Written by Vivian Cullen
Monday, 13 May 2013 10:40
New Aussie Rules on Data Breach Notification
Following closely in the footsteps of proposed new US and EU enforcement of compulsory breach notification, it appears that the Australian Government is getting ready to introduce its long-awaited and overdue notification scheme.
The release this month of the Exposure Draft Privacy Amendment (Privacy Alerts) Bill 2013 gives the strongest indication to date that the government is serious and ready to enact mandatory breach reporting from as early as July 2013, with a grace period for companies to comply. Australia doesn’t currently enforce a data breach notification law; within the existing system the federal government recommends that organisations notify the Office of the Australian Information Commissioner (OAIC) if a breach poses a “real risk of serious harm.”
The Exposure Draft provides the first real insight into the Government's approach to how the scheme might operate. According to SC Magazine, who first reported on the draft bill, ‘it appears to take a conservative approach in its demand for data breaches to be reported, with only classifications of serious data breaches considered’.
Proposed Notification Rules Under Draft Privacy Amendment Bill
- A data breach would be considered serious if an organisation is delinquent in its requirements under the new Australian Privacy Principles to take reasonable steps to secure customer personal information.
- Breached data, lost or stolen, would need to expose customers to a "real risk of serious harm" and could be subject to unauthorised access or disclosure.
- Repeat and serious offenders face financial penalties of up to $340,000 for individuals or $1.7 million for organisations. Small-scale offenders could be taken to court and fined up to $34,000 for individuals, and $170,000 for organisations.
- Organisations could also face fines if their outsourcer is breached under the draft bill. If personal information is sent overseas, the sender (as the guardian of the data) is required under APP 8.1 to reasonably ensure the receiving company does not breach privacy law.
- Data loss stemming from a lack of due diligence in protecting credit reporting and credit eligibility data was also considered a possible serious breach.
- Organisations could also face serious breaches if Tax File Numbers were lost or stolen without first being reasonably protected.
- Law enforcement departments were exempt under the draft bill to avoid risking prejudice against agency operations.
- Operators of the Personally Controlled Electronic Health Records must already report breaches and will not have to report again under the proposed laws.
Preparing for Breach Notification
Although rules pertaining to the breach notification law have yet to be finalised, the new reporting procedures on the horizon in Australia, the US and Europe require that businesses address data protection seriously and proactively prepare so that sufficient security controls exist. It’s a wake-up call for business to assess its data security requirements and implement adequate data security controls to address risks and improve efforts to prevent breaches.
The prospect of hefty penalties along with more stringent procedures may be an additional burden for many businesses, but it is deemed a necessary requirement for ensuring that the guardians of consumer and personal data become more compliant in their approach to protecting it.
In advance of legislation approval, organisations across all industry sectors need to assess their security controls and ensure that adequate measures exist to protect consumer data through improved review, reporting and control procedures for unsecured and sensitive data.
The current notice period gives organisations some breathing time to prepare and get their affairs in order by deploying best practice procedures and enforcing policies which will bring about more clarity and protection regarding the amount of unstructured and sensitive data that they own, where it is stored and how it could be compromised.
About PixAlert
‘Before You Can Protect Your Data, You Must Find It’
PixAlert deploys world-class, scalable enterprise data audit solutions which enable organisations to discover, classify and protect unsecured, critical data across enterprise-wide networks, helping businesses to manage risk, improve security processes and maintain compliance standards. For further information contact www.pixalert.com
Article Source: SC Magazine
Article Author: Vivian Cullen
Date: 08th May 2013
Last Updated on Monday, 13 May 2013 11:38
Written by Vivian Cullen
Friday, 26 April 2013 15:31
UK Public Sector Data Security Headaches
Reputational damage, financial & compliance failures highlighted as main concerns
UK state and local authorities face an enormous task when it comes to handling, sharing and managing public data and need to develop a more efficient approach to ensure that they are doing all within their power to protect the sensitive information that they control. Data loss or theft through human error or malicious intent is a costly and damaging occurrence, particularly at a time when increasingly high expectations in public office standards and expenditure are at the forefront of scrutiny.
An independently commissioned study of 227 UK public sector managers on their attitude to information security has revealed that data loss, and the consequent reputational and financial damage to their organizations, is posing a serious concern to ICT professionals. The study was collected from 247 unique public sector organizations including the NHS, City and local Councils, Universities, Trusts, Central and Local Government and the Police.
