Public sector security is a recurrent headline-grabber, and frequently not for the right reasons. Organisations, such as Local Authorities (LAs), have an important responsibility to safeguard the large amounts of public data that they hold.
Whether that data relates to social care services, education, council tax or marriages, it must be protected and kept out of the public domain.
This, however, is sometimes not the case. In the past two years, for example, 55% of UK LAs have suffered breaches of their official data. Of this group, the problem ranges from those that experienced just a single breach, to one LA at the extreme end of the spectrum that suffered 213 data breaches in the same period.
Although 34% said they had suffered no data breaches in the last two years, these statistics show the surprising lack of protection of personal data at a local government level.
If breaches were the only data protection issue to be addressed at this level, fixing them alone would be a significant challenge. The trouble is that the gaps in security do not stop there: many LAs do not appear to understand the data they hold, which is worrying in itself, because data that has not been located and classified cannot be protected to the right standard.
Recent Freedom of Information requests, answered by over 300 of the UK’s 433 LAs, revealed that over 60% of them do not know how much sensitive data classified as ‘official’ they hold, or where it is kept.
The research further revealed that 66% of LAs are unable to report on how much of the data they store is sensitive and, if it is, how it should be managed in relation to the new CESG official security classification guidelines.
The new security classifications (‘official’, ‘secret’ and ‘top secret’) were introduced by central government in 2014 to replace the Impact Level (IL) ratings. This change seems to have caused some confusion: many LAs appeared unsure how the old ‘IL2/IL3’ ratings map to ‘official’, and that uncertainty is likely reflected in their data governance plans.
UK councils appear to lack comprehensive knowledge of the security measures available to them, and are often unaware of the options that would both enable and improve the protection of their official data.
For example, there is a lack of clarity about where ‘official’ data is held, with 61% of respondents unable to say whether theirs is kept internally or externally. Only 2% reported that at least half of their ‘official’ data was held in the cloud, while 37% said the majority of their data was stored ‘on-site’.
Over half of UK councils are struggling to implement measures that will enable them to optimise, enforce and measure data security. When asked about their approach to security audits and their use of accredited security consultants, 45% revealed that they had no record of whether a security audit had taken place in the previous two years.
When asked whether they had used an accredited CESG consultant as part of their security compliance strategy over the same period, over 60% of respondents had no record of using one at all, with 39% using the CESG Listed Advisor Scheme (CLAS) on fewer than five occasions.
Room for improvement
This insight reveals a huge gap in the approach to data security within LAs across the UK, with a worrying majority lagging in their understanding of their own position, let alone bringing protection up to standard.
Fewer than half of them classify their data to an officially recognised standard and have regular audits in place to protect it. The rest are struggling – breaches are commonplace – and equally worrying is the serious lack of insight they have into their own situation. These LAs need to act very quickly, or more sensitive public data will be lost, potentially to criminal hands.
It would appear that in many cases LAs are not getting the guidance they deserve, and need help in order to prevent further breaches.
They typically do not have the resources or expertise that larger central government organisations have, and often need help from specialists, such as Managed Service Providers (MSPs) and CLAS consultants, in order to keep citizen data safe.
LAs also need to broaden their use of secure cloud-based services and technology to help them ensure that they are able to deliver improvements in data protection.
The data backup, disaster recovery and business continuity capabilities that cloud services support provide the resilience and availability that underpin data protection. They do not, on their own, prevent a breach of confidentiality: that still depends on knowing where the ‘official’ data is, controlling who can access it and monitoring that access, wherever it is held.
A well-understood and well-designed cloud service can therefore form a core part of a compliance plan that meets mandatory CESG data handling requirements.
There are many options available to LAs to help them improve their data protection, but how many more data breaches will it take to drive these changes forward?
Research carried out by Six Degrees Group, 2015. Data sample: Freedom of Information requests sent to 433 UK Local Authorities; research completed by March 2015. Replies were received from 302.