Managing information security
James Bindseil examines IT security policy in the public sector and the threats faced.
Public sector IT policy has adapted rapidly to change over the past few years. Many local councils now use cloud services for email and calendars, and many other bodies, such as the NHS, use the cloud for data storage and sharing. These changes have been accompanied by a clear increase in risk. According to the Information Commissioner's Office (ICO), data breaches rose by 7.1 per cent between 2013 and 2014. As more and more public sector organisations move their systems into the cloud, attackers and malware adapt to follow them.
Public sector data breaches
When a data breach does unfortunately happen, public criticism is always high. Just recently we saw public outcry when it was revealed that the Birmingham-based company Diagnostic Health had been keeping the details of 10,000 NHS patients unencrypted. The police service has also had its share of problems. The Metropolitan Police Service, for example, suffered 300 data breaches between 2009 and 2013.
Unfortunately, the insecure management of files and data is not a new issue, but the explosion of the cloud and an increasingly mobile workforce has exacerbated the threats for the public sector.
The cloud
The cloud is not nearly as risky an option as many might think. However, it is far from impervious to attack; therefore, a layered security approach, part cloud and part on-premises, remains the safest means of protecting sensitive public sector data.
Storing files offline does come with many advantages. The Coca-Cola Company, for example, stores its secret recipe in a state-of-the-art steel vault in Atlanta in the US, complete with round-the-clock security. With the recipe locked away in a physical vault, potential thieves will be more deterred than if they were given the challenge of accessing the file in the cloud.
Locking files away in a vault is not a viable option for public sector organisations. However, physically taking files offline in an on-premises security solution is still one of the most reliable means of securing them. Yet in the modern-day workplace, and within public sector organisations where remote access can be critical, this is not an entirely realistic approach. A good cloud service provider can make its systems secure, but that security can be accidentally compromised by the actions of employees.
The remote workforce
Within a public sector organisation with multiple centres across the region, having a remote and mobile workforce is a necessity. Limiting risk is much more difficult when an increasingly remote workforce regularly takes work home on their laptops and mobile devices. By increasing mobility and accessibility, organisations not only increase productivity, but also introduce more risk and provide outside agents like hackers with more access points to get hold of sensitive data, increasing the necessity for strong governance.
Handling of data
The Data Protection Act 1998 was created to protect personal data, such as name and address, and sensitive data, including medical condition, religion and ethnic origin, stored on computers or in an organised paper filing system. Non-compliance runs serious risks.
The security concern in the public sector is that the remote workforce is entrusted with that personal and sensitive data. A number of common practices are threatening the security of data, including the use of public cloud platforms, sending emails across unsecured networks and the use of unencrypted mobile devices:
Using cloud-based box file sharing solutions to store sensitive data on consumer-grade systems, where there is no option for appropriate security classification, is simply irresponsible. The most basic threat these cloud providers pose is that data can be gathered from files on their systems, as is stated in their terms and conditions. Our research has shown that a staggering 45 per cent of employees have used consumer sites for sharing confidential work-based information.
Sending confidential data using a personal email account personal email accounts a