A data breach like HMRC's loss of 25 million child benefit records on two optical storage discs could very easily happen again, a survey has revealed.
The Poynter review recommended that the transfer of digital data involving physical media should be phased out and replaced by secure electronic exchange methods.
But 19% of companies are still using couriers and 11% are still using postal services to send copies of large or sensitive files, a survey of more than 200 IT security professionals at Infosecurity Europe found.
Some 28% are relying on web-based services and more than two-thirds (67%) have adopted File Transfer Protocol (FTP) to send sensitive data, the survey found.
"Web services are risky and FTP is not as secure as organisations believe," said Mark Fullbrook, UK director of security firm Cyber-Ark, which commissioned the survey. "With FTP, and even encrypted FTP sessions, the problem arises after data has moved while it sits on the servers in plain text."
The service is directly connected to the internet, leaving it open to abuse, and there is no audit trail or record of who accessed the files, said Fullbrook.
"More alarming is those organisations using a web-based offering. They may just as well stand on a street corner and give away their information as these services were not designed with sensitive corporate data in mind," he said.
Addressing the problem
However, the survey showed some improvements too, with 82% of respondents indicating they had systems in place to allow them to transfer data.
Fewer organisations are relying on e-mail to transfer data, with only 16% still using it, down from 35% in 2008.
Centralising all file transfers into a single secure, scalable governed file transfer platform enables organisations to comply with most regulations by ensuring strong authentication, enforcing audit controls and providing tamper-proof audit logs, said Fullbrook.
"Beyond guarding against breaches, automation enables companies, particularly those in highly regulated sectors such as financial services and healthcare, to mitigate the business risk of sensitive data loss or exposure," he said.
Since 6 April, the Information Commissioner's Office has been empowered to fine UK organisations up to £500,000 for serious data breaches.