Experts claim that HSBC fine could have been avoided and more could be on the way
Jon Rolls, vice president of product management at ScriptLogic, claimed that the fine imposed by the Financial Services Authority (FSA) was a clear example of what happens when a company does not take enough responsibility to train staff as part of its security policy and to enforce that policy using a variety of access control measures.
Rolls said: “Organisations need to force security policies onto all computers and ensure strong access controls are in place, as well as lock down laptops and restrict use of removable storage, to limit the data users can access or store locally on their computers.
“Yes, in this economy, with dwindling IT budgets, it's hard to find money to invest in solutions to put all these controls in place; however the cost of failing to do so is so much higher - and HSBC has found out the hard way.”
“Simple security measures can go a long way in protecting a business' IP, but IT has to put a plan in place to enforce those tactics, and the use of solutions which automate and centralise management of security is essential in order to achieve this in a timely and efficient fashion.”
Steve Moyle, co-founder and CTO at Secerno, claimed that even though no customer has reported any loss from these incidents, the FSA was sending a strong message to all UK financial services firms.
Moyle said: “At issue is how careful HSBC was with the customer data, rather than the outcome relating to these breaches. This last point should be resonating with all financial services firms, as well as those that handle customer data. No HSBC customer experienced a loss from these breaches, but the FSA has still called the company to task for being careless and for failing their customers.
“There is some good news for HSBC in this. By cooperating, they have seen their fine reduced from a potential £4.5 million, savings that can be used for better protection. The bad news for all of us is that the fine was really insignificant in the grand scheme of things. A few million pounds is still only loose change for these organisations, even in these times.”
Mark Fullbrook, UK and Ireland director at Cyber-Ark, claimed that the incident could have been avoided if the banking group had made use of digital data vaulting technology.
Fullbrook said: “If the bank had made a modest investment in IBV technology then it could have prevented this embarrassing - and expensive - situation occurring. And you can probably guess who will end up paying for this mistake in the longer term - that's right, the bank's customers.”