MAIN FINDINGS OF STUDY:
- 62% cited accidental data loss as the biggest threat to their security
- Respondents claimed that the most damaging consequences of a data breach were:
  - Reputational damage 31%
  - Financial consequences 20%
  - Compliance and policy issues 18%
- 50% were concerned that social media channels posed a significant risk
- 90% considered information security to be important when selecting business partners
- 66% believe information security is not only important but a high priority
- 93% frequently exchange information between agencies and business partners with 83% containing sensitive information
The encouraging news from this study is that there appear to be high levels of awareness amongst public sector organizations of the importance of information security and of their responsibility in protecting public data. However, this is tempered by genuine concern about the threat, consequences and penalties that arise if an organization falls victim to a breach.
The survey also suggests that public sector organizations think about security when partnering with other entities but aren't doing enough to secure these relationships. This highlights the need for better enforcement of security processes and policies by collaborating organizations to ensure better protection procedures against data loss and a clearer understanding of joint responsibilities.
All considered, the public sector has taken a big step in the right direction; however, as frequently reported by the ICO (Information Commissioner’s Office), many public sector organizations are still falling short by not taking the risks seriously and failing to implement adequate security measures.
TACKLING THE ISSUE
Through working closely with leading UK Public Sector thinkers, PixAlert has created an effective strategy for ensuring a common interpretation and application of UK public sector security requirements like the PSN/CoCo standard (Public Sector Network – Code of Communication), in addition to offering an essential data protection, risk assessment and compliance-enabling solution.
PixAlert takes a practical approach to saving vast amounts of time and resources through an efficient and easy-to-use data discovery, classification and continuous monitoring platform which can be configured in accordance with PSN CoCo and other data protection compliance guidelines. Through client-specific controls and protective classification markings, sensitive data can be appropriately stored, handled and secured while obscured risks are continuously assessed.
The solution allows public sector organizations to realise a greater return of investment through enhanced efficiencies which will help to measurably reduce costs and optimise resource time associated with managing critical data entities:
● Evaluate the true scope of controls and compliance procedures
● Enforce best practice standards
● Ensure that key information assets are secure and resilient
● Reliably protect and manage sensitive data.
Public Sector organizations need to embrace the benefits that can be gleaned through regular auditing practice and understand the broader and more positive implications that this process can deliver when integrated as part of an overall security programme. By demonstrating this, sensitive public data and the reputation of those responsible for managing it can be protected, data breach fines averted and optimum performance and efficiency value achieved.
For further information on PixAlert’s data auditing solutions contact PixAlert, or gain an immediate insight into data vulnerabilities by testing PixAlert’s free data auditor trial. www.pixalert.com
Report Source: Clearwater
Article Author: Vivian Cullen
Date: 29th April 2013
Last Updated on Friday, 26 April 2013 15:43
Written by Damien O'Donnell, Key Account Manager, UK & Ireland
Monday, 08 April 2013 11:24
Managing Illicit Network Images - Policy, Process & Enforcement
Research from Kansas State University on cyber-loafing (wasting work time on the Internet) and the effectiveness of user policies in dealing with the issue has found that corporate policy alone isn't a sufficient deterrent in managing cyber-loafing, and that a combined effort of sanctions enforced with policy and technology needs to be applied.
Cyber-loafing has become a real and persistent problem for many organisations, with suggestions that a preventative approach of acceptable use policies (AUP), combined with mechanisms designed to monitor employee internet usage and detect unauthorised usage, is the most effective way to manage the issue.
Employees’ misuse of company computer resources can lead to a host of problems for organisations, from lost productivity, wasted computer resources and virus infections to serious business interruption, reputational damage and security breaches leading to civil and criminal lawsuits. According to International Data Corporation, cyber-loafing (or skiving) is estimated to account for 60% of all online purchases made during working hours, and it is estimated that 25% of corporate internet traffic is unrelated to work.
Last Updated on Monday, 15 April 2013 16:15
Written by Gerard Curtin, CEO, PixAlert
Wednesday, 20 March 2013 11:12
Security Pros Upbeat on Data Protection & Risk Management Efforts
According to the annual 2013 SC Magazine Guarding against a Data Breach survey, more IT security leaders than ever think that their organizations are making greater strides in safeguarding critical corporate and customer data. However, optimism and good intentions don’t always stack up, particularly when the incidence of security breaches continues to escalate, generating negative publicity and imposing hefty financial penalties on organizations. With the rise in breaches, more respondents to this year's data breach survey agree that the threat of a breach, loss or exposure is greatly influencing their organization's security initiatives.
