Is Your Online Provider's Security Good Enough?
08 Nov 2016
Hardly a week goes by without reports of another online service being hacked and data being stolen or passwords being accessed. Unfortunately this is just something we are going to have to deal with as we consume more and more of the services we want online. That doesn't mean, however, that we should simply accept the situation: online service providers should always apply the highest security standards and procedures to protect their customers' information.
All UK companies who process personal information are required by law to comply with the Data Protection Act of 1998 and the seventh of the eight principles contained in this act states that "appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data".
The best companies take the security of their clients' data extremely seriously and spend a great deal of time and money implementing technical and organisational measures to protect their systems from attack. You don't, however, have to take their word for it; there are a number of ways you can ascertain how secure your data is when using an online service:
1. SSL Certificate - most of us will be familiar with the padlock shown in the browser for secure websites, which tells you that the site is secure. Unfortunately this is a vast over-simplification: seeing a padlock does not by itself mean the site is secure. There are numerous types of SSL certificate, some of which are old and not secure at all, and the web server configuration also needs to be correct, otherwise methods well known to attackers can easily be used to access your data. How can you check that everything is configured as it should be? Easy - go to https://www.ssllabs.com/ssltest and enter the URL of your service provider. The test takes a couple of minutes to run and gives your provider a security rating from A to F. If they don't get an A then they are doing something wrong.
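For readers who want to perform a first-pass version of this check themselves rather than relying only on the online test, the following script is an added example (not part of the original article) that connects to a host, records the TLS protocol version that was negotiated and the certificate expiry date, and flags the most common misconfigurations: an outdated protocol, an expired or soon-to-expire certificate, and a certificate that fails validation for the hostname. The thresholds (TLS 1.2 as the minimum protocol, 30 days as the expiry warning) are assumptions chosen for the example, not values taken from the article or from SSL Labs' grading scheme.

```python
import socket
import ssl
from datetime import datetime, timedelta, timezone

# Assumption for this example: anything older than TLS 1.2 is treated as a
# failing configuration, and a certificate within 30 days of expiry is a warning.
ACCEPTABLE_PROTOCOLS = {"TLSv1.2", "TLSv1.3"}
EXPIRY_WARNING_DAYS = 30


def assess_endpoint(protocol, not_after, now, verified):
    """Return a verdict for one observed TLS connection.

    protocol   - protocol string as reported by the socket, e.g. "TLSv1.3"
    not_after  - certificate expiry as a timezone-aware datetime
    now        - current time as a timezone-aware datetime (passed in for testability)
    verified   - True if the certificate chain and hostname validated
    """
    issues = []
    if not verified:
        issues.append("certificate failed validation (untrusted chain or hostname mismatch)")
    if protocol not in ACCEPTABLE_PROTOCOLS:
        issues.append(f"negotiated {protocol}; TLS 1.2 or newer is required")
    days_left = (not_after - now).days
    if days_left < 0:
        issues.append("certificate has expired")
    elif days_left < EXPIRY_WARNING_DAYS:
        issues.append(f"certificate expires in {days_left} days")
    return {"ok": not issues, "issues": issues, "days_left": days_left}


def probe(hostname, port=443, timeout=5.0):
    """Connect with the platform's default trust store and collect the facts
    that assess_endpoint() needs. Requires network access; not used by the test."""
    context = ssl.create_default_context()  # verifies chain and hostname by default
    verified = True
    try:
        with socket.create_connection((hostname, port), timeout=timeout) as sock:
            with context.wrap_socket(sock, server_hostname=hostname) as tls:
                cert = tls.getpeercert()
                protocol = tls.version()
    except ssl.SSLCertVerificationError:
        # Re-connect without verification purely to read what the server presents,
        # so the report can still show the protocol and expiry of the bad certificate.
        verified = False
        context = ssl.create_default_context()
        context.check_hostname = False
        context.verify_mode = ssl.CERT_NONE
        with socket.create_connection((hostname, port), timeout=timeout) as sock:
            with context.wrap_socket(sock, server_hostname=hostname) as tls:
                cert = tls.getpeercert(binary_form=False) or {}
                protocol = tls.version()
    now = datetime.now(timezone.utc)
    if "notAfter" in cert:
        not_after = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), tz=timezone.utc)
    else:
        not_after = now  # unverified connections may expose no parsed certificate fields
    return assess_endpoint(protocol, not_after, now, verified)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "example.com"
    result = probe(target)
    print(target, "OK" if result["ok"] else "ISSUES")
    for issue in result["issues"]:
        print(" -", issue)
```

Run it as `python check_tls.py provider.example` to get a quick verdict. Note that this only inspects the single connection your client negotiated; the SSL Labs test goes much further (cipher suite ordering, support for known-weak protocols the server would accept from other clients, certificate chain details), so treat this script as a sanity check, not a replacement for the full test.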
2. ISO27001 - this is "a specification for an information security management system"; in other words it tells a company how to create a set of policies, checks, controls and logs that can be used to ensure that best practices are followed to protect confidential information. If a company receives official certification to the ISO27001 standard then you know you can trust them with your data. Unfortunately there is no central list of certified companies; however, they should be displaying the certification logo on their website and should be happy to send you a copy of their certificate.
Does your current online service provider get top marks? If they don't get an A or don't have ISO27001 should you really be trusting them with your data?
Richard Knaggs
Head of IT & Information Security