Chancellor Alistair Darling has been widely castigated since he blamed a breach of internal procedures at HMRC for the loss of the records. In his address last Tuesday he told a packed Commons that a junior employee was chiefly responsible because he went against orders when he fatefully used the department’s untracked internal mail system to send password-protected discs containing a full, unencrypted copy of HMRC’s child benefit data to the NAO.
But IT chiefs have said that the incident should not be used simply to bait the government but must serve as a reminder about organisations’ ongoing security obligations and strategies while maintaining service and efficiency levels.
Richard Gifford, IT director of construction and property firm Rok, said the lost data “serves as a good reminder to all of us to make sure we have the appropriate security measures in place and to think before transmitting information.”
He said it was “clearly worrying” that government agencies that are used to handling sensitive information could make such mistakes, and the breach should prompt “a review of all agencies, with the scope extending to people, processes, technology as well as physical access.”
Colin Simpson, group systems manager of brewery and pub retailer Fullers, said it was “clearly difficult to legislate for someone not following procedure but this is really a management issue rather than an IT one.”
And among public sector IT chiefs, there was even stronger-worded concern that systems be put in place to stop such fundamental lapses.
Richard Steel, CIO of Newham council in East London, said he was “appalled” by the HMRC breach, while Hampshire council’s IT chief Jos Creese said: “It is essential for all public service organisations, if they are to have the confidence of the public regarding the way in which they hold and use confidential and private information, that the necessary procedures and controls are in place.”
Creese said Hampshire’s approach had been to adopt the ISO27001 security standards and treat security and confidentiality of data very seriously.
He added: “Fortunately, to date we have had no incidence of loss of confidentiality or breach of privacy, but it is a constant concern even though we work to reduce risks.”
Steel said of Newham’s practices: “We are introducing role-based access to databases, have introduced a ‘password safe’ to provide staff with their own ability to recover lost passwords, and minimise the temptation for them to write them down. And we are pursuing identity management and authentication initiatives.”
In the private sector, one IT chief said the key lesson of the breach was that “there is a balance to be struck between locking everything down behind impenetrable walls and achieving a level of flexibility that enables businesses and their customers to embrace changing priorities and technology opportunities.”
Another admitted that his firm had “probably not done enough” security-wise. “But aside from the normal policy and procedures, the skills and ability to extract customer, supplier or financial data is limited to very few people,” he added.
“The steps that would need to be taken do not include a simple menu option and the placing of a CD/DVD in a drive – in our case it would need SQL skills, knowledge of database structures and the appropriate permissions. Difficult, but not impossible for someone with the intent, skills and access.”
Some CIOs admitted that they were not taking any extra steps to ensure security, but several said the board was likely to be that much keener to learn of security policies and to understand whether the IT department and wider management believe there is an issue.