As the fallout from the HMRC blunder continues, leading figures in the security industry have lost no time in examining where the Government went wrong and offering suggestions to companies on how not to make the same mistake themselves.
The general consensus is that the blunder made by HMRC was as much a failure of protocol as of process, but that the incident could also be attributed to other, equally important issues regarding the protection of information that firms have to consider.
In a general briefing to media, Roy Harari, UK MD at Comsec Consulting, suggested that a breach of this kind was inevitable, and remains so without the implementation of the most basic of security audits. He added that the task for HMRC was to go about implementing a set of security policies that will ensure that the personal and financial details of millions of UK citizens are treated with the respect that he felt they quite obviously deserve.
David Howorth, Regional VP, EMEA sales & professional services, Verizon Business Security Solutions EMEA, told ComputerWeekly that from his perspective the reality is that losing 25 million confidential records was a failure of process and that firms should be aware of the other key issues at play. “[Whilst] it’s down to a failure of individuals within the organisation making the wrong decisions, ultimately whether you are a public or private organisation, the key thing is or lesson learnt out of this is good information security is not just about information that sits on IT systems, it’s about looking at [the issues] holistically and looking at data in whatever form it may sit in, whether in printed form or on CD or on the network and this is a common problem that exists across the industry.”
One point of view readily expressed by the IT industry had been that more advanced technology would have prevented the discs being sent, or that more advanced encryption techniques would at least have made the task of extracting data from the missing discs more difficult. Howorth suggested, though, that there was more to the matter than just technology. “Looking at the technology solutions available to prevent this problem from happening, my personal view is that in every situation of course there is technology that can be there to support a process…but you can’t deploy technology until you understand which data you have is important and where it actually lies. We are talking about the importance of classification and [asking] where does that data lie within my organisation.
“It’s key to look at the controls around that and over and above it’s key to look at a user level that people understand the importance of data and understand some of the key principles when it comes to protecting it. You can build controls into that and it’s key for any organisation, whether public or private, to make sure that at a user level there is full awareness of these risks and so people at any given moment and any given point of a process have the opportunity to question and to judge what they are actually being asked to do conforms to best process.”