The Marathon team have been keeping a close eye on the fines levied by the Information Commissioners Office (ICO). Are these rulings having a bearing on how customers approach their investment in Security in 2020, and what does this mean for the resellers that support them?
This week, we put your questions to our Cyber Security and GDPR services lead, Peter Speck. As a founder of Marathon and the Sales Director for the company, Peter has worked in IT for more than 30 years in Projects, Technical and Security senior management roles. Having helped grow a number of VARs in that time, Peter, is closer than many to the issues being faced and he highlighted some interesting new developments.
Peter, many resellers will feel that the PCI Data Security Standard has quite a high adoption rate amongst customers. Are you surprised by the fact that some of these ICO fines still relate to breaches involving Credit Card data?
PS: The short answer is no, not really. The PCI Standard is mandated by the card vendors but driven by the Payment Card Industry Security Standards Council. The standard was created to increase controls around cardholder data to reduce credit card fraud and is designed to ensure that ALL companies that accept, process, store or transmit credit card information maintain a secure environment – although it doesn’t guarantee data protection.
Although PCI DSS has been in effect for over 10 years now, and most customers are achieving compliance, some of the world’s largest businesses have still been hit by data breaches. These fines from the ICO, highlight companies failing to patch systems regularly, a lack of audit and control over who has access to cardholder data and even basic protection controls, such as checks to stop third party vendor remote access after authorised use.
We regularly get involved with PCI projects where the customer is uncertain or misunderstands their merchant level- the tier of requirements which define what steps the business needs to take in order to comply with the standard. This can be a good starting point for resellers to get involved as customers experiencing strong growth, or those acquiring competitors, could change levels without the appropriate level of protection in place (and lose PCI compliance status at the same time).
We keep hearing that it’s important for customers to get the basics right. Has the business landscape changed in terms of IT services and support?
PS: Yes definitely, having reactive support is no longer enough and will not adequately protect customers from the threat of cyber attacks or security breaches, with the potential fines and commercial damage this causes. The Managed Services team here at Marathon see evidence of this all the time- Each and every day, they are responding to threat intelligence from customer systems and a whole range of preventative measures ensure that monitored systems are secured and threats mitigated. In fact, the only time we see security incidents is from systems where clients haven’t moved to a managed services model and still rely on a reactive support strategy.
Some of our customers have such a significant drop in security incidents that they begin to question if they still need the service – until we show them the daily threat alerts and reports!
Businesses have to be able to share data in order to operate successfully, so at a wider level, these fines point towards customers increasing the level of control they have over the information they process. This extends to both clients and suppliers taking more ownership of data sharing structures and the security that goes around it.
The NCSC continue to voice concerns about a lack of security controls within the small business community. What can be done, and is there an opportunity for resellers to do more to support this sector of the market?
PS: It’s not just the NCSC. We’ve seen more and more activity to promote security to smaller businesses across other government departments and the Police. This has resulted in some interesting initiatives that the reseller community should be aware of.
One example is a new scheme being instigated by the Police Digital Security Centre and accredited by the British Standards Institute. ‘Certified Digital Security Providers’ will become a point of reference for Police Cybercrime units, attached to each force across the UK, to drive best practice and assist in Cybercrime for small businesses. I’m pleased to announce that Marathon have become the first Cyber Security company in the UK to become a certified provider under the scheme.
The bottom line is that budget remains a major factor for small businesses. With the ICO beefing up their resources, I expect to see more programmes to get these organisations better protected and resellers should be using these as part of their overall sales strategy.
In the Public sector we are currently seeing resellers bidding to be a part of the new Cyber Security Services 3 Dynamic Purchasing System (DPS). The DPS Marketplace provides access to all procurements run by the Crown Commercial Service. Where previously, public sector organisations needed to select a CREST or NCSC accredited supplier, Cyber 3 now offers a route for resellers with other industry accreditations, to be chosen.
Do you have any questions for Peter? Call us on 020 8329 1000 or email firstname.lastname@example.org to book a meeting or set up a call to discuss. We can give you specific guidance on your questions and help position our ICO analysis, with your customer at your next meeting.