplace shootings, it’s important to take employee complaints seriously. Develop a plan for dealing proactively with conflicts and communicate a plan to deal with the worst-case scenario.

5. Layoffs aren’t over. Even as the economy improves, companies of all sizes will continue re-engineering, eliminating some positions and either automating those jobs or hiring fewer, but more highly skilled workers to fill new, more complex roles.

What can you do? If you don’t want to lay off staff, call on your employees to help you find new ways to do things better, faster and more cost-effectively. They may have great ideas for ways you can do more, make more profit and keep all your people.

6. Retention still matters. Employees will be more confident about job-hopping as the economy continues to strengthen. As the Affordable Care Act shakes out, people who held onto jobs just to keep their health insurance will finally be able to quit.

What can you do? If you haven’t worried about keeping your employees engaged and happy, you’d better start now. Find out where your employees envision being in one or five years and plan a program to get them where they want to be.


Facebook Ends (Some) Sponsored Stories Amidst Fake Endorsement Lawsuit

If you blinked you might have missed it. In a recent edition of its “Platform Roadmap” published in Facebook’s development section, the company said it would “sunset” its sponsored stories advertising option.  Or they may only be sunsetting a type of sponsored story.  Like much of the language around Facebook’s ad products, it’s bafflingly confusing and unclear.

But the part we do know, at least, is that sponsored stories that show certain aspects of what other people Like, are being discontinued effective April 9, 2014.

This ad product is not to be confused with “promoted posts” (which are staying).  Promoted posts are when you pay to promote one of your own Facebook update posts.  Those remain unchanged by this announcement.

The sponsored stories at issue here appear to be the ones involving a business paying to turn someone else’s Like activity into an ad. These involve Likes of a business’s website (“domain sponsored stories”), and Likes of a business’s app or story in an app (“open graph sponsored stories”).

Say, for instance, that your name is Courtney Cronin and that you “Liked” something on the Jasper’s Market website.  Jasper’s Market could pay to have that action (with your name and face attached) turned into a sponsored story ad.   (See image above).

So why are they being discontinued?  Facebook doesn’t say.  But, sponsored stories have been controversial.

Facebook says these notifications provide sponsors with “social context” showing that users are interacting with the brand. But critics of the sponsored stories feature have said that it gives the impression of an endorsement and should require a user’s consent for use of their image and name.  So in the example of Courtney Cronin, if Courtney happens to be a prominent food critic and writes a popular food blog, it could amount to a valuable endorsement, without paying Courtney anything for the use of her name and likeness.  If you were Courtney, you might not like that.

The elimination of sponsored stories may have something to do with a class action suit recently filed against Facebook which seems to connect to the feature.

This lawsuit alleges that Facebook “faked” likes from a Colorado man, Anthony DiTirro, (and perhaps others).  It claims Facebook also featured DiTirro’s photo and name on a sponsored story paid for by USA Today. DiTirro is asking for $750 in damages for himself and restitution for any other users affected.

Conspicuously, the suit was filed the same day Facebook announced it would discontinue the sponsored stories feature, observed Marketing Land.

In its announcement on the official “Platform Roadmap” outlining future Facebook developments, the company seemed to downplay the importance of the sponsored stories feature, explaining:

“Page post and page like ads already automatically have the best social context (likes and comments) added.”

Got that?  It wasn’t very clear to us either.  But one thing that seems clear is that you can no longer create new sponsored stories that involve Liking something on a company’s webpage. And existing ones have to be finished with their runs by April 9th.

The concession may speak volumes. Critics have insisted that Facebook sees its users more like products than customers. But it is their interest that drives activity on the site and their attention advertisers are paying to capture.

We’ll update this story as the facts become clearer.

Image: Facebook

6 Ways to Create A Positive Brand Perception

“Life isn’t about finding yourself. Life is about creating yourself.” ~ George Bernard Shaw

We hear this all the time - perception is reality. Do you agree with this and believe in it?

I do.

Our personality and professional image set the tone and stage for how we are all perceived. In a 24/7 online media world that can change things in a split second, one small wrong move or right move can go viral and change everything.

What does your social brand say about you online? This is your calling card and visual home that people will use to determine why connecting with you is viable and has value.

Creating a positive brand image today is a combination of many factors including your visual presence, relevance, value, character and ability to serve, engage and move people.

Ultimately, it’s a blend of our IQ - intellectual intelligence, EQ - emotional intelligence, and what I like to call your SQ - spiritual intelligence. We control our perception destiny far more than we realize.

Below are 6 ways to create a positive brand perception, which we shape by how we look, what we say and what we do.

Update Your Technology and Your Website

We are getting very “smart” through our phones, TVs, 3D and online learning, so keeping up with the latest technologies reflects the value you can deliver to your customers and community. There is a current look to web technology, with widgets, slide shows, social integration and linking, that we all use, expect and want.

Make sure yours reflects this.

Invest In Your Professional Branding

Having your own look, logo and image across all your marketing and social platforms helps you stand out, be more unique and says “I’m serious.”

Invest in yourself and your branding.  Get a referral for a graphic designer from your network whose work you like.

Qualify Your Relationships and Connections

I wish everyone well, but qualifying the best people, communities and activities to invest my business time on is crucial.

Build relationships and connections with those who can help you grow toward your goals the most.

Increase Your Dedicated Meetings and Conversations

Dedicated in-person meetings or phone calls do more to move a relationship forward than just about anything.

Making the time to get more personal and get to know people shows your interest in them and creates the opportunity for them to get to know you better, too.

Commit More Time to Purposeful Social Media Marketing

Eighty-six percent of marketers say social media is important for their business. One of the biggest benefits of social media is its ability to connect and engage with people on a regular basis. Facebook is the top social network, followed by YouTube, Twitter, Google+ and LinkedIn.

Smart, strategic activity that keeps you in front of key people will grow your business relationships.

Get Out, Join and Volunteer

Attraction marketing is everything you do both in person and online that puts you out there to meet people and share your expertise and personality.

Be involved in your industry, community and niche daily. Suit up and show up and be an active participant, not a quiet bystander.

Our personality and professional image set the tone for how we are all perceived. How we look, what we say and what we do can leave a positive, lasting first impression, or a lasting final one. It’s up to us to be consistent, authentic and fresh in all of our self-marketing activities. Learn from these top 10 brands on social media.

Relationships are gold but they take time. Invest the time in the right people and it will boomerang back to you.

Perception is reality - and we can create them both in positive and memorable ways.




Careless staff beats theft and malware as biggest CISO fear

Careless employees are the biggest security concern for IT professionals, research shows, prompting calls for CISOs to step up staff education and the use of technology.

Sixty percent of the 110 IT professionals surveyed by service provider SecureData view employee carelessness as the biggest risk to their organisation's security - well above “the usual suspects” such as data theft (13 percent), external malware (10 percent) and technology failure (7 percent).

Operations teams are seen as the biggest risk (40 percent), followed by finance staff (13 percent), while cloud security - often raised as a potential issue - was not once cited as  a primary security concern.

However, while the survey easily identified the main issues at hand, it found that agreement on how to tackle the problem is less certain. While 40 percent of respondents felt that educating employees was the most important step to improving security, 25 percent said that implementing a clear security management policy was their weakest area.

SecureData CEO Etienne Greeff said the answer is for CISOs to educate staff to follow simple security policies. He told SCMagazineUK.com:

“Security professionals shouldn't be getting sidetracked by new technologies; their focus should be on producing a simple and straightforward security policy that's easy for employees across the organisation to understand. Once a policy is in place, it is then the responsibility of the C-level to ensure this security message is hammered home internally.”

Amar Singh, chair of the UK Security Advisory Group at global user group ISACA, said the Government's newly launched ‘Cyber Streetwise' scheme could help in achieving this, as it offers practical security advice aimed at consumers and SMEs.

“Education and awareness are long-term initiatives that involve changing long-held beliefs (‘I don't need a secure password') and behaviour (‘do I really need to lock my PC when I go to the bathroom?'),” Singh told SCMagazineUK.com.

“Consequently, organisations need to complement their short-term, training-based approach with a longer-term, regular and consistent awareness and education programme on information security.”

Independent security expert Bob Tarzey, director of research firm Quocirca, agreed that firms need to focus on staff education - but backed up by technology and tough penalties if employees ignore what they've been taught.

“You need to make your employees more aware through education - but it's also putting in place policies that they realise the penalty for breaking them,” he said, when speaking to SCMagazineUK.com. “So for instance, if you do something really stupid through carelessness which is against the policy that you're supposed to know thoroughly, then there can be a disciplinary procedure.

“It's having policy, making people aware of the policy, how to take care of data and being clear that there can be sanctions for being casual about policy - but also don't leave it all to the employees, put technology in place to help them.”

SecureData's Greeff said that one encouraging finding from the research is that a holistic approach is becoming more central to security strategies.

“Assessing risk, detecting threats earlier, protecting valuable assets and ensuring a quicker response to breaches will result in more robust IT security, and our research shows that security professionals are beginning to recognise the importance of this.

“In order to address security threats in a manageable way, companies need to start thinking less about these new technologies and point solutions, and more about risk and real-time security intelligence.”



Target under fire despite promising cyber education

Major US retailer Target has started its fight-back from the disastrous loss of tens of millions of customer credit card and other records just before Christmas - only to run into criticism from a leading UK cyber security expert over its response.

Target this week launched a public relations blitz, promising to adopt more secure technology, apologising for the attack in full-page adverts in newspapers across the US, and donating $5 million (approximately £3.04 million) to a campaign to educate the public on the dangers of online scams.

But Dr Guy Bunker, senior VP of products at UK cyber protection firm Clearswift, said in a statement to SCMagazineUK.com: “$5 million is a start - but they need to work out what it is they are trying to educate people on. This wasn't consumers getting it wrong, it was them!”

Bunker added: “So consumers will need to be educated on how to spot fraudulent use of their credit cards. Of course it could be wider than this, how to spot phishing and other cyber attacks - both at home and when at work.”

As reported by SCMagazineUK.com, Target is reeling from one of the biggest credit card losses ever reported. In December it admitted data from about 40 million customer credit and debit cards could have been stolen from its stores between 27 November and 15 December. Last week, it conceded more personal data - including the names, email addresses, mailing addresses and phone numbers - of 70 million more individuals had also likely been hacked. The theft came through malware installed on Target's point-of-sale registers.

In response, Target chairman and CEO Gregg Steinhafel said in a TV interview earlier this week that the company wants to adopt more secure technology, by leading the US retail industry's move to chip-and-PIN payment card technology.

But Dr Bunker advised that Target needs to take much wider action to secure its customer data.

“They need to put in place three rings of protection: one, prevent the infection in the first place (using anti-virus and white-listing); two, detect the infection when it's there (through network packet analysis); and three, prevent the information leaving the organisation (deep content inspection and data loss prevention),” said Bunker.

“For number three, they should also be considering advanced technologies, such as adaptive redaction, to ensure that even in ‘everyday' business, where you don't want business to be interrupted, no critical information is transferred outside the organisation.”

Bunker said Target should also be looking at “regular network and application security penetration testing, to check there are no - or fewer - holes in their security, and that none are inadvertently opened up in the future”.
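The third of Bunker's rings, deep content inspection of outbound traffic, is the one aimed most directly at what the Target malware did: scrape card data from point-of-sale memory and ship it out. The Python below is an added illustration of what such an outbound check looks for; it is not code from Target, Clearswift or SCMagazineUK.com. It scans a message body for loose primary account numbers (PANs) and for ISO 7813 track-2 records, the format a POS RAM scraper harvests, confirms each candidate with the Luhn check so order numbers and phone numbers do not trip it, and returns a verdict with the numbers masked so the alert itself does not leak card data. The sample payloads are constructed for the example, and the two PANs in them are the well-known public test numbers 4111111111111111 and 5500000000000004, not real cards.

```python
import re
from dataclasses import dataclass, field

# 13-19 digits, optionally separated by single spaces or dashes, and not part
# of a longer digit run (so timestamps and long IDs are not split into "cards").
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# ISO 7813 track 2: ;PAN=YYMM SSS discretionary?  Sentinels are optional here,
# because a scraper may dump the fields without them.
TRACK2_RE = re.compile(r";?(\d{13,19})=(\d{4})(\d{3})(\d*)\??")

# Constructed sample payloads (public test PANs, not real cards).
SAMPLES = {
    # Looks like a scraper POSTing harvested track-2 records.
    "scraper_dump": "data=;4111111111111111=2512101123?|;5500000000000004=2601101789?",
    # Ordinary traffic: a 16-digit order number and a phone number.
    "benign": "order=1234567890123456 tel=+44 20 7946 0958 total=19.99",
    # A card number typed into a support e-mail.
    "loose_pan": "Customer says card 4111 1111 1111 1111 was declined twice",
}


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check (ISO/IEC 7812).  Every candidate must pass it before
    we alert; most 13-19 digit runs in business traffic fail it."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """Keep only the last four digits in anything we log or alert on."""
    return "*" * (len(pan) - 4) + pan[-4:]


@dataclass
class Verdict:
    action: str = "allow"                        # "allow" or "block"
    pans: list = field(default_factory=list)     # masked PANs found loose in the text
    tracks: list = field(default_factory=list)   # masked PANs found inside track-2 records


def inspect_outbound(payload: str) -> Verdict:
    """Inspect one outbound message body and decide whether it may leave."""
    v = Verdict()
    # Track data first: a track-2 record is the strongest sign of a POS scraper.
    for m in TRACK2_RE.finditer(payload):
        if luhn_ok(m.group(1)):
            v.tracks.append(mask(m.group(1)))
    # Blank out matched track records so their PANs are not counted twice below.
    remaining = TRACK2_RE.sub(" ", payload)
    for m in PAN_RE.finditer(remaining):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            v.pans.append(mask(digits))
    if v.pans or v.tracks:
        v.action = "block"
    return v


if __name__ == "__main__":
    for name, body in SAMPLES.items():
        v = inspect_outbound(body)
        print(f"{name:13} {v.action:5} pans={v.pans} tracks={v.tracks}")
```

In practice a check like this sits on the egress proxy or DLP gateway. Two caveats: a scraper usually encodes or encrypts its staging file before upload, so the inspection must run after any decoding the gateway can do and be paired with egress allow-listing, since content inspection cannot see inside a channel it cannot decrypt; and the Luhn filter only removes false positives, so a single hit on a host that has no business handling cards still warrants an incident, not just a blocked connection.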

Steinhafel apologised to Target customers in an open letter published in US newspapers this week. He said: “Our top priority is taking care of you and helping you feel confident about shopping at Target, and it is our responsibility to protect your information when you shop with us. We didn't live up to that responsibility, and I am truly sorry.”

Steinhafel added that Target has “closed the access point that the criminals used and removed the malware they left behind” and “hired a team of data security experts to investigate how this happened”.

He confirmed Target customers will have “zero liability” for any fraudulent charges arising from the breach and that the company is offering one year's credit monitoring and ID protection for all customers.

Target's $5 million donation is going to a US cyber security education campaign run by the National Cyber-Forensics and Training Alliance (NCFTA), National Cyber Security Alliance (NCSA) and Better Business Bureau.



NSA backlash continues: UK firms move data out the US

British companies are fighting back against government surveillance in the US: 21 percent of UK firms are moving their hosted information out of the country because of security concerns.

That's according to an independent survey of 300 British and Canadian small businesses, commissioned by cloud hosting firm Peer 1 Hosting. The study finds over a fifth of UK firms and one-third of their Canadian counterparts are relocating their information away from US-based data centres because of the NSA intelligence agency scandal, revealed last summer by whistleblower Edward Snowden.

The survey comes ahead of US President Obama announcing a new policy on mass data surveillance on Friday, although this alone may not be enough to reassure British firms. German media, which has followed the case closely since news emerged on the NSA hacking Chancellor Angela Merkel's phone, this week reports that a senior government source believes the clampdown is likely to stop short of promising to end NSA spying on ‘allies'.

The Peer 1 Hosting survey charts fear and confusion among cloud service users. The top hosting concerns defined by the survey were security (96 percent) and data privacy (82 percent). Despite this, many UK and Canadian cloud users don't fully understand current data privacy laws - 60 percent admitted that they don't know as much as they should and another 44 percent were confused by the laws.

The survey also suggests the spying scandal has had a significant impact on non-US cloud service providers. Nearly seven out of 10 (69 percent) of decision makers say the mass surveillance has made them more sceptical of data hosting providers everywhere and 57 percent are less likely to use a public cloud as a result.

Steve Durbin, global vice president of the Information Security Forum (ISF) user group, believes that this confirms that the NSA scandal has encouraged cloud users to “ask the right questions about how their information is being stored, managed and handled”.

 “We're starting to see businesses taking a very much more open-eyed approach,” he told SCMagazineUK.com. “The whole NSA thing has actually served a useful purpose - it's getting people to think much more about what information they're putting into the cloud, where it's being stored, how it's being accessed, and asking questions of the providers as to what exactly they are obliged to do under in this case US federal law.

“As a result, I think businesses are saying that from a risk point of view it might make more sense for us to be storing some of this information in Europe, in the UK or within our own borders, if we can't get satisfactory answers from cloud providers or indeed if the answers from a risk perspective just seem too high for our business.”

Meanwhile, independent privacy researcher Caspar Bowden questioned whether President Obama's impending review will add any significant protection to British citizens, let alone UK businesses.

Bowden, a former chief privacy adviser to Microsoft, told SCMagazineUK.com: “The rights of foreigners simply haven't been part of the US debate - so far.”

 “The key international question regarding Obama's NSA reforms is whether he will recognise the human right to privacy of non-Americans, who currently have no protection whatsoever under the FISA law,” he explained. “Both the EU Commission and Parliament have demanded equal treatment with US citizens.

“However, Obama's NSA review panel did not go anywhere near as far, only recommending that non-US citizens are covered by the US Privacy Act 1974. We know that after numerous exemptions and exclusions an EU citizen will only be able to access data they themselves have supplied, everything else will be ‘redacted'. It's a hollow non-solution, very far from the idea of giving EU citizens full legal rights in US courts.”

The survey shows UK and Canadian firms trust the US far less than they do many other countries. Yet despite that, the US still remains the most popular country to host their data, outside of their own country.

‘Security of my data' ranked highest among all factors considered by decision makers when selecting a hosting provider, even above performance. More than three-quarters (77 percent) of decision makers would rather host their data in a highly secure but slower facility than in a facility that guarantees top speeds but is less secure (9 percent).

Meanwhile, a related report from the New America Foundation this week found that the NSA's surveillance programmes have had a “minimal” contribution in catching terrorists.




Patient data could be vulnerable in new NHS database

The National Health Service has started migrating patient data onto a centralised database, but with improved manageability comes concerns over potential breaches and data losses.

The NHS has started posting leaflets to UK households on its intention to save and store all GP patient data at a centralised database.

The leaflet invites patients to opt out of the programme if they wish, while all the data is collated by the NHS Health and Social Care Information Centre (HSCIC) to improve analysis of trends that could help plan future health services.

The HSCIC, perhaps anticipating concerns over data protection considering the number of NHS data breach incidents over the years, says that the centre is a “safe haven” but that hasn't reassured the infosec community concerned that the database will be susceptible to data breaches and losses, even from inside the same organisation.

 “As plans go up a gear on creating and making available aggregated, but still sensitive, patient data for research and commercial purposes, security is bound to be on the agenda of the NHS or this grand project is going to go nowhere,” Marc Lee, Director EMEA at risk management company Courion, told SCMagazineUK.com.

Lee went on to urge the NHS to implement “stringent access risk analysis”, and voiced concerns that the end user is likely to be the biggest worry.

“While there will be much attention paid to external defences, critical to maintaining public trust in the database is how widening legitimate access to patient data must come with tough but smart identity access management strategies.

“The truth is the majority of serious data breaches use stolen or misused legitimate access privileges,” he said. “So even the most imposing firewall defences can be sidestepped. Patients would be more reassured if the NHS followed the strategic starting point embraced by digitally savvy businesses: anything that can be stolen will be stolen.”

IDC's Andy Buss, the consulting manager for Europe on data center infrastructure and client devices, told SCMagazineUK.com that while the move does “make sense” from the perspective of storing and sharing data, there are numerous security implications.

“There are challenges on how to guarantee the security and privacy of the data, and questions on how it works,” he said. Buss suggested too that GPs will likely use other solutions if the database proves unsuccessful.

“It takes many years to roll-out a centralised system and there are always parallel systems used to get on with business. There's a worry that the new system becomes partially used and bypassed.”

The IDC analyst said that a relative lack of standards, an issue raised on the topic of data exchange in a recent Health Information and Management Systems Society (HIMSS) report, is a worry in light of regular data thefts and losses, and stressed the importance of the new system employing encryption, synchronization back to the database, and utilising user privileges and tools which can track access.

Buss, like Lee, added that the end user will most likely be the biggest concern.

“There will always be risks, it's just about reducing the variants. One of the biggest threats is hacking, which while not necessarily an area where money can be made, can result in extortion and insurance implications.

“But the usual threat is that people make mistakes. Human error is always one of the biggest reasons for data leaks.”
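Lee's point that most serious breaches ride on legitimate credentials, and Buss's call for tools that track access, both come down to auditing who opened which record and why. The Python below is an added example of the kind of check an access-audit job would run over a record-access log; it is not code from HSCIC, Courion or IDC. The log format, user names, roles, practice codes and hourly limits are hypothetical and constructed for the example: each line records who opened a record, from which practice, for a patient registered at which practice, and the stated reason. The audit flags three patterns: a care-role user opening a record for a patient of another practice with no recorded reason, a research role resolving an identifiable record directly (research access to the centralised data is meant to be pseudonymised), and a user whose hourly volume exceeds the limit for their role.

```python
from collections import Counter
from dataclasses import dataclass

# Constructed access log (hypothetical format for this example).  Fields:
# timestamp  user  role  user's practice  patient id  patient's practice  reason
# A reason of "-" means the user recorded none.
ACCESS_LOG = """\
2014-01-14T09:01:12 dr.ahmed GP P001 NHS-1001 P001 consultation
2014-01-14T09:15:40 dr.ahmed GP P001 NHS-1002 P001 consultation
2014-01-14T09:22:03 dr.ahmed GP P001 NHS-2077 P003 -
2014-01-14T09:40:00 dr.ahmed GP P001 NHS-2078 P003 referral
2014-01-14T10:05:55 recep.jane RECEPTION P001 NHS-1003 P001 appointment
2014-01-14T10:06:10 recep.jane RECEPTION P001 NHS-1004 P001 appointment
2014-01-14T10:06:31 recep.jane RECEPTION P001 NHS-1005 P001 appointment
2014-01-14T10:07:02 recep.jane RECEPTION P001 NHS-1006 P001 appointment
2014-01-14T11:00:00 analyst.bob RESEARCH HSCIC NHS-1001 P001 cohort-study
"""

# Hypothetical policy: identifiable records one user may open per clock hour.
HOURLY_LIMIT = {"GP": 5, "RECEPTION": 3}
# Roles that may only ever see pseudonymised extracts, never a named record.
PSEUDONYMISED_ONLY = {"RESEARCH"}


@dataclass(frozen=True)
class Access:
    ts: str
    user: str
    role: str
    user_org: str
    patient: str
    patient_org: str
    reason: str


@dataclass(frozen=True)
class Finding:
    user: str
    kind: str       # "identifiable-access" | "no-care-relationship" | "volume"
    detail: str


def parse_log(text: str) -> list:
    """Parse the whitespace-separated log.  Malformed lines raise rather than
    being skipped: a gap in the audit trail is itself something to investigate."""
    events = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) != 7:
            raise ValueError(f"line {lineno}: expected 7 fields, got {len(fields)}")
        events.append(Access(*fields))
    return events


def audit(events: list) -> list:
    """Return one Finding per suspicious pattern seen in the events."""
    findings = []
    per_hour = Counter()
    for e in events:
        if e.role in PSEUDONYMISED_ONLY:
            # A research account should never resolve a patient identifier.
            findings.append(Finding(e.user, "identifiable-access", e.patient))
            continue
        if e.user_org != e.patient_org and e.reason == "-":
            # Cross-practice access can be legitimate (referrals, out-of-hours
            # cover), but it must carry a reason that can later be checked.
            findings.append(Finding(e.user, "no-care-relationship", e.patient))
        per_hour[(e.user, e.role, e.ts[:13])] += 1      # key on YYYY-MM-DDTHH
    for (user, role, hour), n in per_hour.items():
        limit = HOURLY_LIMIT.get(role, 0)
        if n > limit:
            findings.append(Finding(user, "volume",
                                    f"{n} records in hour {hour} (limit {limit})"))
    return findings


if __name__ == "__main__":
    for f in audit(parse_log(ACCESS_LOG)):
        print(f"{f.user:12} {f.kind:22} {f.detail}")
```

The volume rule is deliberately crude; a real deployment would baseline each user against their own history and their peers rather than a fixed number per role. The first two patterns are the ones worth alerting on in near real time, because with a misused credential the damage is done at read time, and a batch report the next morning only tells you how many records are already gone.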



Patient data could be vulnerable in new NHS database

The National Health Service has started migrating patient data onto a centralised database, but with improved manageability comes concerns over potential breaches and data losses.

The NHS has started posting leaflets to UK households on its intention to save and store all GP patient data at a centralised database.

The leaflet invites patients to opt out of the programme if they wish, while all the data is collated by the NHS Health and Social Care Information Centre (HSCIC) to improve analysis of trends that could help plan future health services.

The HSCIC, perhaps anticipating concerns over data protection considering the number of NHS data breach incidents over the years, says that the centre is a “safe haven” but that hasn't reassured the infosec community concerned that the database will be susceptible to data breaches and losses, even from inside the same organisation.

“As plans go up a gear on creating and making available aggregated, but still sensitive, patient data for research and commercial purposes, security is bound to be on the agenda of the NHS or this grand project is going to go nowhere,” Marc Lee, Director EMEA at risk management company Courion, told SCMagazineUK.com.

Lee went on to urge the NHS to implement “stringent access risk analysis”, and voiced concerns that the end user is likely to be the biggest worry.

“While there will much attention paid to external defences, critical to maintaining public trust in the database is how widening legitimate access to patient data must come with tough but smart identity access management strategies.  

“The truth is the majority of serious data breaches use stolen or misused legitimate access privileges,” he said. “So even the most imposing firewall defences can be sidestepped. Patients will be more reassured if the NHS followed the strategic starting point embraced by digital savvy businesses: anything that can be stolen will be stolen.”

IDC's Andy Buss, the consulting manager for Europe on data center infrastructure and client devices, told SCMagazineUK.com that while the move does “make sense” from the perspective of storing and sharing data, there are numerous security implications.

“There are challenges on how to guarantee the security and privacy of the data, and questions on how it works,” he said. Buss suggested too that GPs will likely use other solutions if the database proves unsuccessful.

“It takes many years to roll-out a centralised system and there are always parallel systems used to get on with business. There's a worry that the new system becomes partially used and bypassed.”

The IDC analyst said that a relative lack of standards, an issue raised on the topic of data exchange in a recent Health Information and Management Systems Society (HIMSS) report, is a worry in light of regular data thefts and losses, and stressed the importance of the new system employing encryption, synchronization back to the database, and utilising user privileges and tools which can track access.

Buss, like Lee, added that the end user will most likely be the biggest concern.

“There will always be risks, it's just about reducing the variants. One of the biggest threats is hacking, which while not necessarily an area where money can be made, can result in extortion and insurance implications.

“But the usual threat is that people make mistakes. Human error is always one of the biggest reasons for data leaks.”



Vimeo Makes Its Player Faster, More Social, Better for Mobile

If you use video regularly for business, you probably know that YouTube recently added live streaming for all users.

But you might not be aware that one of YouTube’s rivals, Vimeo, has “rebuilt” its video player.  The changes make the player faster, more compatible with mobile, and easier to share socially. There’s also an option to make it easier for you to monetize your content, to sell or rent your video on a pay-per-view basis.

In the official Vimeo Staff Blog, Brad Dougherty explains:

“The player may look (mostly) the same on the surface, but behind the scenes we rethought everything from the ground up. Our re-engineered back end means that videos load twice as fast, and we simplified the front end to make it compatible with way more devices.”


Here are some of the main changes in Vimeo’s new player:

  • HTML 5 replaces Adobe Flash.  This is important because it will better render video on newer browsers and mobile devices (many of which do not even play Flash) as the older platform is phased out.
  • The share screen is redesigned with Facebook, Twitter and email buttons making it easier to share video in the most obvious ways. An embed code is accessible from the screen of each video.
  • Video playback time is improved.  Videos in many cases start in under one second, the company claims. One of the knocks against Vimeo in the past has been slowness, so the speed improvements will be welcomed.
  • An in-player purchase feature is added making it possible for you to rent or sell your video to viewers “on demand” from a trailer you can embed on any site.

Other changes include new subtitles and closed caption support. You upload a caption or subtitle file (Vimeo suggests using the free Amara service), so that people can read along, including in other languages.

A sync feature also allows you set scale, HD and volume preferences over all your videos.  The sync feature also pauses one video when you start to play another.

Keep in mind that Vimeo’s policies expressly forbid businesses to use its free accounts for any commercial purposes. There are some exceptions made for authors, artists and independent video production companies. So if your business involves any of these kinds of products you may need to investigate further to see whether you qualify. Otherwise you’ll need to pay for the Vimeo Pro account at $199 per year. That’s less than $17 per month, and for a business expense may well be worth it.

Vimeo offers an ad-free platform with no commercial messages running before, after or over your business message.  Some consider ads the bane of YouTube videos.

Vimeo, while not quite as large as the mammoth YouTube, is one of the top 10 video sites in the United States. A comScore report for December 2013 shows Vimeo had nearly 33 million unique visitors and 142 million views for all its videos together.  Still, that’s less than one-fifth the unique visitors of YouTube.  But if you use video mainly on your website and in your social media channels, the viewers you reach through your channels will be the ones that matter to you anyway.




Take the Test: Determine Your Small Business Health Score

This is a good time of year to assess the health of your company. Review these 10 elements and determine your small business health score to find out where you stand.

What is Your Small Business Health Score?

1) Cash Flow

Having a cash flow positive company is critical for success. This means the business has more cash at the end of the month than the beginning.

How to score: Add 2 points for cash flow positive. Subtract 2 points for cash flow negative (less cash at the end of the month).

2) Quick Ratio

This simple balance sheet formula divides current assets minus current liabilities. Ratios greater than one mean the company has enough current assets to pay its current bills.

How to score: Add 2 points if the company’s quick ratio is above one. Subtract 2 points if it is below one. Note that a healthy quick ratio number will vary by industry.

3) Customer Annuities

This means repeat customers pay the company automatically every month.

How to score: Add 2 points if this is true. Subtract 1 point if the company needs to recreate its revenue and find new customers every month.

4) Fixed Overhead Expenses

High fixed overhead expenses do not give companies flexibility as sales and profit changes.

How to score: Add 1 point if most of the company’s expenses are variable. Subtract 1 point if most expenses are fixed or they are high compared to sales.

5) Management Team

Strong companies are not about their owners, but their team leaders.

How to score: Add 2 points for a truly collaborative organization. Subtract 1 point if the CEO makes all the top down decisions.

6) Employee Turnover

Loyal employees generate more profit for companies than those with high turnover.

How to score: Add 2 points if the company retains employees for at least 5 years. Add 1 point for 3-5 years. Subtract 1 point if employees stay 2 years or less.

7) Strategic and Focused Plan

Companies that have a written plan about where they are going and employees that are clear about the company’s direction succeed.

How to score: Add 1 point if every company employee can articulate the plan. Subtract 1 point if they can’t.

8) Systematic Sales and Marketing Plan

Many small businesses only market when they have no sales, but immediately stop when they do.

How to score: Add 2 points if the company has an ongoing systematic plan including social media. Subtract 2 points if sales and marketing is mostly improvisational.

9) Infrastructure

Growing companies need to have an infrastructure that supports them. Nextiva uses the integration of tools from Marketo, SalesForce, and NuviApp (social) to deliver reliable communication solutions to their business clients.

How to score: Add 1 point if the company has integrated systems that can be effectively used by employees and customers. Subtract 2 points if each system is independent from the others or does not work effectively.

10) Outside Advisors

Small business owners need to ask for help.

How to score: Add 1 point if the owner has a formal advisory board. Subtract 1 point if the owner is insulated and never asks anyone outside the company for advice.

Scoring Totals:

Above 10: Congratulations! Your small business is healthy and well positioned for 2014. Look at improving any area where the score was negative to increase your strength.

0 to 9: At risk! Key parts of your small business need to be improved. You are vulnerable to changes inside and outside the company. Pay attention to the elements where your score was negative.

Below 0: Danger! Too many parts of your business are unhealthy and your company risks going bankrupt this year. Seek help immediately!

So what is your small business health score?




Context is king

Context-aware security can make intelligent decisions to balance corporate confidentially with allowing mobile users to get the job done.

If we take a stroll through the streets of London, join the commute on the Tube, or even relax at the pub, we are bound to witness the effects of the mobile computing revolution. Individuals now have the power to shop, conduct business, entertain and collaborate - all at their fingertips. Mobility is having a transformative influence on how we work and interact, but as we explore the art of the possible, we must guarantee that the trust relationships we have - and the ones we will have - are not compromised.

The question that then arises is: How do we secure our mobile engagement? Market forces increasingly demand an answer. Analysts at IDC recently reported that in Western Europe a majority of companies in telecom/media, retail/wholesale and health care, rely strongly on mobile devices to access corporate resources or services in a mobile environment. According to another IDC survey, one of the most important objectives is security of proprietary data privacy and integrated access. But, as organisations explore their options, it is also important to note that in the mobile channel, security value needs to be demonstrated so that it complements rather than hinders user experience. Ill-advised security procedures may result in either non-compliance or non-participation - neither of which is the desired outcome.

The answer to the question posed, then, lies in exploiting context for mobile security. Mobility affords significant contextual insight that can be employed for tailoring the security posture for each mobile interaction. Think of your own daily mobile activities. The uniqueness of each interaction is a function of your location, the networks you employ, the time of day and even the state of your device - along with potentially many other contextual attributes. The systems that support these activities can employ these contextual attributes to assess relative risk and modulate the security procedures or application behaviour to more effectively balance security with user experience. For example, when a transaction is performed in a context of elevated risk, the solution may employ multifactor authentication. Or, if the risk is above a certain policy-based threshold, certain capabilities may be disabled. Additionally, the context gives these systems the ability to barter security value when some inconvenience is unavoidable, providing an opportunity to possibly educate the user on security best practices, or at a minimum, alert the user to the risk.

Enough about the concept, let's make this tangible with real scenarios. A research study by Ovum revealed that mobile access to electronic health records (EHRs) is the most prevalent mobile health application - with more than 50 percent of health care organisations having already installed this functionality. If a health care institution wants to differentiate based on quality of care by giving its doctors and nurses mobile access to patient records, then it would have to do it responsibly while also simplifying the experience. The health care institution can take contextual attributes into consideration to enhance security - so only users within a certain distance from the hospital can access patient records (given that doctors and nurses will be in near proximity), or only users who are on-duty are allowed access, and other similar policies. Context-based security adaptation need not only be employed for access policy governance. Anyone who has used a mobile banking app realises that to simply access balances the app can use stored credentials. However, if requests are made for the account number or money transfers, then the user is prompted for additional identity information.
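The two scenarios above (the hospital's location and on-duty gates, and the banking app's step-up for riskier actions) can be expressed as one small policy engine. The following is an added example, not IBM's code or anything from the article: the attribute names, the trusted places, the point weights and the allow/step-up/deny thresholds are all constructed for illustration and would be tuned from real risk data in a deployment. It returns the contextual factors alongside the decision so the app can tell the user why it is asking for more.

```python
"""Context-aware access decision for a mobile app (added example).

Nothing here is IBM's code: the attribute names, trusted places,
weights and thresholds are constructed for illustration.
"""
from dataclasses import dataclass
from enum import Enum
from math import asin, cos, radians, sin, sqrt


class Decision(Enum):
    ALLOW = "allow"        # proceed with stored credentials
    STEP_UP = "step-up"    # ask for a second factor first
    DENY = "deny"          # capability disabled in this context


@dataclass(frozen=True)
class Context:
    lat: float
    lon: float
    network: str            # "hospital-wifi", "cellular" or "public-wifi"
    hour: int               # local hour of day, 0-23
    device_compliant: bool  # patched OS, not jailbroken, MDM enrolled
    on_duty: bool           # from the rota; only meaningful for clinical staff


# Constructed coordinates; a real system would load these from policy.
HOSPITAL = (51.5007, -0.1246)
TRUSTED_PLACES = {"hospital": HOSPITAL, "home": (51.4500, -0.2000)}
ON_SITE_RADIUS_KM = 1.0
WORKING_HOURS = range(7, 21)

# How much is at stake for each action; scales the contextual risk.
ACTION_WEIGHT = {"view_balance": 1, "view_record": 2, "transfer_funds": 4}


def distance_km(lat1, lon1, lat2, lon2):
    """Great-circle (haversine) distance between two points in km."""
    p1, l1, p2, l2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((p2 - p1) / 2) ** 2 + cos(p1) * cos(p2) * sin((l2 - l1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def risk_factors(ctx):
    """Contextual signals that raise risk, each with its points.

    Keeping the reasons lets the app tell the user why it is asking
    for more, or at least alert them to the risk.
    """
    factors = []
    nearest = min(distance_km(ctx.lat, ctx.lon, *p) for p in TRUSTED_PLACES.values())
    if nearest > ON_SITE_RADIUS_KM:
        factors.append(("unfamiliar location", 2))
    if ctx.network == "public-wifi":
        factors.append(("untrusted network", 2))
    elif ctx.network == "cellular":
        factors.append(("cellular network", 1))
    if ctx.hour not in WORKING_HOURS:
        factors.append(("outside usual hours", 1))
    if not ctx.device_compliant:
        factors.append(("non-compliant device", 3))
    return factors


def risk_score(ctx, action):
    return sum(points for _, points in risk_factors(ctx)) * ACTION_WEIGHT[action]


def decide(ctx, action):
    """Hard policy gates first, then friction proportionate to risk."""
    # Hospital policy from the article: records only on site and on duty.
    if action == "view_record":
        off_site = distance_km(ctx.lat, ctx.lon, *HOSPITAL) > ON_SITE_RADIUS_KM
        if off_site or not ctx.on_duty:
            return Decision.DENY
    score = risk_score(ctx, action)
    if score <= 2:
        return Decision.ALLOW
    if score <= 8:
        return Decision.STEP_UP
    return Decision.DENY


if __name__ == "__main__":
    nurse_on_ward = Context(*HOSPITAL, "hospital-wifi", 10, True, True)
    print(decide(nurse_on_ward, "view_record"), risk_factors(nurse_on_ward))
    traveller = Context(48.8566, 2.3522, "public-wifi", 12, True, False)
    print(decide(traveller, "view_balance"), risk_factors(traveller))
```

The gates are deliberately separate from the score: a policy such as "records only on site" is a yes/no rule the organisation must be able to audit, whereas the score only chooses how much friction to add for an action that is permitted in principle.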

Looking ahead, we will witness the use of context to further enhance the security of mobile engagement. Analysis of historical transactions can help detect anomalous behaviour in real-time, which may be a sign of fraud or malicious activity. We are creatures of habit, so a major deviation in the period of access, or irregular time of access, could be indicators to prompt greater security measures. Context can also be used to optimise the performance of security protocols. For example, secure network connections can be torn down when the mobile user diverts attention to another application. This has the benefit of not only conserving battery power, but also preventing a malicious third party attempting to break into an open communication session.

So is your organisation beginning to look beyond the device when charting out a holistic mobile security strategy? It might just be time to put your users' context to work for you and deliver an adaptive security posture that builds trust while delivering excellence in user experience.

Vijay Dheap is an IBM master inventor and currently leads mobile security strategy and Big Data security intelligence solutions for IBM.



League table Go-Ahead

In a special one-off case study linking our themes of PCI compliance and security spend, RandomStorm technical director and co-founder Andrew Mason describes to SC a case study that tackles both issues with the aid of league tables.

Go-Ahead transports more than a billion passengers on its trains and buses each year, including 1,800 London buses and some 30 percent of UK rail journeys.

David Lynch, group technology and procurement director at Go-Ahead, along with his team of 50 IT specialists, is responsible for technology investments across the organisation with a variety of solutions provided. The challenge is to ensure that his information security budget is well invested. “Organisations spend a lot on business continuity and security. I need to prove that I am spending the company budget wisely,” says Lynch.

As a level 1 merchant of travel tickets, often bought online with credit cards, Go-Ahead has to comply with the Payment Card Industry Data Security Standards (PCI DSS), including the new 3.0 terms, and has to have regularly scheduled audits with a PCI qualified security assessor (QSA).

Lynch spoke to RandomStorm, a PCI QSA, about how he could ensure that the security detection and protection products he deployed were being used to their full potential.

Combining requirements for ongoing monitoring of the enterprise security status with Lynch's love of football, RandomStorm designed a Security League Table demonstrating the comparative performance of different areas of Go-Ahead's IT estate.

“One of the issues regularly cited by QSAs is that they go in and run a penetration test for a merchant and produce a report highlighting the vulnerabilities on merchant networks,” explains Robin Hill, co-founder of RandomStorm. “Then they go back six or 12 months later and nothing has been done to fix those earlier vulnerabilities.”

The RandomStorm Management Platform of security monitoring products, including iStorm, was used to develop a Security League Table enabling Lynch to quickly review where vulnerabilities have been identified, which assets are affected and what remedial action is required. Where a highlighted vulnerability has not yet been addressed, such as a misconfigured device or required patch, this will be marked down, pushing that IT domain lower in the League Table.

The League Table is regularly updated with details of the active security issues, and work schedules are generated to address the vulnerabilities highlighted. It also measures ongoing security in-between scheduled audits. “I am amazed that no one else is doing this,” says Lynch. “The League Table identifies where vulnerabilities highlighted by the scans have not yet been repaired and provides IT managers with a schedule of work during the month.”
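The mechanics described in the last few paragraphs (rank each part of the estate by its outstanding findings, mark a domain down further when a finding is still open at the next scan, and turn the bottom of the table into a work schedule) can be reduced to a short script. This is an added example and not RandomStorm's platform: the domain names, findings, severity weights and the 30-day "still open" rule are all constructed for illustration.

```python
"""Security League Table (added example, not RandomStorm's software).

The domains, findings, severity weights and the 30-day "marked down"
rule are constructed to illustrate the idea in the case study.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date

SEVERITY_POINTS = {"critical": 10, "high": 5, "medium": 2, "low": 1}
STALE_AFTER_DAYS = 30   # a finding still open this long counts double


@dataclass(frozen=True)
class Finding:
    finding_id: str
    domain: str       # the part of the IT estate the scan covered
    asset: str
    severity: str
    first_seen: date
    fixed: bool       # confirmed closed by a later scan


# Constructed scan output spanning two monthly scans.
FINDINGS = [
    Finding("F1", "ticketing-web", "web-01", "critical", date(2013, 11, 1), False),
    Finding("F2", "ticketing-web", "web-02", "medium", date(2014, 1, 10), True),
    Finding("F3", "bus-depot-lan", "switch-03", "high", date(2013, 12, 1), False),
    Finding("F4", "bus-depot-lan", "wks-17", "low", date(2014, 1, 12), False),
    Finding("F5", "corp-office", "print-02", "medium", date(2014, 1, 5), False),
    Finding("F6", "corp-office", "file-01", "high", date(2013, 12, 20), True),
]


def penalty(f, today):
    """Points a single finding costs its domain today."""
    if f.fixed:
        return 0
    pts = SEVERITY_POINTS[f.severity]
    if (today - f.first_seen).days > STALE_AFTER_DAYS:
        pts *= 2      # still open at the next scan: marked down
    return pts


def league_table(findings, today):
    """Rank domains best-first: fewest penalty points at the top.

    Returns a list of (domain, open_findings, penalty_points).
    """
    points = defaultdict(int)
    open_count = defaultdict(int)
    for f in findings:
        points[f.domain] += penalty(f, today)
        open_count[f.domain] += 0 if f.fixed else 1
    rows = ((d, open_count[d], points[d]) for d in points)
    return sorted(rows, key=lambda r: (r[2], r[0]))


def work_schedule(findings, domain, today):
    """Open findings for one domain, worst first: what to fix this month."""
    todo = [f for f in findings if f.domain == domain and not f.fixed]
    return sorted(todo, key=lambda f: (-penalty(f, today), f.first_seen))


if __name__ == "__main__":
    today = date(2014, 1, 15)
    table = league_table(FINDINGS, today)
    for pos, (domain, n_open, pts) in enumerate(table, 1):
        print(f"{pos}. {domain:14} open={n_open} penalty={pts}")
    bottom = table[-1][0]
    print(f"Schedule for {bottom}:")
    for f in work_schedule(FINDINGS, bottom, today):
        print(f"  fix {f.finding_id} on {f.asset} ({f.severity}, open since {f.first_seen})")
```

Doubling the points for anything older than the scan interval is what gives the table its teeth: a domain cannot stay near the top by quietly carrying the same finding from one QSA visit to the next, which is exactly the failure mode Hill describes.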

He cites the protection of the network, prevention of breaches, avoidance of fines and protection of corporate reputation as the key drivers for initiating the Security League Table. The changing nature of attacks means an IT team could be at the top of the league one week and at the bottom the next, explains Lynch.

Another benefit is creating a dialogue between IT staff and non-technical business managers at Go-Ahead to demonstrate where IT is adding value to the business: “The League Table gives the IT teams an opportunity to explain what has happened on the network, what caused it, what it means to the business and what they are going to do about it. IT staff mark why they are bottom of the league and what they are going to do to fix highlighted vulnerabilities,” Lynch says. He adds that IT staff constantly monitor the network perimeter and IP addresses to react to any unauthorised activity.

“I'd rather know about an issue and get people to work on repairing a security hole,” Lynch says. “I am not a great fan of putting a tick in the security compliance box, unless I am certain that I am actually complying. We have to know that we are getting value out of it, and we are.”



Of cryptography and conspiracy stories

Encryption integrity is called into question following NSA leaks, says Alan Kessler, CEO of Vormetric

Since the New York Times ran a story discussing ‘DUAL_EC_DRBG' - a random number generator - controversy surrounding this algorithm has grown. NIST has advised that it not be used, while RSA warned its customers not to use it in its cryptographic library - even though it was the default algorithm.

Of the many things Edward Snowden revealed as part of his ongoing NSA exposé, evidence suggesting that DUAL_EC_DRBG contains a back door has probably had the most immediate impact on the cryptographic community. The biggest casualty has been trust - and when trust in institutions is lacking, conspiracy theories rise to take its place. With that in mind, let's take a look at the subject with our tinfoil hats on.

Random number generators are important because they are used to create cryptographic keys. One of the problems with computers from a random number generator point of view is that they are designed to be predictable, logical machines that will always give you the same answer when you ask the same question - exactly the opposite property that you want in a random number generator. 

To compensate, “pseudo random number generators” (PRNGs) were invented. PRNGs are given a “seed” value, and from then on will create a stream of numbers that appear random, but are all based on that seed number. Beyond making random-looking numbers, a good PRNG is resistant to guesses about previous and future output. The new tinfoil-hat-wearing me sees a reliable source of random numbers as crucial to the security of a system - and a brilliant place to put a back door.

In 2006, NIST published Special Publication 800-90, “Recommendation for Random Number Generation Using Deterministic Random Bit Generators”. NIST publications are taken seriously by the cryptographic community as they contain industry best practices, vetted and mature algorithms, and frequently come to be required by government certifications, like FIPS 140-2. As such, security researchers and makers of security products pay close attention to them. The twist here is that the NSA authored SP 800-90, and it describes four different types of DRBG. Two of them are based on hash functions, one is based on encryption and one is based on a “number theoretic problem”. The latter is DUAL_EC_DRBG. Why four algorithms?

The document states “in the event that new attacks are found on a particular class of DRBG mechanisms, a diversity of approved mechanisms will allow a timely transition to a different class of DRBG mechanism”.  In other words, have several algorithms ready to choose from in case one is broken. This makes complete sense, and the old me would unquestioningly agree with this statement. However, it wasn't long before it was noticed that DUAL_EC_DRBG wasn't quite right. It was slow in comparison to the others, and it had some obvious security flaws. In 2007, Microsoft showed that there were “magic numbers” that would allow it to be broken open, a “skeleton key”, such as we discussed earlier.
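To make the "seed, then a deterministic stream" idea from a few paragraphs back concrete, here is one of the hash-based DRBG mechanisms from SP 800-90 that the column contrasts with DUAL_EC_DRBG, written out in plain Python. This is an added example following the published HMAC_DRBG construction; it is not NIST's, RSA's or Vormetric's code, it has not been validated against the official test vectors, and the small reseed interval is a constructed value for illustration rather than the standard's limit. The update step after every output is the part that gives backtracking resistance: the old key and value are overwritten, so an attacker who captures the state later cannot recover earlier output.

```python
"""HMAC_DRBG from NIST SP 800-90A in plain Python (added example).

One of the two hash-based DRBGs the column mentions, written here from
the published algorithm to show what "seeded, deterministic,
backtracking-resistant" means. Not NIST's or RSA's code, not validated
against official vectors; RESEED_INTERVAL is a constructed small value.
"""
import hashlib
import hmac
import os


class HmacDrbg:
    RESEED_INTERVAL = 1000   # constructed for illustration; the standard allows far more

    def __init__(self, entropy, nonce=b"", personalization=b"", hash_name="sha256"):
        self.hash_name = hash_name
        outlen = hashlib.new(hash_name).digest_size
        self.K = b"\x00" * outlen
        self.V = b"\x01" * outlen
        # Instantiate: seed material = entropy || nonce || personalization
        self._update(entropy + nonce + personalization)
        self.reseed_counter = 1

    def _hmac(self, key, data):
        return hmac.new(key, data, self.hash_name).digest()

    def _update(self, provided_data):
        # Mixes in new data and re-keys. After this step the previous
        # K and V cannot be derived from the new ones.
        self.K = self._hmac(self.K, self.V + b"\x00" + provided_data)
        self.V = self._hmac(self.K, self.V)
        if provided_data:
            self.K = self._hmac(self.K, self.V + b"\x01" + provided_data)
            self.V = self._hmac(self.K, self.V)

    def needs_reseed(self):
        return self.reseed_counter > self.RESEED_INTERVAL

    def reseed(self, entropy, additional=b""):
        self._update(entropy + additional)
        self.reseed_counter = 1

    def generate(self, n_bytes, additional=b""):
        if self.needs_reseed():
            raise RuntimeError("reseed required before generating more output")
        if additional:
            self._update(additional)
        out = b""
        while len(out) < n_bytes:
            self.V = self._hmac(self.K, self.V)
            out += self.V
        self._update(additional)   # advance the state so this output is not recoverable later
        self.reseed_counter += 1
        return out[:n_bytes]


def same_seed_same_stream(seed):
    """Two generators seeded identically produce identical output."""
    a, b = HmacDrbg(seed), HmacDrbg(seed)
    return a.generate(32) == b.generate(32)


def different_seed_different_stream(seed1, seed2):
    return HmacDrbg(seed1).generate(32) != HmacDrbg(seed2).generate(32)


if __name__ == "__main__":
    # In real use the entropy comes from the operating system, never from a constant.
    drbg = HmacDrbg(os.urandom(32), nonce=os.urandom(16), personalization=b"example app")
    print(drbg.generate(16).hex())
```

The seed is everything: the stream is fully determined by it, which is why the column calls a random number source "a brilliant place to put a back door". A generator whose internal constants let one party predict the stream from a single output undermines every key derived from it, whereas here the only secret is the entropy the caller supplies.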

Even with this evidence, NIST kept DUAL_EC_DRBG as part of SP 800-90. So was NIST duped by the NSA or was it in league with the NSA? Many prominent security researchers warned against its use, but since it was part of the standard it was implemented far and wide. Moreover, it wasn't long before it was noticed that RSA's “BSAFE” cryptographic library used the algorithm by default. At this point, with all of the evidence pointing one direction, it's time to draw uncomfortable conclusions regarding anyone involved in implementing DUAL_EC_DRBG.



Safe Passage

The latest PCI update offers improvements to ensure security in online transactions, says Tim Lansdale, head of payment security, WorldPay. Tony Morbin reports.

After January 1, 2015, companies involved in accepting online payment by credit card will need all PCI audits to be completed against the new compliance criteria issued by the Payment Card Industry Security Standards Council (PCI SSC): PCI DSS 3.0 - the latest, triennial update that enforces best security practice in credit card payments.

The five big credit card companies - Visa, MasterCard, American Express, JCB and Discover - joined forces in 2006 to create a unified security system so that a common set of compliance rules was applied across all the schemes. In practice the rules put a lot of the onus on the merchants and service providers to ensure their systems are secure, that any outsourced third parties such as data processors also comply with the system, as well as any new technologies introduced. For large ‘Tier one' enterprises, close involvement in the development of the standards has resulted in general satisfaction with the changes. Similarly, the banks that act as ‘merchant acquirers' - ensuring the money from a cardholder's account ends up in the account of the merchant selling the goods or service - are supportive of the tighter regulations. However, challenges remain: some smaller merchants may find compliance harder, and mobile payments are not specifically covered by the new regulations.

SC Magazine UK spoke to several of the interested parties to get their perspective on the changes, and the actual or likely consequences of implementation, including the PCI SSC itself; a leading merchant acquirer, WorldPay; a major merchant, BT (formerly British Telecom); as well as an informed player in the vendor community, Trustwave.

First, SC asked Tim Lansdale, head of payment security at WorldPay, an acquirer seeking to ensure that its merchants comply with the PCI regulations, what he believes are the most important changes in 3.0 and how they will affect merchants.

“In terms of security, it's probably the unique authentication credentials required for each customer, as this accounts for nearly 10 percent of data breaches,” Lansdale says. “We saw a 500 percent increase in third-party breaches between 2010 and 2012, so making that more secure is very important.”

The most important change in terms of cost or disruption? “The requirement to improve capture of card data could be expensive for a large retail network,” he says. “For others, it could be implementation of the pass phrase - longer password - which for some could require a system upgrade.”

Implementing 3.0 will be easier for some merchants than others, with most of the difficulties at the point of interacting with the end consumer, he says. “Each merchant and payment environment needs to be considered separately. For example, the new requirement to evaluate malware threats will particularly affect those using Linux systems, as it's not a community generally affected by malware from a merchant's perspective. Therefore, they have not previously looked at this issue, but will need to do so now.”

Jeremy King, European director for the PCI SSC, explained background to the update and its timing. “PCI operates as a community, reaching out to everyone - the merchants, the vendors, the providers - and asks, ‘What's good, what's bad?' What came back was that every two years was not long enough to get fully through the update before it was changed, so in 2010 we went to three years for the update. But we don't take the old one out until a year after the new one has been around, so you have a full four years. But if you are ready, you can implement immediately.”

The council responded to both changes and challenges identified by its community of users, and those of forensic investigators who look into the breaches, and then drew up its updates aiming for steady progression without major changes. The chief problem identified was passwords, with default passwords especially causing a lot of problems, allowing criminals to get into people's systems too easily. The UK government and analyst firm PwC had identified a direct correlation between training staff and seeing a reduced likelihood of being breached and this too was considered.

“We have modified our standards to look at a few key areas,” King says. First, training. This involves training everyone who is involved in the process, from sales assistants through to top-level management. All have to understand what data security is all about. “Get this into people's mindsets and make it ‘business as usual', so that with everything you do, you think about security.”

Secondly, more flexibility is required, with passwords being a classic example. “We used to say you had to have seven alphanumeric characters, and for the past two years Trustwave reported that the most popular password in the world is ‘Password1' - which meets the requirements, but is not the best password,” King says. “Nowadays, there is more of a shift towards pass phrases - putting words together with some alphanumerics - something memorable so you don't have to write it down.” This is significantly stronger and begins to allow people to improve their security, he says. “Then train staff to update it and get it to ‘business as usual'.”

This move is welcomed by WorldPay's Lansdale, though he notes it is not without its difficulties. “Reconfiguring their password approach and complexity is the biggest issue for many merchants,” he says. While he says it's a positive move that consumers can now use password phrases, for many merchants this will require reconfiguration of their systems, and this might prove complex for some. Overall, though, he says that as the memorable phrase can now be quite long, it's an easier way of getting stronger passwords, so it's a sensible move.

Further, there is now a greater emphasis on the capture of data and the use of and response to that data when anomalies occur, with clear identification of responsibilities when using outsourced suppliers. King notes that investigators have found that almost 70 percent of breaches are directly related to poorly installed software. Most merchants don't develop software themselves, they buy it in. If it is poorly installed - e.g., if the default password hasn't been changed or the installers have switched off the firewalls to install their software and forgotten to switch it back on - then the merchant doesn't know that it is open to attack.

“In all the changes, people will remain the most important element,” says Lansdale. “There are old systems and technologies that work with the minimum of problems because they are well run, whereas there are new systems and technologies which have been poorly implemented and run, and these have problems. Technology is only a tool and it has to be used appropriately.”

One of the initiatives that the PCI SSC launched last year and is still driving forward is its programme for QIRs - qualified integrators and resellers - which is training for installers, integrators and resellers of software to make certain they have a secure process in place. The point is to allow them to go to merchants and do a much more secure job of installing software.

Highlighting anomalies

“We also find that criminals break into the systems too easily,” says King. “They can be in the system a long time - 180 to 200 days - before they are found, and you don't find them, someone else does, and you'll be told that you are the cause of the problem. So we are also trying to improve the standard around logging. The problem is that the systems will be logging things every minute of every hour, so it's important to understand how to get the anomalies highlighted from the day-to-day activities.”

Response is the key word in log maintenance, Lansdale agrees. “If you see anything untoward, you need to respond and deal with it. Previously, there was a need to create log files, but they weren't always monitored. Now if you detect changes, you must have a system in place to respond to it. It's a move away from box-ticking to best practice as ‘business as usual'.”
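King's point that systems log "every minute of every hour" and the work is getting the anomalies highlighted, and Lansdale's that a detected change must trigger a response, come down to a small amount of logic run continuously over routine log lines. The following is an added example and not from the PCI SSC, WorldPay or any merchant system: the log format, the list of default accounts, the thresholds and the sample lines are all constructed. It flags three things a merchant's logging is expected to surface: a burst of failed logins from one source (and a success right after it), any use of a default or vendor account, and successful logins outside trading hours.

```python
"""Highlighting anomalies in routine authentication logs (added example).

The log format, account names, thresholds and the sample lines are
constructed; they are not from the PCI SSC or any merchant system.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) "
    r"src=(?P<src>\S+) result=(?P<result>OK|FAIL)$"
)

# Constructed vendor/default accounts that should never log in interactively.
DEFAULT_ACCOUNTS = {"admin", "root", "manager", "posadmin"}
FAIL_THRESHOLD = 5                      # failures from one source ...
FAIL_WINDOW = timedelta(seconds=60)     # ... inside this window
BUSINESS_HOURS = range(6, 23)           # 06:00-22:59 local

# Constructed sample log, in time order.
SAMPLE_LOG = """\
2014-01-12T02:14:05 host=pos-07 user=clerk2 src=198.51.100.7 result=FAIL
2014-01-12T02:14:09 host=pos-07 user=clerk2 src=198.51.100.7 result=FAIL
2014-01-12T02:14:13 host=pos-07 user=clerk2 src=198.51.100.7 result=FAIL
2014-01-12T02:14:18 host=pos-07 user=clerk2 src=198.51.100.7 result=FAIL
2014-01-12T02:14:22 host=pos-07 user=clerk2 src=198.51.100.7 result=FAIL
2014-01-12T02:14:30 host=pos-07 user=clerk2 src=198.51.100.7 result=OK
2014-01-12T09:01:10 host=pos-01 user=clerk1 src=10.0.5.11 result=OK
2014-01-12T09:05:42 host=pos-01 user=clerk1 src=10.0.5.11 result=OK
2014-01-12T13:30:00 host=pos-03 user=admin src=10.0.5.40 result=OK
2014-01-12T13:31:00 host=pos-03 user=clerk3 src=10.0.5.40 result=FAIL
"""


def parse(line):
    """One log line to a dict, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%S")
    return ev


def analyse(text):
    """Return (alerts, unparsed): alerts is a list of (rule, timestamp, detail)."""
    alerts, unparsed = [], 0
    recent_fails = defaultdict(deque)   # src -> timestamps of recent failures
    burst_open = set()                   # sources already flagged for a burst
    for line in text.splitlines():
        ev = parse(line)
        if ev is None:
            unparsed += 1                # count, never silently drop
            continue
        ts, src, user, host = ev["ts"], ev["src"], ev["user"], ev["host"]
        fails = recent_fails[src]
        while fails and ts - fails[0] > FAIL_WINDOW:
            fails.popleft()              # slide the window forward
        if ev["result"] == "FAIL":
            fails.append(ts)
            if len(fails) >= FAIL_THRESHOLD and src not in burst_open:
                burst_open.add(src)
                alerts.append(("failure_burst", ts, f"{len(fails)} failures from {src} on {host}"))
            continue
        # From here on the login succeeded.
        if src in burst_open:
            alerts.append(("success_after_burst", ts, f"{user} from {src} succeeded after repeated failures"))
            burst_open.discard(src)
            fails.clear()
        if user in DEFAULT_ACCOUNTS:
            alerts.append(("default_account", ts, f"{user} logged in on {host}"))
        if ts.hour not in BUSINESS_HOURS:
            alerts.append(("off_hours", ts, f"{user} logged in at {ts:%H:%M} on {host}"))
    return alerts, unparsed


if __name__ == "__main__":
    found, bad = analyse(SAMPLE_LOG)
    for rule, ts, detail in found:
        print(f"{ts:%Y-%m-%d %H:%M:%S} [{rule}] {detail}")
    print(f"{bad} unparsed line(s)")
```

Two design points matter more than the rules themselves. Unparseable lines are counted rather than dropped, because a format change that silently blinds the monitor is itself the kind of change Lansdale says must be responded to. And each alert carries the rule name and the evidence, so the response procedure the standard now expects has something concrete to act on rather than a raw log volume.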

This monitoring extends to information managed by service providers that is, in turn, being monitored by merchants. It's primarily keeping on top of the paperwork and making sure that merchants focus on what they are responsible for. They will need to realise that even if they outsource, they still have residual responsibilities. This requirement draws attention to what they are, as outsourced payments still need to be compliant and the merchant will need to not only ensure that its provider remains compliant, but keep a check on them.

The requirement for service providers to explicitly identify, agree to their responsibility and inform their suppliers means that they won't want to send out such notifications, says Lansdale. “We expect this requirement to be the one that they object to most. If there is a data breach, they will be required to remediate this, and they may not want to say so beforehand - even if it was already understood to be the case.”

However, the call for more detailed data flow diagrams is unequivocally welcomed as previously many people would use network diagrams which could be complicated and confusing. “It's easier to perform scoping if you look at the data flow,” says Lansdale. “The data flow is also harder to get wrong, whereas the network can be open to interpretation. As an acquirer, this is a big tick box. You can quickly identify which network components you need to be investigating. It's a more intuitive thing than a network.”

For example, he says that in a large level one ecommerce site, a data-flow diagram might show multiple access by all three channels - online, mail order and telephone order - and where these were shared on the network. This is inherently vulnerable, he asserts, as a compromise in one area would then require the closure of all three, and the most complicated channel will decide how long the system is down. Whereas if all three channels are separate, then if one is out of compliance, it does not affect the other two while it is being brought back up to compliance.
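Lansdale's two points, that a data-flow diagram makes scoping quick and that shared components let one compromise take all three channels down, can both be checked mechanically once the flows are written down. The following is an added example, not code from the article or from any acquirer or QSA tool; the component names and the two constructed layouts are hypothetical.

```python
"""Added example: derive PCI scope and blast radius from a data-flow
description. Components and flows are constructed for a hypothetical
level one merchant with online, mail order and telephone order channels."""
from collections import defaultdict

# Where cardholder data enters for each channel.
CHANNELS = {"online": "web_front", "mail": "mo_desktop", "telephone": "call_centre"}

# Flows as (from, to, carries cardholder data?). First layout: one shared app server.
SHARED_FLOWS = [
    ("web_front", "app_server", True),
    ("mo_desktop", "app_server", True),
    ("call_centre", "app_server", True),
    ("app_server", "payment_gw", True),
    ("app_server", "analytics", False),   # tokenised reporting only, no CHD
]
# Second layout: each channel has its own application tier.
SEPARATE_FLOWS = [
    ("web_front", "web_app", True), ("web_app", "payment_gw", True),
    ("mo_desktop", "mo_app", True), ("mo_app", "payment_gw", True),
    ("call_centre", "tel_app", True), ("tel_app", "payment_gw", True),
]

def chd_path(flows, entry):
    """Components reachable from a channel's entry point over CHD-carrying flows."""
    graph = defaultdict(set)
    for src, dst, chd in flows:
        if chd:
            graph[src].add(dst)
    seen, stack = set(), [entry]
    while stack:
        node = stack.pop()
        if node not in seen:
            seen.add(node)
            stack.extend(graph[node])
    return seen

def scope(flows, channels=CHANNELS):
    """In-scope components, each mapped to the channels that depend on it."""
    owners = defaultdict(set)
    for ch, entry in channels.items():
        for comp in chd_path(flows, entry):
            owners[comp].add(ch)
    return dict(owners)

def channels_taken_down(flows, compromised, channels=CHANNELS):
    """Channels that must be closed while `compromised` is brought back to compliance."""
    return scope(flows, channels).get(compromised, set())
```

In the shared layout a compromised app server closes all three channels, while in the separated layout a mail-order application compromise closes only mail order; the same function also shows that the payment gateway is still shared by every channel in both layouts, which is exactly the kind of dependency the diagram is meant to surface.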

The world's oldest telecommunications company, London-based BT, has a different perspective. While it is a merchant that needs to ensure that its range of services is PCI compliant (with 15 different platforms, mostly operating at a tier one level), it is also a QSA, checking the compliance of others, in addition to being a provider of security services. Sarah Nicholson, security, policy and compliance at BT, told SC: “As we are a QSA ourselves, we are able to get good hard advice and guidance internally to ensure that we remain compliant, and link that advice into how we design our service.” As a merchant, the company needs to be assessed by an external QSA who will report on its compliance, and it will be meeting in early December to discuss BT's transition to the new PCI DSS standard, she adds.

“The new standard has been cascaded across BT, and we will learn from each of our platforms how they think the changes will impact on our activities,” Nicholson says. She expects some of the issues to be platform-specific and others to relate to BT's central operations; she and her team will work through with the QSA what they mean for BT. “Our range of platforms means looking in-depth and conducting monthly and quarterly meetings as new services, infrastructures or functionality are added, and conducting gap analyses each time there is a change to ensure that they are brought on stream in a compliant way.” One example of increasing functionality over the past year she points to is the company's donation infrastructure for the BBC Children in Need charity.

Candice Pressinger, head of group PCI-DSS compliance at BT, adds: “It is built into our contracts [with suppliers] and we will factor in compliance. There is segmentation of platforms so each is independently compliant with quality assurance by each of the CFOs responsible for their own system.”

Lansdale sees this transition period as an area where further improvement would be welcome. “I would like to see more low-maintenance compliance,” he says. “You get an audit and you are compliant, valid for a year. But you may be subject to merger, acquisition, introduction of multi-channel payments, and it's difficult to roll out the changes while staying compliant. PCI falls short of advice on compliance during expansion.” Temporarily being out of compliance in such circumstances should not be seen as being in breach, and some leeway should be given during change-over periods, he says.

For BT, the transition period did not seem too arduous. “We will be cascading implementation of 3.0 throughout 2014 across each of our 15 platforms, reviewing our understanding of compliance issues during the changeover,” says Pressinger. “We have started the planning stage now, with implementation scheduled from mid-2014, once we have completed our impact assessment.”

Regarding third party responsibilities, Pressinger says: “For any new part of a programme, we will look at the whole payment journey and see where BT is liable as a merchant.” The company, she says, has robust procedures in place and so is confident it already meets the requirements of the new rules in this regard. “Any time that we engage a third party this is clearly a requirement, and this assures us that the requisite assurances are requested and expected from our suppliers,” she says.

Meanwhile, BT's Nicholson explains that in 2012, when PCI compliance members were invited to suggest topics for the Council's specialist interest groups, one of the topics selected was suggested by BT. As a result, BT is now involved in two specialist interest groups, made up of QSAs and other interested parties, which have run throughout 2013 and into 2014.

“A third party ‘best practice' paper is to be issued between January and March 2014, and we will be very interested in the recommendations, some of which will already be in 3.0,” Nicholson explained. “We would then compare to see where we can make further improvements - if any.” It really is beneficial to all who are a party to this, she added.

Appropriate training

Additionally, King of the PCI SSC emphasises the requirement for appropriate training, reiterating that it is people, along with process and technology, that enable security. As an example, he recounts how the PCI SSC has evolved some of its requirements to counter recent attacks on POS terminals in which criminals pretending to be service engineers installed compromised terminals - or simply mailed a new ‘updated’ terminal with instructions to install it and return the old one to them - all looking quite official. A small merchant wouldn't necessarily know anything was wrong.

“We have had to put in additional training to ensure staff understand what their terminal looks like, take a picture, see what colour wires are going in and out,” says King. “The challenges are different between big and small merchants. We used to see the criminals going for the big merchants - and they still do - but the big merchants have got much better and mostly don't store the cardholder data and have better data security. And the criminals have seen where the weakness is. The problems are often smaller merchants going online and walking into a minefield. The challenge is to get standards and support in language that [these smaller merchants] understand - which is an ongoing action for us - for 2014 and beyond.”

For smaller merchants with self-assessment, simple language is needed, as the PCI regulations are viewed as too technical for most merchants, creating a barrier to compliance. If it's too difficult, it gets put in the back of the drawer, Lansdale says. “The previous change in documentation format - from v1 to v2 - was impenetrable. This v3 is much better. The introduction of a third column, which offers guidance, describes the context and the intent behind each rule, so it's not just an instruction. This is really useful when you are implementing a change.” When the guide notes were in a separate document no one read them, he adds. “Now they are easier to access, read and implement.”

King agrees that the old documents used to ‘bamboozle' people, whereas now, “Next to every requirement, we say, ‘this is what we mean.' Merchants are happy as they have someone to get them ready before the QSA visits. And, QSAs are happy as they have someone who understands all the questions that they ask, speaking the same language, so the time taken is reduced, efficiency has gone up and merchants are better prepared,” King says.

For the larger merchants, such as BT, the problems were always fewer. “There will be implications for running costs of implementing the recommendations, including equipment and training, but we well understand these, have budgeted for them, and have factored this into our plans,” says Nicholson. Satisfaction with v3 and the card schemes may be a size or cost issue, but she says her company has a good working relationship with the PCI SSC and with Visa. They are willing to debate and discuss issues, she says. “PCI is here and has had a positive effect. The new version strengthens corporate governance and is very important to ensure that brand integrity is upheld. It ensures we have the most rigorous standards and our customers know that we are very safe. So, from a brand perspective, regulation underpins that claim.”

Plus... Mobile remains a challenge

Talking to SC after the introduction of PCI DSS 3.0, Michael Aminzade, director of compliance delivery for EMEA and APAC at Trustwave, comments: “3.0 has done a lot of good things, but it does not specifically cover mobile payment solutions: apps, development practices and working within the mobile ecosystem generally. It's an environment that is not in the service provider's control - often not using their hardware and on an operating system that has not been established in the same way with the same control systems as more mature technology. There are tens of thousands of developers working on applications - people you will never see - and you may write a specific application for your own service, which will run alongside these apps that may have been insecurely developed, or with vulnerabilities, and you are requesting personal payment details through this platform, which may be jail-broken.”

It's a criticism which the PCI SSC acknowledges. “What you won't find in v3 is requirements specific to mobile payments,” says Jeremy King, European director, PCI SSC. “That's because for us, PCI DSS is the over-arching standard, so using mobile has to conform to PCI DSS. Behind that is a whole new raft of challenges that we, and everyone, face - whether to make payments, to accept payments or generally engage in mobile commerce.” What the Council has done is to reach out to its community, he says, linking up with the GSMA association (a group of mobile operators), as well as entering discussions with Google, Apple and others to ask how to make these things secure. “That's the challenge,” he admits, “because fundamentally it isn't secure.”

Aminzade agrees, pointing out that there has been a 400 percent increase in mobile malware seeking to capture personal payment information. “Cyber criminals are now focussing on this,” he says. For its part, Trustwave has identified six criminal syndicates with a sophisticated strategy of knowing which platforms to attack. “In contrast, staff training on point of sale (POS) device tampering is not mandated until 1 July 2015, and use of iPads as POS devices makes it easier for criminals to perform swaps as they can just buy them rather than needing to steal/duplicate POS devices.” Trustwave has found that companies have been transferring apps that worked on fixed POS devices and simply assumed they would work equally well on mobile devices. But the data is easier to access and authentication easier to bypass. In fact, some companies use staff numbers or four-digit codes for access with no extra authentication, making it easy to crack and access back-office information, raising a raft of potential issues.

As a result, Aminzade says there are two areas that he believes need to be included in any 3.0 update. First, it should cover mobile platforms. Second, risk assessment should be built out more: with an agreed-upon industry standard, implemented by a qualified person, and with reporting to a person with specific responsibility for this area.

The conclusion is that mobile device management solutions are currently not mature enough and there is a lack of people with the right skill-set as they move from Windows environments to the range of mobile operating systems, each with their own strengths and weaknesses. The administrator then has to choose between achieving the required speed to market or implementation of a full security programme.

King says that the PCI SSC, which sets up task forces where it needs specific technical advice, has had a task force on mobile running for more than a year, which is a long time for the organisation, “because the challenges of trying to secure cardholder data on mobiles are difficult and malware on Android products is a huge problem. Essentially, 3.0 says you must protect the cardholder throughout the transaction process, if you are using x, it must meet that requirement, and that's a challenge.”