Many organisations worry that the data collection involved in concepts like the ‘Smart City’ will embroil them in an Orwellian nightmare of data security management. It should comfort public sector leaders to discover that it’s actually all about priorities.
In an increasingly digital world, public sector organisations can feel overwhelmed by security concerns, without fully understanding what is required of them in this area.
There is generally only a limited set of data within a council that requires strong security to be in place, for example around benefit or health records, or ‘at risk’ individuals; sensitive information that may also need to be shared between authorities and other services. It doesn’t mean that this level of protection should apply to all information though.
Profiling the risk and protecting accordingly is the most effective and cost efficient approach. Carefully considering value and sensitivity of your data is key. Is it only being accessed in a council office, is it taken home on a laptop, or viewed on a mobile device in a public space?
Assessing the risk that relates to information depends on, for example, the consequences of its loss, theft or exposure and the likelihood of that happening. For most everyday administrative business there could be inconvenience and embarrassment involved, but not compromise of sensitive personal data, major financial loss or risk to life.
In most cases, a data-security assessment will reveal that a local authority requires commercial good practice as recommended by CESG and in line with the relevant Codes of Connection for government services, with no additional measures necessary. This good security practice and suitable people training should provide adequate protection at an acceptable level of business risk and cost.
A security assessment of this kind is a great first step for local authorities that are working out how to manage their data-security requirements. The process ensures an organisation’s security measures and resources are proportionate to the amount of risk that exists, and are invested in the correct places.
Securing public services
At BT, we secure not only our own operations, but also those of many public and private sector organisations around the world at all levels of business risk. By providing assessments we can also make sure customers are aware of risk, threats, compliance, and the right level of mitigation..
At a more forensic level, organisations can benefit from a cyber maturity assessment in which we take a look at the state of an organisation’s network and IT estate, find any shortfalls or vulnerabilities and identify solutions.
For the majority of information, take reasonable precautions in line with the guidance from CESG and GDS. Standard off the shelf ‘COTS’ products and good security practice are generally perfectly adequate. As long as due diligence, as recommended in the Government Cloud Security Principles and Cyber Essentials, is undertaken there is also no reason why you could not host that data in an appropriate public cloud service.
Investing in the right security
Of course, investing in the right security technology is only part of the answer. People skills and the right processes are at least as important to maintaining responsible data security, so guidance to employees must be given. Make it clear, through a use policy, that where sensitive data is involved, it should only be accessed on a secure network and device, never on an unmanaged personal device, that devices (or paper documents) should not be exposed in public (ever marveled at what people are prepared to leave up on their screens on a train or a plane?) and that confidential phone conversations should be conducted where they can’t be overhead.
More sensitive records obviously require extra layers of security; such as encryption and restrictions on the ways in which the data can be handled. These are the ‘crown jewels’ of data and should have an appropriate security wrap, in terms of not only technology but also people training and processes. When out of the office, the data should be on a local authority managed device with appropriately secure communication. When the data is stored it should be in a suitably secured UK hosted data centre.
If you are holding information that you are aware is attractive to attackers, perhaps due to its sale value to criminals or potential to enable wider compromise, treat it appropriately and don’t assume that basic perimeter and anti-virus protection is going to be enough. Fast developing malware does not necessarily carry a signature that standard protections can recognise. It morphs and changes. More proactive ‘next generation’ security services could interrogate and scan traffic, identify anything out of the normal activity pattern, for example, then check it safely removing any suspect payloads.
Staying ahead of the game
Bear in mind, though, that no organisation can be 100 per cent safe. Hackers and criminal groups have become more refined in their approach. We are now seeing sophisticated multi-pronged attacks, in which, for example, a major denial of service attack is launched and while this is being repelled, another attack in a different area is carried out whilst the subject’s security analysts are distracted.
To stay ahead of the growing threat, organisations should conduct regular audits and assessments to establish what vulnerabilities exist and the value of risk they represent. Each organisation should have a data risk register which is reviewed regularly at board level. It is worth bearing in mind that should a breach occur, it is the council leader, for example, or organisation’s chief executive who will be asked to account for this; for their own reassurance they should ask their chief information officer or chief security officer to give them a comprehensive account of the information held and outstanding risks relating to it not mitigated by existing security measures. If they are dissatisfied with the answers then it is worth getting security arrangements independently reviewed.
As well as using a common sense approach to data security, separating it out to differentiate between security requirements makes economic sense, as you are not paying for levels of security that you don’t need. Some Councils could be spending overspending on security if a ‘highest common denominator’ approach is applied across the board. Equally, others may have pockets of sensitive information that represent an inadequately protected risk.
This is truly a situation in which common sense could save millions as well as better protecting vital information.
Neil Mellor, Public Sector Channel Director for Security at BT
Image Credit: Shutterstock/Titima Ongkantong