Survey finds HMRC breach recommendations being ignored

Three years later and another 'HMRC' could happen

(PresseBox) ( Dedham, )
24 months since the publication of the Poynter Report which was commissioned after the HMRC breach, and almost three years since the original misplaced discs came to light, and a similar breach could occur again. In a survey released today by Cyber-Ark, the leading global software provider for protecting critical information, applications and identities, has discovered that 19% of companies are still using couriers to send large or sensitive files, the insecure transfer method utilised originally by HMRC which left a disc containing child benefit information missing in London! The survey was carried out amongst 238 IT security professionals at Infosecurity Europe (London) in April.

The survey showed that some of the lessons had been heeded, with 82% of companies now having systems in place to allow them to transfer data. A further positive conversion is the decline in the use of email, from 35% in 2008 to just 16%, and a considerable increase in the adoption of secure email, up at 42%. However, it's not all good news as a worrying 67% have now adopted File Transfer Protocol (FTP) as their preferred method to transfer sensitive data with a risky 28% trusting web based services.

Mark Fullbrook, UK Director for Cyber-Ark, explains why this strategy isn't as secure as organisations may believe, "With FTP, and even encrypted FTP sessions, the problem arises after data has moved while it sits on the FTP or SFTP server in plain text. The nature of the beast means the service is directly connected to the internet leaving it open to violation, and as there is no audit trail, no record of who accessed the files. More alarmingly is those organisations that are using a web based offering - they may just as well stand on a street corner and give away their information as these services just weren't designed with sensitive corporate data in mind."

There are 10 security principles in the Poynter report, the 8th of which is that 'Transfers of digital data involving physical media should be phased out completely'. However, our research has shown that instead of this method decreasing it would appear to be increasing. Initially 4% of respondents questioned in 2008 used the postal system to transfer large files, however this year that figure has increased to 11% as companies struggle to find simple and reliable ways to transfer large files.

Fullbrook added, "Last month Deputy Commissioner at the ICO, David Smith, said that although breach notification is currently voluntary, if he has his way there is every prospect that it would become a legal requirement. Additionally, it is well documented that the ICO has been arguing for prison sentences for those who 'con' information out of companies and sell on data. That's on top of the £500K fines they can now impose. A secure, centralised platform for governing and managing business filetransfers, such as Cyber-Ark's Inter-Business Vault® not only enables organisations to comply with the principles of the Data Protection Act satisfying the ICO, but adoption of this technology can also save time and money."

From a compliance standpoint, centralising all filetransfers into a single secure, scalable governed file transfer platform enables organisations to comply with regulations such as PCI, SOX, HIPAA and Basel II by ensuring strong authentication, enforcing audit controls and providing tamperproof audit logs.

Beyond guarding against breaches, automation enables companies, particularly those in highlyregulated sectors such as financial services and healthcare, to mitigate the business risk of sensitive data loss or exposure.

Fullbrook concluded, "It's not just about security, it's about the ability to ensure productivity and guarantee the integrity of business operations. Investing in the right technology and processes now will go a long way to getting ahead of the growing volume of data transfers while meeting the demand for providing a better, faster service at lower costs, securely."
The publisher indicated in each case is solely responsible for the press releases above, the event or job offer displayed, and the image and sound material used (see company info when clicking on image/message title or company info right column). As a rule, the publisher is also the author of the press releases and the attached image, sound and information material.
The use of information published here for personal information and editorial processing is generally free of charge. Please clarify any copyright issues with the stated publisher before further use. In the event of publication, please send a specimen copy to