Beware the breach
This article first appeared in Local Government Executive on 26 October 2015.
Protecting the confidentiality of data held by local authorities and public sector organisations is a critical priority, especially as we enter a period of uncertainty about how our ageing national IT infrastructure is going to survive the coming ‘internet of things’ – and the onslaught of attacks that will follow.
Unfortunately, many authorities are already falling short of the required standard. Between June 2013 and April 2015, the Information Commissioner’s Office issued 28 penalties for serious contraventions of the Data Protection Act; of these, local councils received five, and publicly funded organisations received 14 – meaning that between them, they accounted for over 67 per cent of serious data breaches.
Worryingly, findings from a recent Freedom of Information request by Six Degrees Group also showed that over a two-year period, 55 per cent of local authorities suffered a breach, and that 60 per cent of these were unaware of how much sensitive data they held, or even where it was kept.
Consequently, there is an urgent need for managers to integrate, optimise and audit data security. Fortunately, systems are available that can largely automate this process – a must for the already overworked IT department.
How are local authorities going to protect themselves – and their data – from breaches?
Well-used services such as ShareFile, Dropbox, Google Drive and SharePoint can only guarantee protection of exchanges between clients and servers – not between the communicating parties themselves. In short, this means that there would always be the possibility of a data breach, because there would always be a gap in the encryption.
The very best defence is provided by custom-built software and equipment that gives users full control over their platform without any outside interference. But a strong defence isn’t effective if authorities don’t know where the data is. This means that solutions should offer detailed file auditing and tracking, alongside rich security features such as end-to-end encryption and zero-knowledge privacy, which ensures the uninterrupted storage and sharing of data without the possibility of it being read by unauthorised parties.
Because local authorities and public sector organisations hold data that could be a lucrative target for cybercriminals, stringent safeguards are needed to protect them against breaches. This is especially true when you consider that a growing trend over recent years has been the uptake of agile, home working and remote access, coupled with employees bringing their own devices such as smartphones and laptops into the workplace. This can pose a huge risk to network security, unless data confidentiality is taken seriously – and that is a legal obligation. Under the Data Protection Act, individuals can expect that their personal data will be treated appropriately and it will not be misused or disclosed to unauthorised parties.
All local authorities should have an information security programme that follows the Government security policy framework and risk assessments for their data that cover the requirements of HMG IA Standard No.1, which together will help to ensure compliance with the regulations covering the management of data, and to neutralise emerging risks such as the increased use of personal devices at work. Ideally, a designated security officer should be appointed, the risks identified, and policies and procedures put in place to mitigate them. Compliance with these standards should be stringently enforced, and staff should be made aware of their responsibilities, supported with education and training.
Even when authorities have secured their own devices and workforce, care should be given to choose the right partner for data and security management. Your goals should be clear so the provider – who should have recognised security certifications – can understand your environment and guide you through compliance requirements.
You should also research a partner’s past performance and industry reputation, as the best will not have had any breaches of customer data, instead protecting their clients’ confidentiality through the use of leading-edge technology and robust security controls. The provider should be upfront and transparent about how their system works and how it is secured. They should publish their compliance data and promptly deal with any bugs or vulnerabilities reported to them.
In addition to the security aspects of a partner’s service, you should be happy with the technical support provided: are you going to be pointed to a public support forum if you have an issue, or are they going to pick up the telephone and talk it through?
Cloud computing is now a viable commercial option for local authorities due to advancements in security and technology, reduced cost and the Government’s drive to move traditional infrastructure on to the cloud. The Cloud Industry Forum expects 2015 to see cloud adopters increasing by 15 per cent.