After years of embarrassing data breaches and worrying cyber attacks, cyber security is finally rising up the government agenda. Over the next four years, £650 million is expected to be spent establishing a new National Cyber Security Programme. Such funds are required to not only help keep the government, but also UK businesses and the public safe from the countless security threats.
In a bid to save £1.7 billion a year, the Government is throwing its backing behind the ‘digital by default’ strategy. In order to see these cost-savings, the Government aims to make many services available online, thereby saving money and increasing efficiency. It’s a great idea and certainly the only option for a progressive country. After all, 82 per cent of the UK population are online and this number will only rise over the coming years.
With this backdrop set, Clearswift recently surveyed 277 people across public sector organisations to uncover their attitudes towards information security. Here we look at some of the findings from the research.
Perhaps unsurprisingly, accidental data loss is perceived as the biggest threat to organisations, with 62 per cent of respondents selecting it as their main concern. Essentially, they hold data on everyone in the country, so they have a lot to lose. They also face particularly harsh financial penalties if they fall victim to data breaches, which can act as a tool to encourage the development and adoption of secure policies and practices, even if it is somewhat forceful.
In the event of a data leak, the greatest worry the respondents had was about reputational damage to the organisation (31%), followed by financial consequences (20%), with policy or compliance issues coming in third (18%). However, it is interesting to note that virtually no one considers this type of data loss to be a threat to national security.
This statistic is alarming when you consider the Government’s recent call to action and cyber strategy. Nevertheless, it is understandable, given the general level of confusion surrounding the definition of critical information and how to best respond to cyber-attacks.
Arguably, the most interesting trends revealed by the survey are those relating to organisations’ attitudes to social media and third parties. There is no doubt that social media is fast becoming entrenched within organisational communication strategies, but there is still a great deal of confusion surrounding its application and function.
Half of respondents are concerned that social media channels could pose significant risks to their IT security. And yet 38 per cent do not have an organisational strategy in relation to their outbound communication technologies. This simply opens the door for damaging mistakes to be made.
The vast majority (90%) of respondents consider information security to be important when selecting business partners or third-party collaborators. What is alarming is that ten per cent don’t. This is a rather foolhardy approach to security, especially when you consider that 84 per cent of information exchanged with third parties was described by our respondents as ‘sensitive material’.
The research has shown that despite a greater understanding of security requirements for the sector, there is still a shortfall when it comes to dealing with third parties and social media. With the increasing reliance upon social media, as well as outsourcing and money saving within organisations, security can often take a back seat. This simply should not be the case.
So what should public sector organisations do when it comes to implementing information security strategies?
It is clear that public sector organisations are aware that failure to manage security can result in serious damage: not only to reputation, but also financially. Increasing staff awareness and training is one of the most cost-effective ways of reducing the risk of data loss and improving the organisation’s security posture.
Putting additional policies in place – especially those around data sharing with third parties and use of mobile devices (specifically BYOD) – without educating staff will simply fail to reap the desired results. Instead, education must take place at every level of the organisation, from the very top down – and outwards, too – to partners, suppliers, consultants, other third parties and even the ‘customer’ (citizen).
Last but not least, the research highlights an urgent requirement for improved information governance to track the information that’s created and shared. IT security is no longer focused solely on records sitting in a database – it’s about the diversity and fluidity of information, the communication channels and the social networks used to disseminate it.
New, and better, ways of working must be explored and developed. The path to robust information security in 2013 involves training, education and awareness, coupled with stringent policies, both paper-based and technological, for employers and employees alike.
Taken in its entirety, our research shows that the public sector has taken a large step in the right direction when it comes to matters of information security, but there is still work to do. Clearly, some public sector organisations are still not taking the risks seriously or understanding the consequences of not putting adequate measures in place. These are the ones we are likely to hear about in the future, and most likely for all the wrong reasons.
Start today – review current security policies and identify gaps that have crept in because of new working practices such as those around BYOD and social networking use. Put an action plan together, with a timeline to fill the gaps. Communicate the new policies and make employees aware of the potential consequences, in terms of brand damage and legislative fines, should they not be adhered to. Start building an information-aware workforce that understands security issues and the ways to mitigate them.