Survey finds HMRC breach recommendations being ignored

Three years later and another ‘HMRC’ could happen

London, June 2010 : 24 months since the publication of the Poynter Report which was commissioned after the HMRC breach, and almost three years since the original misplaced discs came to light, and a similar breach could occur again. In a survey released today by Cyber-Ark, the leading global software provider for protecting critical information, applications and identities, has discovered that 19% of companies are still using couriers to send large or sensitive files, the insecure transfer method utilised originally by HMRC which left a disc containing child benefit information missing in London! The survey was carried out amongst 238 IT security professionals at Infosecurity Europe (London) in April.

The survey showed that some of the lessons had been heeded, with 82% of companies now having systems in place to allow them to transfer data. A further positive conversion is the decline in the use of email, from 35% in 2008 to just 16%, and a considerable increase in the adoption of secure email, up at 42%. However, it’s not all good news as a worrying 67% have now adopted File Transfer Protocol (FTP) as their preferred method to transfer sensitive data with a risky 28% trusting web based services.

Mark Fullbrook, UK Director for Cyber-Ark, explains why this strategy isn’t as secure as organisations may believe, “With FTP, and even encrypted FTP sessions, the problem arises after data has moved while it sits on the FTP or SFTP server in plain text. The nature of the beast means the service is directly connected to the internet leaving it open to violation, and as there is no audit trail, no record of who accessed the files. More alarmingly is those organisations that are using a web based offering – they may just as well stand on a street corner and give away their information as these services just weren’t designed with sensitive corporate data in mind.”

There are 10 security principles in the Poynter report, the 8th of which is that ‘Transfers of digital data involving physical media should be phased out completely’. However, our research has shown that instead of this method decreasing it would appear to be increasing. Initially 4% of respondents questioned in 2008 used the postal system to transfer large files, however this year that figure has increased to 11% as companies struggle to find simple and reliable ways to transfer large files.

Fullbrook added, “Last month Deputy Commissioner at the ICO, David Smith, said that although breach notification is currently voluntary, if he has his way there is every prospect that it would become a legal requirement. Additionally, it is well documented that the ICO has been arguing for prison sentences for those who 'con' information out of companies and sell on data. That’s on top of the £500K fines they can now impose. A secure, centralised platform for governing and managing business file-transfers, such as Cyber-Ark’s Inter-Business Vault® not only enables organisations to comply with the principles of the Data Protection Act satisfying the ICO, but adoption of this technology can also save time and money.”

From a compliance standpoint, centralising all file-transfers into a single secure, scalable governed file transfer platform enables organisations to comply with regulations such as PCI, SOX, HIPAA and Basel II by ensuring strong authentication, enforcing audit controls and providing tamper-proof audit logs.

Beyond guarding against breaches, automation enables companies, particularly those in highly-regulated sectors such as financial services and healthcare, to mitigate the business risk of sensitive data loss or exposure.

Fullbrook concluded, “It’s not just about security, it’s about the ability to ensure productivity and guarantee the integrity of business operations. Investing in the right technology and processes now will go a long way to getting ahead of the growing volume of data transfers while meeting the demand for providing a better, faster service at lower costs, securely.”

Cyber-Ark® Software is a global information security company that specialises in protecting and managing privileged users, applications and highly-sensitive information to improve compliance, productivity and protect organisations against insider threats. With its award-winning Privileged Identity Management (PIM) and Highly-Sensitive Information Management software, organisations can more effectively manage and govern application access while demonstrating returns on security investments. Cyber-Ark works with more than 600 global customers, including more than 35 percent of the Fortune 50. Headquartered in Newton, Mass., Cyber-Ark has offices and authorised partners in North America, Europe and Asia Pacific. For more information, visit www.cyber-ark.com.

Source: Eskenzi PR