From the survey findings, the most significant factor affecting data protection strategy is statutory regulation. More organizations appear to be realizing the value of proactive data security initiatives, and having to comply with regulations like PCI DSS, HIPAA and ISO 27002 is driving them to implement improved measures rather than waiting for an incident or a failed security audit.
Last Updated on Thursday, 18 April 2013 07:40
Written by Niamh Hayes, Marketing Advisor, PixAlert
Wednesday, 27 February 2013 13:34
Lacklustre Data Security Practice under Scrutiny
The UK data protection watchdog, the ICO, has expressed its growing lack of tolerance for shoddy data security practice by calling for more extensive compulsory auditing of local government agencies and by advising businesses to adopt more preventative measures in protecting confidential customer information.
Compulsory Audits
According to the ICO, compulsory data protection audits of councils and the NHS are needed in order to eliminate basic errors. The Information Commissioner, Christopher Graham, told MPs that taxpayers were losing out when public bodies were fined for mistakes in handling sensitive information, and said that consensual voluntary audits had in some areas proved a success.
He went on to say that while the UK Department of Health was supportive in principle of audits in parts of the health service, the Department for Local Government remained to be convinced, and he hoped to persuade ministers of the value of audits. ‘Until local government gets the message, local council taxpayers will continue to be hit by civil monetary penalties for really stupid basic data errors’, commented Mr. Graham.
Last Updated on Thursday, 18 April 2013 07:40
Written by Vivian Cullen
Tuesday, 12 February 2013 09:12
Being Secure Equates to Smart Business Practice
Recent research from Deloitte has highlighted that firms in technology, media and telecommunications (TMT) are confident that they are safe from cyber attacks and data security breaches.
- 88% of companies surveyed don’t think they are vulnerable to an external cyber threat
- However 59% have experienced a security incident in the last year
- Just half have a documented response plan in place
In Deloitte’s sixth annual Global TMT Security Study, 68% of companies said they understood their cyber risks and 62% had a programme in place to sufficiently address them. Yet in the past year, over half (59%) said they had knowingly experienced a security incident. With this many successful attacks, companies should treat breaches as inevitable and invest significant time and effort in detection and response planning, so that they can bounce back quickly when a breach does happen. However, only half of companies have this type of planning in place.
Despite initial confidence in being safe from security incidents, 74% voiced concerns over third-party breaches, and 70% indicated that employee mistakes were a major threat, with lack of security awareness being cited as a major vulnerability. Only 48% of companies, however, offered security-related training.
Last Updated on Thursday, 18 April 2013 07:41
Written by Niamh Hayes, Marketing Advisor, PixAlert
Tuesday, 29 January 2013 09:34
The Legal Hazards of Data Breach
The 2012 Ponemon Institute survey of 583 US IT and IT security professionals found that 90% of the organisations they represented had suffered at least one data breach. Likewise, a recent report from Verizon found that 174 million data records were lost in 855 separate incidents. In the aftermath of a breach, apart from the damning financial, reputational and operational implications for a business, the consequences also create a myriad of litigation issues which need to be seriously considered when determining how to plan for and respond to a data breach.
The laws that apply to data breach litigation are still evolving and, until recently, consumer plaintiffs have met with little success in the courtroom, but this could change as consumers become increasingly aware of their data protection rights and as regulatory laws grant greater powers of enforcement. Courts may soon recognise that individuals have a reasonable expectation that their personal information will be properly protected and that a data breach violates this expectation.
Last Updated on Wednesday, 10 April 2013 09:11
Written by Gerard Curtin, CEO, PixAlert
Wednesday, 09 January 2013 12:12
Identifying the Weakest Link in Data Security Defence
It is widely acknowledged that organisations who make efficient use of their data are better positioned to gain competitive advantage in the marketplace. Data like intellectual property, sensitive customer information and credit card data can be a huge liability to an organisation if it falls into the wrong hands, is leaked or left lying dormant on a network.
In helping to improve the efficient use of data while also enhancing data protection and compliance standards, one information security expert claims that organisations need to take heed of the U.S. Department of Defense (DoD). According to Andrew Serwin, CEO of The Lares Institute, a think tank focused on technology, privacy and information governance, ‘the cyber risk is an asymmetric threat – organised actors who try to use information against us create an information imbalance to find the weakest link and then attack.’
