Survey finds HMRC breach recommendations being ignored
Three years later and another 'HMRC' could happen
The survey showed that some of the lessons had been heeded, with 82% of companies now having systems in place to allow them to transfer data. A further positive conversion is the decline in the use of email, from 35% in 2008 to just 16%, and a considerable increase in the adoption of secure email, up at 42%. However, it's not all good news as a worrying 67% have now adopted File Transfer Protocol (FTP) as their preferred method to transfer sensitive data with a risky 28% trusting web based services.
Mark Fullbrook, UK Director for Cyber-Ark, explains why this strategy isn't as secure as organisations may believe, "With FTP, and even encrypted FTP sessions, the problem arises after data has moved while it sits on the FTP or SFTP server in plain text. The nature of the beast means the service is directly connected to the internet leaving it open to violation, and as there is no audit trail, no record of who accessed the files. More alarmingly is those organisations that are using a web based offering - they may just as well stand on a street corner and give away their information as these services just weren't designed with sensitive corporate data in mind."
There are 10 security principles in the Poynter report, the 8th of which is that 'Transfers of digital data involving physical media should be phased out completely'. However, our research has shown that instead of this method decreasing it would appear to be increasing. Initially 4% of respondents questioned in 2008 used the postal system to transfer large files, however this year that figure has increased to 11% as companies struggle to find simple and reliable ways to transfer large files.
Fullbrook added, "Last month Deputy Commissioner at the ICO, David Smith, said that although breach notification is currently voluntary, if he has his way there is every prospect that it would become a legal requirement. Additionally, it is well documented that the ICO has been arguing for prison sentences for those who 'con' information out of companies and sell on data. That's on top of the £500K fines they can now impose. A secure, centralised platform for governing and managing business filetransfers, such as Cyber-Ark's Inter-Business Vault® not only enables organisations to comply with the principles of the Data Protection Act satisfying the ICO, but adoption of this technology can also save time and money."
From a compliance standpoint, centralising all filetransfers into a single secure, scalable governed file transfer platform enables organisations to comply with regulations such as PCI, SOX, HIPAA and Basel II by ensuring strong authentication, enforcing audit controls and providing tamperproof audit logs.
Beyond guarding against breaches, automation enables companies, particularly those in highlyregulated sectors such as financial services and healthcare, to mitigate the business risk of sensitive data loss or exposure.
Fullbrook concluded, "It's not just about security, it's about the ability to ensure productivity and guarantee the integrity of business operations. Investing in the right technology and processes now will go a long way to getting ahead of the growing volume of data transfers while meeting the demand for providing a better, faster service at lower costs, securely."
Cyber-Ark Software Inc.
Cyber-Ark® Software is a global information security company that specialises in protecting and managing privileged users, applications and highlysensitive information to improve compliance, productivity and protect organisations against insider threats. With its awardwinning Privileged Identity Management (PIM) and Highly-Sensitive Information Management software, organisations can more effectively manage and govern application access while demonstrating returns on security investments. Cyber-Ark works with more than 600 global customers, including more than 35 percent of the Fortune 50. Headquartered in Newton, Mass., Cyber-Ark has offices and authorised partners in North America, Europe and Asia Pacific. For more information, visit www.cyber-ark.com.