Jonathan Lloyd-White, director of security and information at HMRC, was speaking at a conference hosted by thinktank Reform in London last week, where he was unexpectedly candid on the group's information security practices, detailing everything from its new phishing training programme and support for security from the board, to using Apache Hadoop and the launch of its new Cyber Security Command Centre.
Lloyd-White spoke openly about all the changes, and was especially keen to highlight the importance of data security, especially in light of all the personal information it collects from taxpayers each year.
“We sit on quite a lot of data; personal tax affairs, business accounts, pensions, payrolls…pretty much everything about you and the world you're in. It's a very large amount of data that we hold. So you can imagine that security is kind of important to us,” he said, before indicating that HMRC being part of the critical national infrastructure.
He spelled out the seriousness of it just moments later: “HMRC takes security very, very seriously. It's in our DNA, its part of our legislation and enshrined in the Commissioner Revenue and Customs Act. It means if I call it wrong, I can up in jail for two years.”
Nonetheless, he added: “We have a very strong security culture in HMRC, we have a good reporting culture, we have long conversations about security in the organisation all the time, and I have a lot of conversations with my board on security – I don't have to shout to get attention on the subject, which I think is great.”
“We spend a lot of time talking board level at risk appetite and how we keep pace with technology change. I also held board members to account for their performance in the area of security.
“So it's definitely part of our agenda all day every day…but we have to balance that with aim to provide excellent customer service and experience online.”
Part of this online experience ties in with the government's intention to offer more digital services, and Lloyd-White says that HMRC is aiming to make “your data as open as we can”.
“We're also trying to stop the bad habit of asking for your data over and over again, and collecting it from one place so we don't keep asking the same questions.”
Consequentially, the taxman has consolidated all of its data into one place on Apache Hadoop, so they can take “12 hours to analyse and integrate all that data more effectively.”
“That brings security challenges as you can imagine, putting all analytical data in one place, but also provides huge opportunity for security improvements,” said Lloyd-White, who is also head of the security profession across UK government.
“So, we're really innovating in this area, bringing in new encryption and tokenism techniques, which allows me, as security director in HMRC, to have much more granular view of what going on in analytical environment so can allocate data access to specific people in much more refined way than in the past.”
He continued that HMRC is using big data analytics to “see what's happening across networks”, as well as monitoring to understand fraud and “what's happening on our boundaries”. On the latter, he said: “It allows us to warn customers where we see things like out of date browsers or potential malware. We have process now for alerting customer where they are victim of fraud.
Lloyd-White also confirmed the existence of the new Cyber Security Command Centre, and a clever phishing training programme which other companies may seek to copy.
“Were also investing in a Cyber Security Command Centre that brings all that monitoring into one place and gives us really sharp focus of what is happening on our networks and way we weren't able to do in the past," he said at the time.
He added on the phishing training that he and his team would "send out fake phishing emails with a link. If they click on the link, that takes them to the training package."
A spokesman later confirmed to SCMagazineUK.com that “the exercise started in spring 2015 and is still ongoing”, adding that the new Centre is designed to "safeguard our online services and networks against hackers and other threats."
“HMRC already has good cyber defences but, as the largest provider of online services in government, we are a high-profile target for cyber-criminals.
“In early 2015 we launched a new Cyber Security Command Centre to safeguard our online services and networks against hackers and other threats. The Centre carries out extensive monitoring in real time to protect against, detect and respond to cyber threats including opportunistic cyber threats or targeted intrusions.”
Quizzed on the use of the open-source Apache Hadoop software framework, the spokesman added: “Being able to do more with the data we hold, and faster, is crucial to delivering our ambitious plans to digitise services.
“A new Enterprise Data Hub (EDH) will be at the heart of data analytics in HMRC. We're currently consolidating the data from all of our legacy data warehouses into the EDH, which will use advanced security solutions to keep the data safe.
“By joining up and analysing data that we hold, we will be able to tailor services that we offer our customers to help the honest majority get their tax right, whilst allowing us to identify those who deliberately fail to pay what they owe.”
When asked about staffing, the spokesman said that HMRC had recently recruited "five new cyber-apprentices", while SC notes that the tax office is also currently recruiting for a cyber-security senior analyst. Speaking at the conference, Lloyd-White was keen to point out that the office is "much more diverse" than it used to be, albeit there is "still a long way to go."