Data security and the public sector: it never rains but it pours

Opinion by Denis Sennechael

On the face of it, you might be tempted to say that the public sector gets more than its fair share of data breaches, and following the spate of fines from the Information Commissioner's Office (ICO) this month, there is clearly an issue here.

Public sector organisations frequently employ large numbers of people carrying out a large number of diverse roles. Naturally, the more people that an organisation has, the trickier it becomes to manage the IT systems for all employees.

It quickly becomes a complex web of files, applications, access rights and communications tools; the juggling act that IT departments and CIOs in the public sector face is no doubt huge.

However, the news from Cheshire East in particular highlights the risk that human intervention can bring to data security and the need for organisations to ensure that employees have the right tools for the job.

To recap: rather than sending a sensitive email through the council's secure system, an employee sent it using her own webmail account. The email contained information on an individual the police had concerns about. Due to it being sent over an unsecured system, the email was seen by a further 100 recipients where it would otherwise have been blocked.

Tellingly, the employee claims that the reason she sent it in this way was because the intended legitimate recipient did not have an appropriate email account to receive the information, and that using the council's secure email system would have prevented the information from being sent as intended.

Being able to transfer data from one place to another is essential to the running of any modern organisation; and with many organisations spread over large areas and increasingly taking up remote working, it would be unfeasible to work without quick and efficient data transfer.

However, there is no reason for it to be insecure. Cheshire East clearly had an email system that was secure, but the problem was that it was obstructive to the performance of day-to-day tasks.

It is absolutely vital that employees are empowered and able to follow data-protection policies. It is utterly self-defeating to have an excellent data-security policy if it is combined with technology and software that interfere with following it.

For example, an organisation's requirement for all files to go through its encrypted email servers becomes completely redundant when the files being transferred are too large to be transmitted or can't be received by the recipient.

This kind of technical deficiency is exactly what frustrates employees and leads them to use insecure channels to carry out their jobs, as was the case in Cheshire East. An email security system that interfaces into the organisation's default email client (for example, Outlook) with a comprehensive policy enforcement engine would enable large files to be transmitted securely, while security policies and procedures are automatically adhered to.

Protecting valuable data is paramount to any organisation and the real challenge is being able to manage this data effectively. In order for an organisation to gain real value from its data, secure systems need to be implemented to not only manage but provide a holistic view of the data so that it can be used for competitive advantage.

A sad fact of life for network and security managers is that despite their efforts to create systems that are perfectly designed and executed, people are still capable of making mistakes. Almost inevitably, data loss is most likely to be caused by human error – whether through ignorance or negligence.

This means it is especially important that employees working with sensitive and valuable data are not only properly educated about their role and responsibility with regard to the Data Protection Act, but are suitably equipped with the technology and tools that can help to prevent human error from leading to serious data breaches.

Denis Sennechael is vice-president of EMEA sales and operations at Axway
