Shutting the door on data breaches

When HMRC lost discs containing the personal data of 25 million people last November, the security industry was given some serious ammunition to pitch products to prevent data leakage.

The HMRC records breach was continually used as a reference point in the following months and the government kindly did its bit to keep the issue at the top of the agenda with further data breaches.

The response to the incident is a hefty 109-page report from Kieran Poynter, chairman and senior partner at PricewaterhouseCoopers, which contains several recommendations that will grab the channel's attention.

In a section entitled "what does good information security look like?" Poynter outlines several areas that resellers have been pushing, including implementing security policies, access controls and management tools to monitor infrastructure.

"As far as we can tell, no principles exist to govern how the public sector should approach information security and what the contract should look like between it and its customers," states the report.

The report then lists 10 steps to be taken, including ending the practice of transferring data on physical media, and encrypting computers and removable media so that, if they are lost or stolen, no data or information on them can be accessed.

Dave Ellis, director of e-security, professional services and training at Computerlinks, said Poynter's report would maintain the focus on encryption. He believed the current market resembled that enjoyed by anti-virus vendors a few years ago.

"If you spoke to anti-virus vendors about four years ago, there was so much attention on outbreaks in the media with people having their fingers burnt it helped the channel. The HMRC and other data loss problems have had the same effect," he said.

Ellis said anything that gave resellers the chance to start a conversation about encryption, before developing it into a pitch for the bigger picture, would be welcome.

Those on the front line responding to the strong demand for encryption products pointed out they were already getting customers to look beyond encryption.

"There is evidence of increased awareness for the requirements of better security, but it is not just encryption. There has been interest in compliance in a wider sense," said Bernard Parsons, chief executive at BeCrypt.

Despite the high-profile data leaks, there are continuing signs that large parts of the customer base have yet to deploy encryption.

Erol Mustafa, head of IT internal services at Ernst & Young, said the findings of a survey it had undertaken among CIOs and internal administrators had revealed there was still complacency among businesses.

According to the consultancy, specialist internal audit heads ranked corporate breaches and data privacy regulation sixth in their top 10 IT risks for the organisation, while for CIOs it only just made it onto the list, in ninth place.

"On the one hand CIOs are saying IT security is the key risk, but privacy and fraud are much lower priorities. There has been a historic failure to recognise that security is a much broader issue," said Mustafa.

The feeling that there was still a large untapped market for the channel to target was backed up by other channel players.

Nick Lowe, managing director for Northern Europe at Check Point, said: "The Poynter report recommendation that computers and removable media should be encrypted is absolutely right. This is where there's a real channel opportunity. When we surveyed UK companies after the HMRC leak in December last year, 52% had no data encryption deployed at all."
