Name and shame bad security vendors, not customers, says Simplexo CTO

'Best practice' used as excuse for poor performance and needs revamp, says Simon Bain

High-profile businesses are being unfairly criticised for poor security when the real blame lies with their security solutions providers, according to the founder and CTO of search engine tech firm Simplexo.

"Over the last two to four years we've had countless failures," Simon Bain told Computing. "Global Payments earlier this year reported 1.8 million credit card [details taken], LinkedIn [had 6.5 million user details stolen], the list just goes on and on.

"Errors do occur, of course, and nobody's infallible. But in most cases, when I talk to organisations they say ‘Well, we used industry best practice, so it's OK’."

It was the late August 2012 ICO investigation of Tesco that, says Bain, made matters "come to a head".

"They're greengrocers - what do you know about IT security?" said Bain. "Why should they be slagged off in the press for having old security systems, when they spend many, many millions of pounds on people who should know better; consultants and organisations who come in and do their web services and banking services for them, all of which purport to be best practice just to excuse them?"

Bain questioned the nature of best practice at a basic level. "What is it? Who actually defines what it is? Who's checking it to make sure it still is best practice?

"It just struck me that people are using this to save themselves, while actually you and I the users are the ones getting our credit cards lost, or details stolen, and ultimately end up paying for it, rather than the organisation who put it in in the first place. That cannot be correct."


Bain said that he believed best practice had "deviated" from its original intentions, and was now only "best practice for vendor shareholders and bank balance, but certainly not customers. Who in their right mind would leave unencrypted credit cards on their databases? I could give you three or four companies who do exactly that, and whose suppliers told them ‘That's OK, because nobody can get in’."

The solution, said Bain, is for the industry to "sit down, slap itself around the head and say ‘Hold on a minute, let's look at this properly’."

"Let's not just sit back and say ‘This is the way it's been done for years, and it's right’; let's actually start looking at what's happening out there, what the new threats are, and how we can cover them."

Bain told Computing how most of the customer security threats he'd looked at in the past 18-24 months were "internal, from the network - not across the internet from people sitting in darkened rooms drinking coffee and sucking their thumb. They're people sitting in the datacentre as either employees or contractors, and who have stolen the data directly."

Bain said businesses that fall victim to cyber threats should be able to claim compensation from their security suppliers.

"Maybe it's time for the likes of Global Payments, Sony or Tesco to put clauses into their contracts that state: ‘If we have a security breach, we should claw back some of the money or, at the very least, we can name and shame you to our customers, as our supplier’. Because at the moment the only names I hear are Global Payments, Sony or Visa. I don't hear the names of the people who actually put the solutions in place.

"Best practice should be a starting point, not an end point for projects," concluded Bain. "Using such a philosophy in the private - or public - sector would be a very positive move."