After Sony, Governments Must Protect Citizens
Sony’s lack of attention to security raises an argument for governments to set minimum standards like the PCI-DSS rules, says Eric Doyle
Sony’s networking misfortunes are starting to raise wider questions about corporate responsibility. What penalties will Sony face?
The answer is: probably not enough. It has lost an estimated $2 billion off its share price but will be hit further, and possibly harder, by self-incurred expenses in cleaning up the mess, and its reputation will be tarnished for a while.
Dark clouds are gathering, especially in Germany, that hint at large fines for data breaches but Sony is a massive multinational and will probably roll with the blows.
Who gets the money raised for damages? Sony only knows who may have been damaged by personal details being leaked but has no idea which, if any, of its customers could be financially damaged.
Time For A Game-Changer
There is also the mocking laughter of Microsoft and Nintendo as they “Pacman” themselves around the games market, chomping on the power pills that Sony hoped would revive its games console market.
All this hurts Sony’s pocket and its pride but it does nothing for the long-term benefits of the myriad of punters on the Internet. It’s time to press Escape and change the game.
It is galling to find that Sony may get away with what is being viewed as technical incompetence, certainly by the millions of faithful customers it has put in the path of spamming and phishing scams, plus the feelings of financial insecurity due to Sony’s apparent lack of knowledge whether credit card information was or was not exposed.
Government bodies are now waking up to the fact that Internet commerce is a bigger threat to their citizens than they had thought and that maybe something should be done – and fines do not act as a deterrent.
The coalition government is fond of talking about public/private sector alliances and how the world of business has a lot to teach local and national government departments. It is also launching itself wholesale onto the Internet. If the world is going to be run across the Web, something has to be done to secure the people who are being forced into revealing their personal, private details over the wires.
We’ve All Been Here Before
If a companies like Sony, RSA Security and Epsilon can get it wrong, laws with heavy financial penalties should be put in place to ensure that, at least, minimum levels of security are employed. Just a minute, though, why does that sound so familiar?
The payment card industry (PCI) realised there was a threat to its customers before 2004 when a number of its constituent members decided to band together and form the PCI-DSS (Data Security Standard) and set minimum standards for security. The move was heavily criticised at the time but research has shown that PCI-DSS compliant companies suffer far fewer breaches than those who chose to avoid the DSS and offset the responsibility to centralised, third-party payment clearance companies.
The actions of the card issuers appear to have improved payment card security, though Sony insists it was compliant but has still lost some credit card details. DSS, it seems, has not secured the databases storing millions, possibly billions, of names, home and email addresses that are held by firms dealing on the Web.
It has taken a series of major breaches and seven years for governments to reach the same conclusion as the payment card issuers – so much for learning from the private sector.
Admittedly for the government to impose minimum security standards will not help hard-pressed companies in the current financial climate in the short term but, as the Sony and Epsilon breaches will show, it could save them, and their customers, from harm in the long term.
Governance Of The People, For The People
Much has been said and done in the past about corporate governance but the security issue has been avoided. So much legislation has dealt with how businesses do business with other businesses with scant mention of customers. Yet the major stakeholders in the commercial world are the legions of customers, the men and women on the proverbial London omnibus, who lack the power to force companies to deal fairly with them.
Many of these average Joes and Josephines volunteer their details in blissfull ignorace of security implications, to gain rewards, or by being cajoled and bullied into giving up their personal information to secure warranty promises and guarantees. If, as the government insists, we are entering a world of cyber warfare, the country should ensure that its ordinary citizens are protected. A Home Guard of cyber defences to protect everyone if the invaders break through the bulkhead defences.
America is waking up to the reality. The EU is starting to stir and its about time the UK government took a good look inwards, rather than outwards, at the dangers that are starting to hit its electorate. Companies should at least be required by law to have firewalls, anti-malware and encrypted customer databases.
Such measures will not protect them from insecure databases held abroad but every revolution starts with a skirmish and Britain and the other commercially developed countries should set the example for the world to follow.