As the fallout from the HMRC blunder continues, leading figures in the security industry have lost no time in examining where the Government went wrong and offering suggestions to companies as to how not to make the same mistake themselves.
The general consensus is that the blunder made by HMRC was as much a failure of protocol as of process, but that the incident could also be attributed to other, equally important issues of information protection that firms had to consider.
In a general briefing to media, Roy Harari, UK MD at Comsec Consulting, suggested that a breach of this kind was inevitable, and remains so without the implementation of the most basic of security audits. He added that the task for HMRC was to go about implementing a set of security policies that will ensure that the personal and financial details of millions of
David Howorth, Regional VP, EMEA sales & professional services, Verizon Business Security Solutions EMEA, told ComputerWeekly that from his perspective the reality is that losing 25 million confidential records was a failure of process and that firms should be aware of the other key issues at play. “[Whilst] it’s down to a failure of individuals within the organisation making the wrong decisions, ultimately whether you are a public or private organisation, the key thing is or lesson learnt out of this is good information security is not just about information that sits on IT systems, it’s about looking at [the issues] holistically and looking at data in whatever form it may sit in, whether in printed form or on CD or on the network and this is a common problem that exists across the industry.”
One point of view readily expressed by the IT industry has been that more advanced technology would have prevented the discs being sent, or that more advanced encryption techniques would at least have made it difficult to extract data from the missing discs. Howorth suggested, though, that there was more to the matter than just technology. “Looking at the technology solutions available to prevent this problem from happening, my personal view is that in every situation of course there is technology that can be there to support a process…but you can’t deploy technology until you understand which data you have is important and where it actually lies. We are talking about the importance of classification and [asking] where does that data lie within my organisation.