Businesses that fail to keep private data secure could be in trouble as the Information Commissioner's Office extends its beady eye beyond breaches in the public sector. Bean counters at Syscap pointed out that with the ICO issuing more warning notices and ramping up its fines, small businesses in particular could be at risk as …
This has left some old or redundant systems open to data lapses," claimed White.
Something about this doesn't quite ring true. It should be possible to (at least try to) ensure data is secure without needing to upgrade the equipment. Encryption etc. can be done for free (although businesses do tend to want key management systems etc.). At the end of the day, if you've got a Windows 2000 machine that can't be upgraded (because you can't afford it, and there are no longer updates coming through), the answer is quite simple: don't use that machine for customer data.
Things are tight for small businesses, and due to their size they won't always include someone who knows what needs to be done (leading to extra cost as you need to hire someone in), but customers are essential to the business. Risking their data is not a good long-term business plan, in any sense, and businesses need to become more aware of this; blaming it on old hardware just doesn't cut it, IMHO.
"Something doesn't quite ring true..."
I quite agree.
The problem is not so much about the old systems as what small businesses do with them. I would add that the biggest risk for a small business is probably that they just don't realise how data protection applies to them. Consequently they won't organise and control the data as well as they should, nor educate their own staff as well as they need to.
Upgrading to the latest super-duper kit isn't going to help there.
You're being single-minded.
Data protection is not only about encryption. If you're going to leave the window open, there is no point in locking the door.
There are other facets as well, such as IPS, traffic analysis, user access control and archiving. These go hand in hand with encryption, and to do these reliably you need some pretty expensive tools (or pay somebody a lot of money to set up very complex open source tools, then hire a department of administrators to run them).
Before you ask if these are needed: yes, any SME heavily reliant on IT should have these... Especially if you work in a heavily regulated industry like mine (which has the FSA, OFT, ASA and DPC each trying to chuck ever-changing regulations at us).
There is more to come, sorry...
I expect we will publish in 1 or 2 weeks the result of a study that shows that some IT measures, especially ones SMEs take to minimise costs, result in even more Data Protection violations, and grave ones at that.
At the moment it's a toss-up who will get it first, Outlaw or El Reg. Probably both at the same time.