
HMRC cybersecurity investment misses the point


HMRC is investing heavily in cybersecurity resources, skills and training – but its investment is focused on its own staff and not where the real problem lies: with us.

2nd Jun 2021

When asked why he robbed banks, Willie Sutton famously replied, “Because that's where the money is.” When considering why cybercriminals target HMRC, the same answer could just as easily apply.

But things are rarely as simple as they appear. HMRC collects far more in payments than it pays out. While vulnerabilities could exist within HMRC's own systems if they were compromised in any way, a sudden change in the pattern of outbound payments would be simple to spot.

This is why most cybercriminals focus on intercepting funds being paid into HMRC – most commonly by impersonating HMRC or spoofing its systems. HMRC is well aware of this and actively works to shut down spoof sites.

HMRC is one of the most impersonated organisations in the UK for cyber scams – Covid-19 has sparked a 73% surge in HMRC-branded phishing scams.

More needs to be done to prevent this kind of fraud because, unlike the private-sector organisations that we all trade with, HMRC ultimately answers to us – the taxpayers – and should be doing more to protect us.

Getting its own act together

HMRC recently announced that it had spent £262,251 on cybersecurity training for its staff over the last two financial years. As an indication that it is taking the cyber threat seriously, this is to be applauded, but the way in which the money was invested is revealing:

  • All HMRC staff (approx. 9,500 according to the FOI response) were made to complete a compulsory course on ‘Phishing attacks’, which was free of charge.

  • 12 members of the Chief Digital and Information Officer Group became certified in the Art of Hacking (at a cost of £15,978).

  • Seven staffers did a residential course to become a Certified Cloud Security Professional (at a cost of £34,103).

  • 11 staffers went on a six-day boot camp to become a Certified Information Systems Security Professional, two trained to become certified in Ethical Hacking, and nine enrolled in an ‘introduction to Cyber Security’ course (this accounted for the bulk of the training budget).

About 80% of all threats can be countered by a combination of phishing training and the implementation of multi-factor authentication (MFA) on systems like Office 365 (take note). It is therefore great to see that all HMRC staff have had phishing education and that this was at no cost to the taxpayer.

Understanding how hackers think and work is potentially useful, but it is not clear how being certified in Ethical Hacking is of real value. Organisations normally engage independent ethical hackers to conduct penetration testing.

The reason for this is that your own staff tend to focus mainly on the systems and vulnerabilities that they are already aware of, whereas independent contractors will have a fresh perspective and seek to gain entry by other means. They are thus far more likely to uncover vulnerabilities that HMRC is not yet aware of and is unlikely to find on its own.

However, the fact remains that hackers are almost all focused on intercepting funds being paid into HMRC rather than out of it. Given the recent 73% spike in HMRC-branded phishing scams, many related to Covid-19, this is where HMRC's real focus should be.

HMRC needs to step up its awareness campaign to warn taxpayers of the danger from such scams and possibly also needs to extend its free phishing training to them as well.

Replies (5)


By flightdeck
03rd Jun 2021 09:52

For an organisation of that size (66,000 people work there) those staff training numbers are minuscule.

And "nine enrolled in an ‘introduction to Cyber Security’ course (this accounted for the bulk of the training budget)" also shows us that, again, relative to their size they are putting basically no meaningful resources into security.

Thanks (1)
By [email protected]
03rd Jun 2021 10:00

£262K for an organisation the size and complexity of HMRC? They must spend more on coffee and biscuits than that!

Thanks (3)
By OrmeGoat
03rd Jun 2021 10:08

Marketing bull****.

Thanks (1)
By johnjenkins
03rd Jun 2021 11:48

The scammers don't just do HMRC and taxpayers. The reason why they have had more success with HMRC is that people are more afraid of authority and tend to do what they say.
Is our technology in this country so poor that we can't find out who the scammers are and do something about it? The answer has to be banks, as they are normally the ones into which the money magically disappears.
Although I've heard of a new one to do with Government grants whereby you go down to Asda and buy a voucher, scratch off the number and phone it through to the scammer so you can claim your grant that doesn't need to be repaid.

Thanks (1)
By Hugo Fair
03rd Jun 2021 11:50

Despite the title (with which I agree), the article also misses the point (or rather several of them)!

The mistakes supposedly tackled via this 'investment' are like awareness training, which might be a first step but is hardly going to change the near-daily breach of guidelines by more junior staff (and not just in HMRC) that percolates through to the systems encountered by the public.

Due to its non-ministry status, there is no real oversight of HMRC and very little evidence of effective governance (particularly regarding all aspects of its interaction with the public).

I've no idea of its budget or processes for 'dealing with phishing scams', but I've yet to see evidence over the last 10 years when using their report-a-scam email address of it ever leading to any action.

In the meantime, as ignored by the article, the vast majority of these scams are not aimed at diverting funds being paid to HMRC, but at identity theft ... and this will only increase if HMRC insist on introducing (with little advance warning and no thought for security) policies that require individuals to send copies of their passport and other docs to an anonymous Dropbox, whilst warning them they have only days to comply. This might just as well have been copied straight out of the bad guys' handbook!

Thanks (2)