Joe Public is being forced to pick up the bill for careless public sector organisations and local councils that incur fines as a result of data breaches. Information obtained under Freedom of Information (FoI) requests by IT storage firm Imation shows that public sector organisations are behind a dramatic increase in the number of data breach incidents, which have risen by 1,014 per cent since 2007.
Figures obtained by ViaSat UK from the Information Commissioner's Office also show that between March 2011 and February 2012, 730 data breaches were disclosed to the ICO, 467 of them from the public sector and 263 from private companies.
The result was a total of £790,000 in fines against eight local councils in England, Wales and Scotland, but only one fine, a nominal £1,000 against legal firm ACS:Law, was levied on a private firm. More responsibility needs to be taken by the public sector to reduce the volume of data breaches. The figures obtained are quite staggering and if I were in any way connected to the IT departments involved in these breaches I would be highly embarrassed – even from an outsider's perspective they make me quite angry.
Yes, data breaches are nothing new and we now live in a society where cyber attacks are a daily occurrence. However, this still doesn’t excuse the level of incompetence displayed by public sector organisations and local councils, which seem happy to accept a slap on the wrist while we, the public, are forced to pay for their mistakes.
Ultimately, a greater understanding of data security is needed. These organisations need to focus on the critical control points within their IT infrastructure and on where the vulnerable data within their systems lies. From this, processes need to be put in place for how that data is protected and how systems are evaluated and tested to ensure they remain secure.
It’s clear that the current controls in place aren’t working. Attackers are easily bypassing firewalls and authentication tokens, yet too much reliance is placed on them, with many firms failing to encrypt the data stored in online databases. To tackle this, it is now possible for all database records to be fully encrypted while remaining searchable, so there is no longer any excuse for leaving the information stored in your databases unencrypted.
The focal point to consider in all of this is that local councils and public sector organisations need to stop saying sorry for their mistakes and actually pay for them themselves. Paying out fines every time there is a breach might earn them a few morality points, but in terms of safeguarding and bettering the future position of their organisations, fines are a poor substitute. Education, understanding and investment are essential.