Friday, June 27, 2008

HMRC data loss findings

When the UK government, more specifically HM Revenue & Customs (HMRC), lost CDs containing 25 million child benefit records last year, it was front page news for a whole week. I wrote about it at the time and gave my usual two cents.

They've been in the news again for the past couple of days, as the findings from the independent investigations into the incident have just been released. I've been watching Prime Minister Gordon Brown and Chancellor Alistair Darling back-pedalling in parliament all week under attack from the opposition party on the issue.

It's not too difficult to find the story online, but here (link 1, link 2, link 3) are a few to get you started.

One of the findings stated that:
"Staff found themselves working on a day-to-day basis without adequate support, training or guidance about how to handle sensitive personal data."

Another report stated that there was
"no visible management of data security at any level."
The reports also made it clear that no single person working for HMRC was to blame.

If you don't feel like reading my lengthy post on the incident last year, I'll highlight a section from that post here:
The chances of something like this occurring would have been far less if HMRC had properly implemented the following (in order of importance):
  1. Decent security awareness training and education - User awareness will drastically reduce bad practices. People don't want to do the wrong thing. They just don't know when they are doing the wrong things.
  2. More security training and education - Keep it fresh and up-to-date. Things change VERY quickly in the IT security game. It also helps to remind people from time to time that security is important. It NEEDS to be part of corporate culture because otherwise, things just fall in a heap.
  3. Properly defined identity and resource/data access policies - Know what systems, applications, resources and data you need to protect and who should have access to them. Without this, all the technology in the world will not help.
  4. Properly implemented policies supported by relevant technology solutions - Policies alone will not protect you against the bad guys and the "idiot" (too stupid to understand the security policies) or "lazy" (can't be bothered reading the security policies) user. There are also many of us who fall into the "I know I shouldn't be doing this but I'm not doing this as a bad guy - I just want to make my job easier" category.

Looks like I wasn't too far off the mark. At the core of the failure was indeed the age-old problem of minimal (or no) security awareness training and education, and the lack of any management oversight and controls.

Apparently the government have been doing something about it and have in fact finished implementing some of the initiatives. That's not surprising given the amount of publicity the incident generated and the beating they took over it. Hopefully they keep at it and also apply the same controls across other departments (unlikely to happen any time soon, but one can hope).

Now, if only they could figure out how to stop employing senior officials who are idiots and leave top secret documents on trains (see here and here).
