IT Advice, Bedfordshire

Derrick Cameron, MD of Eximium Ltd

Learn your lesson from Revenue and Customs to avoid a security meltdown

There have been shouts of ridicule at the recent security failings of Revenue and Customs (HMRC) which enabled the sensitive details of millions of child benefit recipients to get ‘lost’ somewhere within their postal service. But there is actually an important lesson to be learnt here. It’s easy to point the finger of blame with the benefit of hindsight, but it’s an episode which business owners would do well to view as a warning and learn from. Data is a valuable resource which can be easily lost or stolen if stringent security measures aren’t in place and actively enforced. The responsibility for making sure that this happens starts right at the top of your organisation, with you, explains Derrick Cameron, Managing Director of Eximium.

Businesses across the UK and the world have spent a lot of time and money ensuring that data is well secured within the virtual world of their computer systems with limited access, passwords, encryption etc. Organisations such as HMRC no doubt have rigorous procedures to protect the data while it is inside their computers – but information exists to be used, which automatically puts its security at risk. So what procedures do you have in place to ensure the protection of your data once the information leaves the security of its virtual world?

Protecting data on the move

Start by identifying all the potential ways that sensitive information could find its way out of your systems and your organisation, and make sure you have strict policies and safeguards to address any areas of risk. Ideally, different organisations’ systems should be able to talk to each other, so that passing data between them using an insecure medium such as CDs or flash drives is unnecessary. But for many companies, this is still some way in the future, so where it isn’t possible, you need to ensure that security procedures for the physical world are at least as stringent as those for the virtual world inside your computers.

Data is at its most vulnerable when it is transferred between parties, so look at ways of making the transfer process as safe as it can possibly be. Electronic transmission methods, such as secure FTP (File Transfer Protocol) or a secure site-to-site connection using a leased line or a VPN (Virtual Private Network) over the Internet, are preferable options that ensure the data cannot be seen by unauthorised personnel.

If you have no choice but to resort to using CDs or other ‘removable media’ for the transfer of sensitive information, don’t choose to use couriers or postal services unless absolutely necessary. It’s far more secure for an employee to hand deliver the media, making sure that it has reached the correct personnel at its destination. You also need to have a policy on what happens to the media once it has been used - ideally it should be returned to the source to be destroyed. Whilst this isn’t a foolproof method, it does enable you to track your data and ensure its safe return.

Don’t let your staff be your Achilles Heel

As appears to be the case with HMRC, many security breaches are committed by the people who work for you – often unwittingly. Equally, hacking and other deliberate attempts to access secure information often begin as an approach from someone trying to get sensitive information from an employee, using a confidence trick – known as social engineering. A social engineer may well pretend to work for your company and get an unsuspecting member of staff to reveal confidential information, for example by pretending they work for your company’s IT section and asking for your employee’s password to confirm their login details are working. From here, the skilled social engineer may then be able to access your sensitive data however they want to, whenever they like – and all that information is now at risk.

However, there is something you can do to help prevent this happening in your organisation, and it is really quite simple: communication. It is often easy to assume that everyone who works within your company has the same understanding of data security as you do – but this is rarely the case. As the manager, owner or director of an organisation, it is your responsibility to ensure that those who work for you understand the what, why and how of data security.

Making policy practice

Your starting point should be a clear and practical data security policy which everyone is aware of, has read, understood and signed – even the cleaning staff. Put policy into practice and communicate the gravity of data security by making any violation a dismissible offence. Your staff must know which data is sensitive, why, and how to protect it. After all, if this isn’t made clear to your people, how can they be expected to ensure its security?

First and foremost, your staff need to understand why they must never give sensitive information out to anyone unless the proper procedure has been followed – unfortunately employees at HMRC have learnt this the hard way. In addition, if a third party does need access to data, make sure they only receive the information they need, and that any sensitive data is either encrypted, removed or disguised. In this case at Revenue and Customs, the National Audit Office didn’t actually need most of the sensitive information on the disks - like bank details - so this information was exposed to unnecessary risk. Further errors of judgment and common sense were revealed in the subsequent story of KPMG receiving copies of similar disks. In this instance, they requested only a fraction (1500 or so) of the 25 million records that they were actually sent!

Keeping control over what people can access is vital: if someone needs to retrieve sensitive information, the safest choice is to give them a user id and password which enables them to access the system directly. You can then control exactly what information they are able to see and what they can do with it. Similarly, if analysis of data is required, it is better for someone in your organisation to create a report that carries out the analysis, and send this to the third party rather than all the detailed information in the source database. The golden rule is to limit access to data so that people see only the information that they need – never expose sensitive data unless absolutely necessary.
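The golden rule above, sketched as an added example that is not part of the original article: an extract routine that releases only the rows a third party asked for, leaves out bank details and names, and disguises the remaining identifiers. The field names, the key and the sample records are all constructed for illustration.

```python
import hashlib
import hmac

# Columns the recipient needs for this request (assumed for illustration).
ALLOWED_FIELDS = ("claim_ref", "postcode_area", "weekly_amount")


def pseudonymise(value, key):
    """Swap an identifier for a keyed HMAC-SHA256 token.

    The key never leaves the data owner, so the recipient can match rows
    between extracts but cannot work back to the original reference.
    """
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def build_extract(records, requested_ids, key):
    """Return (rows, missing): requested rows only, allowed columns only."""
    requested = set(requested_ids)
    rows = []
    for rec in records:
        if rec["claim_ref"] not in requested:
            continue  # not asked for, so it stays in the source system
        safe = {
            "claim_ref": pseudonymise(rec["claim_ref"], key),
            # Disguise the address: keep only the outward part of the postcode.
            "postcode_area": rec["postcode"].split()[0],
            "weekly_amount": rec["weekly_amount"],
        }
        rows.append({field: safe[field] for field in ALLOWED_FIELDS})
    missing = sorted(requested - {rec["claim_ref"] for rec in records})
    return rows, missing


# Constructed sample records; names, references and bank details are made up.
SAMPLE = [
    {"claim_ref": "CB0001", "name": "A Example", "postcode": "LU1 2AB",
     "sort_code": "00-00-01", "account_no": "00000001", "weekly_amount": 18.10},
    {"claim_ref": "CB0002", "name": "B Example", "postcode": "MK40 3CD",
     "sort_code": "00-00-02", "account_no": "00000002", "weekly_amount": 30.20},
    {"claim_ref": "CB0003", "name": "C Example", "postcode": "SG5 4EF",
     "sort_code": "00-00-03", "account_no": "00000003", "weekly_amount": 18.10},
]

if __name__ == "__main__":
    rows, missing = build_extract(SAMPLE, ["CB0002", "CB9999"], b"constructed-demo-key")
    print(rows, missing)
```

Requested references that do not exist come back in `missing`, so a mistyped request is reported instead of being silently widened.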

The faults in security at HMRC were many, and perhaps the most serious security breach was the fact that a junior member of staff was allowed access to extract a complete database of sensitive information, coupled with the fact that they were then allowed to put that unencrypted information in a packet and post it without any need for authorisation from a senior member of staff. Whether it was HMRC policy or practice at fault, or most likely a combination of both, the repercussions of this massive security breach will be felt for a long time to come. So learn from the mistakes of these embarrassed officials and make sure that you address these issues within your own organisation – or you could be next.

Derrick Cameron is Managing Director of Eximium Ltd, who specialise in helping businesses use their IT to solve their business headaches. He has been in the IT industry for 20 years. For further information or advice on the use of IT in your business, please see www.eximium.net or call 01582 635 078.


This entry was posted on Sunday, December 2nd, 2007 at 11:18 am and is filed under Articles, IT Advice, IT Consultancy.
