Public sector organisations, councils especially, can feel overwhelmed by security concerns, when in fact a security assessment may show that the majority of their activities require no more than commercial good practice. A security assessment can make sure an organisation’s security measures and resources are proportionate to the actual risk and are invested in the right places.
There is generally only a limited set of data within a council that requires strong security to be in place, for example benefit or health records, or records of ‘at risk’ individuals; information that may also need to be shared between authorities and other services. That does not mean this level of protection should apply to all information. Profiling the risk and protecting accordingly is the most effective and cost-efficient approach.
Information should be considered in two dimensions: how valuable or sensitive is it, i.e. what would happen if it were lost, leaked or exposed, and in what context is it used? Is it, for example, only accessed in a council office, or is it taken home on a laptop, or viewed on a mobile device in a public space?
For most information, take reasonable precautions in line with the guidance from CESG and GDS. Standard commercial off-the-shelf (COTS) products and good security practice are perfectly adequate. As long as the due diligence recommended in the Government Cloud Security Principles is undertaken, there is also no reason why you could not host that data in an appropriate public cloud service.
Of course, investing in the right security technology is only part of the answer. People skills and the right processes are at least as important to maintaining responsible data security, so guidance to employees must be given. Make it clear, through an acceptable use policy, that sensitive data should only be accessed on a secure network and device, never on an unmanaged personal device; that devices (or paper documents) should not be exposed in public (ever marvelled at what people are prepared to leave up on their screens on a train or a plane?); and that confidential phone conversations should be conducted where they cannot be overheard.
The risk attached to information depends on the consequences of its loss, theft or exposure and the likelihood of that happening. For most everyday administrative business the consequences could be inconvenience and embarrassment, but not compromise of sensitive personal data, major financial loss or risk to life. Good commercial security practice and suitable staff training should provide adequate protection at an acceptable level of business risk and cost.
More sensitive records obviously require extra layers of security, such as encryption and restrictions on the ways in which the data can be handled. These are the ‘crown jewels’ of data and should have an appropriate security wrap, in terms of not only technology but also staff training and processes. When out of the office, the data should be on a local authority managed device with appropriately secure communication. When stored, it should be in a suitably secured UK hosted data centre.
If you are holding information that you know is attractive to attackers, perhaps because of its sale value to criminals or its potential to enable wider compromise, treat it appropriately and do not assume that basic perimeter and anti-virus protection is going to be enough. Fast-developing malware does not necessarily carry a signature that standard protections can recognise; it morphs and changes. More proactive ‘next generation’ security services can interrogate and scan traffic, identify anything outside the normal activity pattern and check it safely, removing any suspect payloads.
Bear in mind, though, that no organisation can be 100% safe. Hackers and criminal groups have become more refined in their approach. We are now seeing sophisticated multi-pronged attacks in which, for example, a major denial-of-service attack is launched and, while it is being repelled, another attack in a different area is carried out while the target’s security analysts are distracted.
To stay ahead of the growing threat, organisations should conduct regular audits and assessments to establish what vulnerabilities exist and the level of risk they represent. Each organisation should have a data risk register that is reviewed regularly at board level. It is worth bearing in mind that should a breach occur, it is the council leader or the organisation’s chief executive who will be asked to account for it; for their own reassurance they should ask their chief information officer or chief security officer for a comprehensive account of the information held and of the outstanding risks relating to it that are not mitigated by existing security measures. If they are dissatisfied with the answers, it is worth having the security arrangements independently reviewed.
BT secures not only our own operations but also those of public and private sector organisations around the world at all levels of business risk. By providing assessments we can also make sure they are aware of risks, threats, compliance and the right level of mitigation. To run a security audit, BT will identify what the appropriate levels of security should be for each part of your organisation. At a more forensic level, organisations can benefit from a cyber maturity assessment in which BT examines the state of an organisation’s network and IT estate, finds any shortfalls or vulnerabilities and identifies solutions.
Separating data out by its security requirements is not only a common sense approach to data security but also makes economic sense, as you are not paying for levels of security that you do not need. Some councils could be overspending on security if a ‘highest common denominator’ approach is applied across the board. Equally, others may have pockets of sensitive information that are inadequately protected. This is truly a situation in which common sense could save millions as well as better protecting vital information.
Neil Mellor is BT’s Business Development Director for the Public Sector