Sunday, April 20, 2008

HMRC Identity Theft problem

Oh dear - HMRC and the UK government seem to have inadvertently lost a couple of CDs holding the financial and personal details of nearly half the population. In some ways it may have some benefits - perhaps now people will look properly at security in these organisations. HMRC do actually take security very seriously - I know, I have worked on their systems in the past. They invest heavily in secure VPNs and encrypted links, and spend a great deal of money on advice for ensuring secure working practices. But as ever this vision is not joined up: it is isolated, the implementation departmentalised and in some senses just plain confused.
Security rarely makes people's jobs simpler or more straightforward - sad but true. Security is something CEOs and MDs allocate budgets to because it looks good to their shareholders, or because they are worried about the Data Protection Act or Sarbanes-Oxley.
Often a scare will inspire a sudden interest and maybe sponsorship of a security-related project. Unfortunately, as ever in life, nothing is that simple - you can spend millions on security, as HMRC do, and then someone bypasses all of it at a stroke because doing so gets the job done quickly.
Mr Darling and Her Majesty's Revenue and Customs are not alone in their singular lack of understanding of security. It happens everywhere, in any organisation: on one side we have the security team enforcing strict data management, handling and secure working practices; on the other, lots of departments completely ignoring all this advice because it makes life so much more difficult. It creates a strange sort of paradox in security - almost surreal. One department will be extremely vigilant in all security-related practices, and will soon gain a reputation for being awkward and inefficient. The next department will develop a friendly laissez-faire attitude to the security practices and will cultivate a positive, get-things-done reputation.
If I want to get home on time I know which one I want to deal with! But real security requires dedication and a real commitment - it is not a series of projects, it is a fundamental ideal of any organisation, part of its core working practices and corporate ideology. The pursuit of security does not fit in well with maximising profit or streamlining processes - yet the consequences of ignoring security can be catastrophic.
From a security perspective, HMRC have ignored so many basic security principles that it is difficult to comprehend. The classification of this data should ensure that it receives the most secure treatment, especially in transit. It is clear this was not the case: the data had not been properly classified, and no attempt had been made to secure it beyond the rather pathetic password protection. A password on a file is only as good as the encryption behind it and the handling of the password itself; it is no substitute for properly encrypting the data and controlling who can move it. It is easy to point the finger at the junior manager who authorised or arranged this, but that is certainly not where the blame lies. Copying this data to a disk should be technically impossible without senior authorisation. The value and importance of this data should be so deeply ingrained within the departmental psyche that the thought of copying it to CD and popping it in the post would set so many alarm bells ringing that it would never happen.
So is this data valuable? It is pure gold dust to the criminal fraternity - the profit potential from those two disks is difficult to imagine, but it is certainly not limited to simple bank fraud.
We will see in the next few days how the media, the public and politicians react to this incredible situation. The sheer scale of this incident, I suspect, will have major, far-reaching implications throughout the world.



