HMRC cybersecurity investment misses the point
HMRC is investing heavily in cybersecurity resources, skills and training – but its investment is focused on its own staff and not where the real problem lies: with us.
When asked why he robbed banks, Willie Sutton famously replied, “Because that's where the money is.” When considering why cybercriminals target HMRC, the same answer could just as easily apply.
But things are rarely as simple as they appear. HMRC collects far more in payments than it pays out. While vulnerabilities could exist within HMRC's own systems if they were compromised in some way, a sudden change in the pattern of outbound payments would be relatively easy to spot.
This is why most cybercriminals are focused on seeking to intercept funds being paid into HMRC – most commonly by seeking to impersonate HMRC or spoof its systems. HMRC is well aware of this and actively seeks to shut down spoof sites all the time.
HMRC is one of the most impersonated organisations in the UK for cyber scams – Covid-19 has sparked a 73% surge in HMRC-branded phishing scams.
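The spoofing described above usually relies on dressing a hostname or path up with "hmrc" or "gov.uk" so that a link looks official. The following is an added example (not code from the original article, and not anything HMRC operates) showing the one check that settles it: whether the registrable domain of the link actually is gov.uk. It assumes that genuine HMRC pages sit under gov.uk (for example tax.service.gov.uk); the sample URLs are constructed for the example, not real phishing data.

```python
"""Added example: flag links that impersonate HMRC by abusing the government domain.

Assumption (not stated on the page): genuine HMRC pages live under the
registrable domain gov.uk. Anything else is not HMRC, no matter how much
"hmrc" or "gov.uk" appears elsewhere in the link.
"""
import re
from urllib.parse import urlparse

GENUINE_DOMAIN = "gov.uk"  # assumption: where real HMRC services live


def registrable_domain(host: str) -> str:
    """Return the last two labels of a hostname, e.g. 'tax.service.gov.uk' -> 'gov.uk'.

    Sufficient for gov.uk; a full public-suffix list would be needed for
    general use (e.g. 'co.uk' is a suffix, not a registrable domain).
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify(url: str) -> str:
    """Classify a link as 'genuine', 'lookalike' or 'unrelated'.

    'lookalike' means the registrable domain is NOT gov.uk, but the netloc
    (including any user@ prefix) or path carries 'hmrc' or 'gov.uk' text
    to make the link look official. Punctuation is stripped before the
    text check so 'hmrc-tax', 'gov.uk' and 'gov_uk' are all caught.
    """
    parsed = urlparse(url if "://" in url else "http://" + url)
    host = parsed.hostname or ""
    if registrable_domain(host) == GENUINE_DOMAIN:
        return "genuine"
    decoy_text = re.sub(r"[^a-z0-9]", "", (parsed.netloc + parsed.path).lower())
    if "hmrc" in decoy_text or "govuk" in decoy_text:
        return "lookalike"
    return "unrelated"


# Constructed sample links, not real phishing data.
SAMPLE_LINKS = [
    "https://www.tax.service.gov.uk/personal-account",   # genuine
    "http://hmrc-refund-claim.com/gov.uk/login",         # decoy path
    "https://gov.uk.hmrc-tax-rebate.net/",               # gov.uk as a subdomain
    "https://www.gov.uk@hmrc-login.example/",            # gov.uk as userinfo
    "https://example.org/news",                          # unrelated
]


def triage(links):
    """Return {url: verdict} for a batch of links."""
    return {url: classify(url) for url in links}


if __name__ == "__main__":
    for url, verdict in triage(SAMPLE_LINKS).items():
        print(f"{verdict:10} {url}")
```

The check deliberately ignores how convincing the page content is and keys only on the registrable domain, which is the one thing a spoof site cannot forge. It does not handle homoglyph hostnames (internationalised "xn--" labels that render like Latin letters); those need a separate check on the decoded hostname.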
More needs to be done to prevent this kind of fraud because, unlike the private-sector organisations that we all trade with, HMRC ultimately answers to us, the taxpayers, and should be doing more to protect us.
Getting its own act together
HMRC recently announced that it had spent £262,251 on cybersecurity training for its staff over the last two financial years. As an indication that it is taking the cyber threat seriously this is to be applauded, but the way in which it was invested is revealing:
All HMRC staff (approx. 9,500 according to the FOI response) were made to complete a compulsory course on ‘Phishing attacks’, which was free of charge.
12 members of the Chief Digital and Information Officer Group became certified in the Art of Hacking (at a cost of £15,978).
Seven staffers did a residential course to become a Certified Cloud Security Professional (at a cost of £34,103).
11 staffers went on a six-day boot camp to become a Certified Information Systems Security Professional, two trained to become certified in Ethical Hacking, and nine enrolled in an ‘introduction to Cyber Security’ course (this accounted for the bulk of the training budget).
About 80% of all threats can be countered by a combination of phishing training and the implementation of multi-factor authentication (MFA) on systems like Office 365 (take note). It is therefore great to see that all HMRC staff have had phishing education and that this was at no cost to the taxpayer.
Understanding how hackers think and work is potentially useful, but it is not clear what real value certifying in-house staff in Ethical Hacking adds. Organisations normally engage independent ethical hackers to conduct penetration testing.
The reason for this is that your own staff tend to focus mainly on the systems and vulnerabilities that they are already aware of, whereas independent contractors will have a fresh perspective and seek to gain entry by other means. They are thus far more likely to uncover vulnerabilities that HMRC is not yet aware of and is unlikely to find on its own.
However, the fact remains that attackers are overwhelmingly focused on intercepting funds being paid into HMRC rather than out of it. Given the recent 73% spike in HMRC-branded phishing scams, many related to Covid-19, this is where HMRC's real focus should be.
HMRC needs to step up its awareness campaign to warn taxpayers of the danger from such scams, and possibly also extend its free phishing training to them.
Founder and CEO of CrisisTeam.co.uk (SiliconANGLE global Startup of the Week – May 2019), an elite team of experts in incident response, cyber law, reputation management and social influence that help clients minimize the impact of cyber incidents. Previous cloud strategist at UKCloud (the...