It couldn't happen again, could it...?
Three years on, could another ‘HMRC’ really happen? 24 months since the publication of the Poynter Report commissioned in the aftermath of the HMRC breach, and almost three years since the original misplaced discs, a similar breach couldn’t occur again, could it…?
Well, the reality was that it took just over a year… August 2008, to be precise, when Zurich Insurance South Africa lost an unencrypted back-up tape during a routine transfer to a data storage centre. It emerged from the subsequent FSA investigation that, as there were no proper reporting lines in place, Zurich UK didn’t learn of the incident until a year later.
Zurich UK failed to take reasonable care to ensure it had effective systems and controls to manage the risks relating to the security of customer data resulting from the outsourcing arrangement. It also failed to ensure that it had effective systems and controls to prevent the lost data being used for financial crime.
And today Zurich Insurance has 2.3 million reasons to be more vigilant with its data. But does the punishment fit the crime and are we really learning any lessons… Zurich lost 46,000 customer records, and the FSA appears to have valued them at a little under £50 each in terms of the fine imposed.
Losing confidential data on insecure physical devices can damage reputations, embarrass organisations or lead to chunky fines, but the consequences can be devastating for the victims, leaving their personal details unprotected against malicious fraudsters. Why, in a digital economy, are businesses and government still using old-fashioned physical means to transfer important data? Surely this is wholly negligent. After countless examples of lost tapes, laptops and USB sticks, it is time that executives put a stop to this.
This incident raises a much wider debate about organisations’ overall approach to data security. It’s not simply a matter of increasing encryption rates; it’s about reducing the scenarios in which physical devices containing confidential information are moved around offsite. Organisations need to treat customer data with the same level of security as they do company cash. A bank wouldn’t take a year to notice missing money, so why is critical customer information being treated with a lower level of priority? Because organisations are too myopic or lazy to impose mandatory policies and procedures that enforce only encrypted electronic transfer for sensitive information, sending a USB stick is the easy option. Company executives and government ministers should mandate the abolition of removable media for data transfer and move to secure electronic means instead.
Head of Research & Content
The National Computing Centre
(ITadviser, Issue 63, Autumn 2010)