HSBC hit by three million pound fine

24 July 2009

A fine of more than three million pounds imposed on three of HSBC's divisions for failing to adequately protect customer data could easily have been avoided if the banking group had made use of digital data vaulting technology, says Cyber-Ark.

"Reports that the FSA has hit HSBC's Life UK, Actuaries and Consultants plus Insurance Brokering divisions with heavy-duty fines are the direct result of the bank not using a secure mechanism to allow distributed access to customers' data," said Mark Fullbrook, UK and Ireland Director with the data integrity and security specialist, Cyber-Ark.

"Data vaulting takes the best of encryption and IT security technologies to create data silos into which data can be stored, accessed on a shared basis and edited on a controlled - and auditable - basis," he added.

Over at BeCrypt, the cryptographic specialist, Bernard Parsons, the firm's CEO, said that the HSBC incidents highlight - yet again - the need for organisations of all types to take stock of how they protect and handle data, particularly on removable forms of media.

"It also highlights the dangers of sending (out) unprotected data when a solution is available today that can quickly encrypt data and burn it onto a CD or other removable media, therefore protecting the information whilst it is in transit," said the BeCrypt CEO.

According to Parsons, the industry needs to understand how such breaches occur and what can be done to prevent them.

Should data be stolen, he said, whatever form of media it is held on, it is important to note that encryption would protect whatever data was held on it.

"It's a classic people/processes/technology conundrum: human behaviour is unpredictable - mistakes happen or intentional malicious intent can circumvent best practice guidelines," said the BeCrypt CEO.

"This is where a solid Information Assurance policy can help protect an organisation's integrity, reputation and the data it holds," he added.

Alan Calder, an information security and IT governance expert, meanwhile, said that it seems amazing that an organisation as trusted as a global high street bank should still be caught asleep at the wheel when it comes to personal data protection.

"The FSA is to be applauded for issuing this fine, because it seems that harsh financial penalties are necessary for board directors to start taking these responsibilities seriously," Calder said.

But, added Calder, who is chief executive of IT Governance Limited, the IT security governance training and best practice company, how large will fines have to be for more boards to pay attention?

"We're seeing ongoing 'fine inflation' - plainly, fining the Nationwide (building society) 980,000 pounds for a similar thing two years ago wasn't enough, so will three million do the trick? Well, at least we're hitting sums that might begin to put a dent in a banker's bonus," he said.

"However, I expect the FSA will soon have to make good on its threat to personally prosecute directors for such lapses, or else see the issue kicked into the long grass again within months," Calder added.

"What is really disgraceful is how inexpensive these things are to get right. Putting in place the standards, procedures and training that would protect millions of customers costs well under 100,000 pounds for a firm like HSBC - a drop in the ocean for a bank that earns billions from our money," he added.

Back at Cyber-Ark, company director Mark Fullbrook made the closing comment on who will eventually end up paying HSBC's fine:

"That's right, the bank's customers," he said.
