Government maintains poor governance, concludes a new survey

Clearswift is a company that helps organizations protect data rather than just networks. It has an interest in understanding how all organizations handle their data, and to that end it commissioned new research from Surveys in the Public Sector (SPS) into how the public sector in particular views and handles data security. Like other research published today, the results highlight a mismatch between understanding the threats and taking action against them. 

Clearswift looked at what worries organizations most – and reputational damage at 31% is the biggest concern. This is perhaps not surprising, suggested Guy Bunker, senior VP of products at Clearswift, to Infosecurity, given “the hammering the public sector gets from all sides – including the Information Commissioner – whenever data is lost.” Externally it is the reputation of the organization; but internally personal reputation is also on the line since heads will roll, he added.

More surprising is that only 20% of respondents are worried about the financial consequences of data loss. The cynical might consider that this is because the public sector has no money of its own – it is public money effectively underwritten by the taxpayer. Even lower on the list of concerns is ‘compliance’. When the two are taken in conjunction there is a strong implication that the data protection and compliance enforcement of the UK’s data protection regulator (the ICO) simply isn’t having any great effect.

Clearswift itself has a slightly different take, focusing on the issue of least concern: only 2% of respondents consider the loss of public sector data to be relevant to national security. “Considering the Government’s recent cyber-force call to action, this statistic is startling,” says the report. “The Government is investing heavily to get this right – in 2011 alone they pumped £650 million into cybersecurity. To ensure this investment was not in vain they must be more vocal about the consequences of inadequate information protection.”

The response that most intrigued Bunker, however, is the rise of social media as a means of communication within the public sector – and especially the use of Twitter and Facebook. The problem is that there appears to be little formal policy regarding their use. Less than 20% of organizations actually ban the use of Twitter by the organization, while 71% enable it. Of these, 23% consider it acceptable as both a personal and organizational tool within the workplace – despite what Bunker described as the ‘potential for ambiguity within a limit of just 140 characters.’

Facebook is less favored, with fewer organizations allowing it (62%) and more banning it (26%) – even though Facebook is intrinsically more secure because messages can be limited to friends, whereas tweets are open to the world. 

In reality, however, the rise of social media is merely symptomatic of a wider problem – the sharing of data with third-party organizations. These include social networks, file synchronization systems such as Dropbox, and more formal business partners and contractors. 93% of the respondents admitted to sharing sensitive information with external partners, while only 30% consider security a high priority when selecting those partners. This is despite a 2012 Verizon report finding that 98% of data leaks around the world stemmed from third parties. “93% of respondents regularly exchange information with agencies or business partners. Of this information, 84% contains sensitive material. With record numbers of security breaches costing UK organizations billions, it’s no longer an option to assume that someone else is looking after your data,” says the report.

“This research,” concludes Bunker, “brings home the fact that now, more than ever, public sector organizations need to think about their information security on a strategic as well as a tactical level. Educating PSOs and raising awareness as to how to identify and protect their critical information must today be a real focus.”
