HMRC breach recommendations being ignored
24 months since the publication of the Poynter report which was commissioned after the HMRC breach, and almost three years since the original misplaced discs came to light, and a similar breach could occur again.
A survey by Cyber-Ark has discovered that 19% of companies are still using couriers to send large or sensitive files, the insecure transfer method utilized originally by HMRC which left a disc containing child benefit information missing in London! The survey was carried out amongst 238 IT security professionals at Infosecurity Europe.
The survey showed that some of the lessons had been heeded, with 82% of companies now having systems in place to allow them to transfer data. A further positive conversion is the decline in the use of email, from 35% in 2008 to just 16%, and a considerable increase in the adoption of secure email, up at 42%. However, it’s not all good news as a worrying 67% have now adopted FTP as their preferred method to transfer sensitive data with a risky 28% trusting web based services.
There are 10 security principles in the Poynter report, the 8th of which is that “Transfers of digital data involving physical media should be phased out completely’. However, our research has shown that instead of this method decreasing it would appear to be increasing. Initially 4% of respondents questioned in 2008 used the postal system to transfer large files, however this year that figure has increased to 11% as companies struggle to find simple and reliable ways to transfer large files.
From a compliance standpoint, centralizing all file-transfers into a single secure, scalable governed file transfer platform enables organizations to comply with regulations such as PCI, SOX, HIPAA and Basel II by ensuring strong authentication, enforcing audit controls and providing tamper-proof audit logs.
Beyond guarding against breaches, automation enables companies, particularly those in highly-regulated sectors such as financial services and healthcare, to mitigate the business risk of sensitive data loss or exposure.