Blame organisational failure not junior staff over lost HMRC records


During the past few months there has been a litany of reports involving the loss of personal information that is highly valuable to criminal organisations.

The Information Commissioner has highlighted these breaches in numerous reports. Do data holders think they can simply ignore him or do they just not understand what good practice really is?


It is naïve to blame junior officials for the HM Revenue and Customs (HMRC) data leak, rather than organisational failure. When it comes to data management, the human element is often the weakest link, while education is usually a low priority. An assumption prevails that people will do the 'right thing'. This is a dangerous approach. You have to ask what training the 'junior staff' received that would enable them to recognise the dangers of their actions.

Often organisations have information security policies that concentrate on the infrastructure that holds the data, but ignore securing the data itself. The IT security policy sits in the shiny folder on the shelf and gives them a warm and comfortable feeling. Unless the policy is taken off the shelf occasionally for testing and review, the folder provides only a false sense of security.

Even if the HMRC has good security practices, you have to question when the policies were last tested.

For everyone’s sake, this incident must be the wake-up call for those with responsibility for the security of personal information, whether in the public or private sector.

The fact that it has taken over a month since the incident for the government to tell the public, banks and police suggests that the incident response procedures were also not effective. Incident response plans are an integral part of information security best practice and should kick in immediately after an incident occurs.

The government has been lucky on this occasion in that it is possible that the discs have not fallen into the hands of a criminal organisation. If they had, the time between the incident and the response would have given them ample opportunity to maximise their potential gains and cause pre-Christmas misery for thousands.