That weak link may not necessarily be within the organisation. For instance, if a particular supplier doesn't follow the same security protocols as the company, an attacker could penetrate that supplier's defences and from there move up the chain into the network.
Information Superiority - Optimize Risk
According to Serwin, information and not technology is the underlying threat, and he advocates a doctrine that originated in the DoD, referred to as information superiority. The DoD commands and controls its information domain; applying this theory to private industry means prioritising the superior use of information in order to minimise data risk, increase profit, reduce costs and protect against reputational damage.
Last Updated on Tuesday, 16 April 2013 10:02
Written by Gerard Curtin, CEO, PixAlert
Wednesday, 19 December 2012 10:23
2012 The Year Of The Breach
A series of serious privacy events relating to the disclosure of government-held information has led NZ privacy commissioner Marie Shroff to label 2012 ‘the year of the data breach’ in the Commission’s recently published annual report.
The report singles out the Accident Cover Compensation’s (ACC) unintentional release of data on more than 6500 clients in March and the more recent leakage in the Ministry of Social Development’s kiosks. ‘The public sector can't afford to be complacent and it’s clear that agencies holding large amounts of personal information need to place greater value on that information asset’, stated Ms Shroff. ‘They need to develop strong leadership and a culture of respect for privacy, as well as policies and practices to provide trustworthy stewardship of our personal information at every level of the organisation.’
Last Updated on Wednesday, 10 April 2013 08:58
Written by Gerard Curtin, CEO, PixAlert
Tuesday, 11 December 2012 11:22
UK Local Government Lag Behind Private Industry on Data Protection Compliance
The UK’s information watchdog, the ICO, has warned that the NHS, local government and Whitehall bodies are falling behind the private sector when it comes to data protection compliance. This has sparked new concerns about personal data security in the public sector, re-emphasising the ICO’s call for new compulsory audit powers to stop breaches of the Data Protection Act.
In a recent interview, Louise Byers, Head of Good Practice at the Information Commissioner's Office (ICO) said there was an inherent risk in sectors like the NHS and local government because of the extremely sensitive information that they hold. This was one reason why the two sectors were receiving the bulk of data breach fines, which can reach up to £500,000 per penalty.
Last Updated on Wednesday, 10 April 2013 09:41
Written by Damien O'Donnell, Key Account Manager, UK & Ireland
Wednesday, 21 November 2012 13:38
Enforcing Robust Policies on Workplace Pornography - New Study Identifies Five Common Types of Employee Participation
Employers must have in place a strict policy regarding pornography in the workplace if they are to avoid legal action from sexual harassment and discrimination charges, according to a study by Craig Cameron of the Griffith University, Australia. Writing in the International Journal of Technology Policy and Law, Cameron identified five primary methods of what he refers to as pornography participation that require specific policies to protect both employer and employee in almost any jurisdiction.
According to Cameron, technology has allowed pornography to infiltrate the workplace, which now means that employment policies and rules must be put in place to ensure employees can enjoy their legal right to a safe workplace free of sexual harassment and discrimination. He has investigated the problem of workplace pornography from the perspective of Australian employment law but points out that the same technological and social issues are present in almost every country. His findings could point employers in Australia and elsewhere to the creation of a robust policy on the use of pornography in the workplace.
Last Updated on Monday, 15 April 2013 16:15
Written by Niamh Hayes, Marketing Advisor, PixAlert
Monday, 12 November 2012 12:47
Clock Ticking for Businesses to Face Up To Tougher EU Data Breach Penalties
EU businesses will face tough penalties for failing to secure personal data under proposed legislation which could see organisations facing potential fines of up to 2% of their turnover for breach of the new EU data protection law. The draft data protection directive, which is due to come into force over the next couple of years, will impose a raft of new obligations on businesses, including a statutory requirement to report data breaches.
Tighter Data Protection Rules
Under the proposed rules, businesses will be required to report any data breaches to regulators within 24 hours and to notify the public if data is at risk. The move would act as an incentive for businesses to improve the security surrounding their data. Within the US, breach notification requirements already work as an incentive to tighten security; however, the US law only applies to certain types of data, whereas in Europe the new legislation will apply to any data type.
Last Updated on Wednesday, 10 April 2013 09:48