A programmer and system designer by trade, Lord Erroll knows a thing or two about technology. Today, Merlin, the Earl of Erroll, is the spokesman for the House of Lords Science and Technology Select Committee’s report on personal internet security. Here he briefs GB on the security issues that should be keeping you awake at night.

Growing Business: Small businesses have very different security requirements to those of larger enterprises. What do you think the biggest threats are in terms of internet security for small and medium-sized businesses?

Lord Erroll: It depends. On the compliance side, if you’re a small business and you’re taking credit card details over the internet and something goes wrong, you end up liable for that transaction. This could hit your business quite hard.

Also, phishing is something that worries me hugely. This very much applies to large businesses because they’re the people who the phishing attacks are against at the moment. I think it’s harder for small businesses to think about this. But it may be worth - particularly if they are involved in high value transactions - having some way of authenticating themselves so the customer knows they’re on the right website.

I don’t think small businesses are going to be as vulnerable to that kind of attack as the perpetrators will be more interested in large businesses. But cybercrime attacks may spread out a little. You find that the large businesses have hardened themselves so they’ll start attacking the next scale of business down.

GB: By now we all know that technology only forms part of the solution and that raising awareness plays a crucial part. Whose responsibility is it to educate users?

LE: It’s everybody’s responsibility. You can’t force people to be educated if they don’t want to be and they are not interested. But the education’s got to be relevant to the customer’s awareness of the problem at the time. Sometimes it’s a good idea for governments to have some initiatives out there and to start introducing things at an early stage, in schools for example. Get Safe Online is a good initiative which is already out there and I think the government is going to put more money behind it. But you’ve still got to persuade people to go and visit the site.

Unfortunately, very often people are reactive. They don’t start learning about something until something goes wrong. And I am afraid there will always be some gullible idiots out there and there are people who don’t have the time – there is always something more important to do so they don’t learn until too late. And I think we have to accept that to a certain extent.

GB: Last year the government claimed that the current regime was ‘fit for purpose’. Four weeks later we had the HMRC debacle. Do you think government is now taking information management and cybercrime seriously?

LE: Yes, definitely. I was talking to the Minister [of Information] two days ago. They’re putting £15m into the national fraud reporting centre and they have now come to realise you need some teeth to it, you need to enforce it. I hope they’re not going to be silly enough not to fund the national e-crime unit, who would go out and do something about it. They are certainly looking at other things like funding. I think they’re beginning to realise that they’ve got to do something; they can’t just wait for the world to go by.

The HMRC discs were very useful from that respect; they woke everyone up without any damage being done. Well apparently…

GB: Can you see a time when a qualification such as the European Computer Driving Licence might be mandatory? We obviously have to take driving lessons and a test before we can drive a car because of its implications for other road users. Do you think it should be the same for computer users?

LE: What worries me about those things, and particularly with the current rate of advance in the way we do things online, is that you are being tested on something that’s five years out of date. And what are you going to test on? Social networking behaviour? Web 2.0? Etiquette in how you handle people’s personal data? I don’t know. I think it depends what you are trying to teach.

I am a little cynical about it. A lot of these initiatives sound great on paper because people say that something needs to be done about it. But will it be effective? Will it really change behaviour? Will it really prevent the bad guy doing what they want?

For small and medium sized enterprises, the world is a difficult place I’m afraid. It is essential to allocate a bit of budget to speak to some people who know what they’re talking about in order to decide what the risks are that you need to mitigate. And that is a problem: it always comes down to budget.

One of the problems with small businesses and start-ups is the fact that if you’re lucky enough not to get caught by something going really wrong in your first few years, you’re one of the success stories. All too often something comes from left-field and takes you out before you’re big enough to be doing all the things you should be doing to protect yourself. And that’s being an entrepreneur.