Records management company Iron Mountain have just published a report on public sector agencies, revealing that around 40% have suffered a data breach. It also noted that information security teams are under-resourced, lacking in the required skills or are performing roles above their grade. Considering the legal implications of a breach, let alone the potential damage caused, these are worrying statistics.
In the UK, the Data Protection Act is a powerful piece of legislation used to protect personal information. While the act has been in place since 1984, it was extensively updated in 1998 and continues to be used to convict individuals, businesses and even charities of various crimes which go against its principles. The most famous example of this being the News of the World phone hacking scandal which hit the headlines in 2014.
In recent decades, the public have become more informed about their rights regarding their personal information. Local government departments such as social services, the police and any other holding personal information have become so frequently bombarded with ‘subject access requests’ and similar queries that most now employ someone solely for this task.
The watchdog set up to monitor compliance with the act is the Information Commissioner’s Office (ICO), who also have the power to take organisations to court and fine them when they are found in breach of the act. High profile examples include SONY who were fined 250,000 in 2012 when the personal data on their PlayStation Network was stolen by hackers and SONY were found to have not taken ‘appropriate technical measures’. Another was the charity British Pregnancy Advice Service, who were fined 200,000 this March for the theft of data obtained through their website. In August this year even the Ministry of Justice was fined 180,000 for the failure to properly protect prisoner information, by not encrypting the data. Interestingly, one of the highest fines documented was Brighton and Sussex University Hospitals NHS Trust, who were fined 325,000.
In a report of ICO audits carried out in 2013, 0% of the local authorities audited were found to have the highest level of data protection assurance, while 56% had ‘reasonable assurance’ and 38% ‘limited assurance’. With regards to web security, one case study was selected as having good practices in place:
‘It uses a computer-aided vulnerability assessment tool to identify risks to the network (eg open ports or missing security patches). The council has recently completed firewall and penetration testing.’
The UK public sector in general has been under particularly high pressure under the current government so it’s important for security solutions to be as straightforward and low cost as possible. Information Security officers can take examples such as the above to put measures in place which satisfy data protection criteria, while remaining within department budgets. To prevent data breaches caused by a hack attack, a vulnerability detection tool (i.e a web vulnerability scanner) can be used to identify any existing flaws and a penetration tester can be brought in from time to time to confirm that web security measures are sufficient.
Apart from mitigating these external threats, it’s vital that staff are trained, proper processes are put in place and that those tasked with information security have the necessary skills and training for the job.