Fallout from HMRC debacle spurs security advice

General consensus that HMRC's blunder was as much a failure of protocol as of process, but the incident could also be attributed to other, equally important issues

As the fallout from the HMRC blunder continues, leading figures in the security industry have lost no time in examining where the Government went wrong and offering suggestions to companies on how to avoid making the same mistake themselves.


The general consensus is that the blunder made by HMRC was as much a failure of protocol as of process, but that the incident could also be attributed to other, equally important issues concerning the protection of information that firms had to consider.


In a general briefing to media, Roy Harari, UK MD at Comsec Consulting, suggested that a breach of this kind was inevitable, and remains so without the implementation of the most basic of security audits. He added that the task for HMRC was to go about implementing a set of security policies that will ensure that the personal and financial details of millions of UK citizens are treated with the respect that he felt they quite obviously deserve.


David Howorth, Regional VP, EMEA sales & professional services, Verizon Business Security Solutions EMEA, told ComputerWeekly that from his perspective the reality is that losing 25 million confidential records was a failure of process and that firms should be aware of the other key issues at play. “[Whilst] it’s down to a failure of individuals within the organisation making the wrong decisions, ultimately whether you are a public or private organisation, the key thing is or lesson learnt out of this is good information security is not just about information that sits on IT systems, it’s about looking at [the issues] holistically and looking at data in whatever form it may sit in, whether in printed form or on CD or on the network and this is a common problem that exists across the industry.”


One point of view readily expressed by the IT industry was that more advanced technology would have prevented the discs being sent, or that stronger encryption would at least have made it difficult to extract data from the missing discs. Howorth suggested, though, that there was more to the matter than just technology. “Looking at the technology solutions available to prevent this problem from happening, my personal view is that in every situation of course there is technology that can be there to support a process…but you can’t deploy technology until you understand which data you have is important and where it actually lies. We are talking about the importance of classification and [asking] where does that data lie within my organisation.


“It’s key to look at the controls around that and over and above it’s key to look at a user level that people understand the importance of data and understand some of the key principles when it comes to protecting it. You can build controls into that and it’s key for any organisation, whether public or private, to make sure that at a user level there is full awareness of these risks and so people at any given moment and any given point of a process have the opportunity to question and to judge whether what they are actually being asked to do conforms to best process.”
