Comment: Public vs. private sector information security

42% of private firms have not heard of the ICO, whereas this number rests at only 3% for public sector organisations
42% of private firms have not heard of the ICO, whereas this number rests at only 3% for public sector organisations
David Cowan, Plan-Net
David Cowan, Plan-Net

A recent survey commissioned by the Information Commissioner’s Office (ICO) revealed that there is a remarkable difference between the public and private sector’s approach to information security. Data from research carried out by Social and Market Strategic Research (SMSR) showed that, in fact, the public sector was much more aware of the Data Protection Act principles compared with private sector.

When asked to identify, unprompted, the main principles contained in the Act, the 7th principle – “Personal information is kept secure” – was mentioned by 60% of public sector organisations, compared with only 48% of private firms. Moreover, a more shocking divide can be found in the awareness of the ICO’s existence: 42% of private firms had not heard about it at all, a percentage that actually increased from previous years – yet this was not the case for public organisations, where only 3% were not aware of the UK’s independent authority set up to uphold information rights in the public interest.

A lack of awareness, however, does not prevent the majority of private sector firms from having more than 10 staff members dedicated to information security-related duties, compared to an average of two in public sector organisations. Quantity is not directly proportional to quality, it seems.

In reality, the public sector has had more reasons to be more data protection-savvy due to handling large volumes of personal and sensitive data. The private sector should start following its example.

Regulations have become stricter and ICO fines are tougher, with the authority now able to impose a fine of up to £500,000 for a serious breach. It is important, then, that all firms improve their awareness of information security and have an efficient system in place for protecting personal and sensitive information, and to deal with any breach in the most appropriate manner.

Private organisations that handle sensitive and confidential data – such as banks and law firms – should take these results as a wake-up call and an opportunity to learn from the public sector. They are, in fact, the most at risk of suffering major consequences in case of a breach of the DPA.

Critically, it is important to understand the steps for improving information security. First of all, it is vital that organisations are aware of their information assets and the associated risks. They can do this by conducting an assessment of their information security management system, in particular the controls surrounding the information assets of the organisation. This can then be assessed against the international standard for Information Security, ISO 27001, to identify any weak points, possible corrective actions and areas of risk.

Once these have been identified, it is possible to plan remedial work that covers policies, procedures and technology, as well as staff education and awareness, implementing it on a continuous cycle. It is important to note that documents and technology alone are not enough to guarantee an improvement. They can, however, minimise information security risks.

Staff commitment, from senior management to the most junior employees, is the key to making the controls and procedures work. If staff are not made aware of new policies and procedures, or are not willing to collaborate (perhaps because they do not understand why they should change the way they have always worked), then no amount of technology can keep an organisation in line with the appropriate standards and regulations.

At the same time, management needs to take strong ownership and underline the importance of data protection with a clear information security statement; their strategy should include disciplinary actions for whoever does not adhere to the policies. Investing time and effort in prevention will pay off more than insurance, as the latter may reduce some of the damages, although not the most important cost – the organisation’s reputation.

It is undeniable that although data security risks can be minimised, they cannot be completely eliminated – there will always be a human or technical error that results in sensitive data being lost, destroyed or disclosed. This, unfortunately, can happen in both the public and private sector, even when all the appropriate measures are in place. In such cases, one can only act according to the associated risks, for instance by allowing data to protect itself not only through encryption, but through the implementation of a data classification system that restricts access to unauthorised viewers.

Information security is not a final destination. Instead, it is a never-ending journey where everyone from senior management to service desk engineers commits to an ethos in order to protect personal information from loss, leakage and theft in a manner that is proportional to the identified risks.

David Cowan, head of consulting services at Plan-Net, is a respected IT professional with over 11 years of experience in the industry. A hands-on project manager, Cowan has worked with some of Plan-Net’s biggest clients to deliver technically complex projects and manage change in major businesses and public sector organisations. Possessing excellent all round technical knowledge and a lateral, common sense approach to providing IT solutions, Cowan works across all aspects of the IT spectrum with a detailed understanding of ITIL, ISO/IEC 20000, ISO27001 and PRINCE2.

What’s hot on Infosecurity Magazine?