Archive for the ‘Public sector security’ Category

Private vs. public sector IT security: more dedicated staff, yet less awareness

March 3, 2011

According to recent survey data, the private sector lags behind the public sector with regard to data protection awareness. David Cowan explains how firms can improve their IT security and avoid losing money, clients and reputation.


A recent survey commissioned by the Information Commissioner’s Office (ICO) revealed a remarkable difference between the public and private sectors’ approaches to Information Security. The research, carried out by Social and Market Strategic Research (SMSR), showed that the public sector was much more aware of the Data Protection Act principles than the private sector.

When asked to identify, unprompted, the main principles contained in the Act, the 7th Principle (‘Personal information is kept secure’) was mentioned by 60% of public sector organisations, compared to only 48% of private firms. A more striking divide appears in awareness of the Information Commissioner’s Office itself: 42% of private firms had not heard of it at all, a proportion that has actually increased from previous years. This was not the case for public organisations, where only 3% were unaware of the UK’s independent authority set up to uphold information rights in the public interest.

Despite this lack of awareness, the majority of private sector firms have more than 10 members of staff dedicated to information security-related duties, compared to an average of two in public sector organisations. Quantity, it seems, is not directly proportional to quality.

In reality, the public sector has had more reason to be data protection-savvy, because it handles large volumes of personal and sensitive data. The private sector should start following its example. Regulations have become stricter and ICO penalties tougher, with the authority now able to impose a fine of up to £500,000 for a serious breach. It is important, then, that all firms improve their awareness of information security, that they have an effective system in place for protecting personal and sensitive information, and that they are prepared to deal with any breach in the most appropriate manner.

Private organisations which deal with sensitive and confidential data – such as banks and law firms – should take these results as a wake-up call and an opportunity to learn from the public sector. They are, after all, the most at risk of suffering major consequences in the event of a breach of the DPA.

It is therefore important to understand the steps for improving Information Security. First of all, organisations must know what their information assets are and what risks are associated with them. They can establish this by assessing their Information Security Management System, in particular the controls surrounding the organisation’s information assets. The results can then be measured against the international standard for Information Security, ISO 27001, to identify weak points, areas of risk and possible corrective actions.

Once these have been identified, it is possible to plan remedial work covering policies, procedures and technology, as well as staff education and awareness, and to implement it as a continuous cycle. It is important to note that documents and technology alone cannot guarantee an improvement; they can, however, minimise information security risks.

Staff commitment, from senior management to the most junior employees, is the key to making all the controls and procedures work. If staff are not made aware of newly introduced policies and procedures, or are unwilling to cooperate, perhaps because they do not understand why they should change the way they have always worked, then no amount of technology can keep an organisation in line with the appropriate standards and regulations.

At the same time, management need to take strong ownership and underline the importance of data protection with a clear Information Security statement; their strategy should include disciplinary action for anyone who does not adhere to the policies. Investing time and effort in prevention will pay off more than insurance: the latter may cover some of the damages, but not the most important cost, the organisation’s reputation.

It is undeniable that although data security risks can be minimised, they cannot be completely eliminated – there will always be a human or technical error that results in sensitive data being lost, destroyed or disclosed. This, unfortunately, can happen in both the public and private sector, often even when all the appropriate measures are in place. The only sound response is to act in proportion to the identified risks: for instance, by making the data protect itself, not only through encryption but also through a data classification scheme that restricts access to authorised viewers only.

Information Security is not a final destination; it is a never-ending journey in which everyone, from senior management to service desk engineers, commits to an ethos of protecting personal information from loss, leakage and theft in a manner proportionate to the identified risks.


David Cowan, Head of Consulting Services

This article is published on Infosecurity UK: http://www.infosecurity-magazine.com/view/16319/comment-public-vs-private-sector-information-security/

Data security: controlling the risks – The EGB Masterclass

February 23, 2011

by Dan Jellinek, E-Government Bulletin

David Cowan

Public sector information security breaches often hit the headlines, but are public bodies really any worse than the private sector in this area? What are the main risks, now and in a future of ‘any time, any place’ access to systems through cloud computing, and how can they best be tackled? We ask David Cowan (pictured), Head of Consulting at IT services provider Plan-Net.

Q: What are the main areas of risk for public bodies in keeping their data secure?

A: Public bodies are subject to a plethora of regulations, standards and frameworks on data security due to the nature of the information they hold, and the associated risks of handling the sheer volume of personal or sensitive data. The main areas of risk are: staff failing to observe the organisation’s information security procedures; malicious activity from both internal and external sources, such as staff unlawfully selling or obtaining personal data, and external threats from fraud, or from crime syndicates or rogue groups using ‘phishing’ or social engineering; and organisations and staff not being aware of their legal obligations, such as the legal obligation to report an information security breach under the Data Protection Act.

Q: What is the scale of risk faced by public bodies?

A: It is difficult to quantify the scale of the risk, but even with all the controls, standards and regulations in place to reduce risk, it is still not possible to eradicate it altogether. The size and geographical spread of public sector organisations increases the risk of data leakage and malicious activity occurring, as does the reliance on recording personal information within huge databases across the public services.

Q: What are the potential consequences of security breaches?

A: The greatest risk to an organisation is the potential reputational damage which could occur as a result of an information security incident reaching the public domain. The Information Commissioner’s Office is now empowered to hand out large fines of up to £500,000 for serious breaches of the Data Protection Act, and there is the possibility of criminal prosecution depending on the severity and scale of the breach. Public bodies could even lose access to public sector frameworks and IT networks as a result of a perceived systematic breakdown in their processes and procedures. The impact on individuals and society could include a lack of trust in public sector organisations handling their personal information; loss of productivity; and individual distress or harm caused by a breach.

(Read the rest of this interview on E-Government Bulletin issue 329: http://www.headstar.com/egblive/?p=771 )
