UK councils must get their cyber security ‘act together’ according to Colin Tankard, Managing Director of data security company, Digital Pathways
Human beings are always the weakest link in the cyber security arena and the only way to stop this is by providing excellent training and awareness programmes, according to Tankard.
He says, “My experience of working with these organisations is that, more often than not, the data owners or managers of departments do not consider who has access to their data and they leave the decisions to the IT Department expecting them to know who can access the data and what they can do with it. Then, when things go wrong, it is the IT staff that get the blame. This is wholly inadequate and short-sighted.”
The recent report by Big Brother Watch, which was based on freedom of information requests, highlighted the extent of cyber attacks carried out on 114 councils and appeared to show a staggering 37 attacks taking place every minute between 2013 and 2017.
“I am not surprised at the numbers” says Tankard, “many organisations fail to manage users and privileges. A frequent failing is not to remove people from groups when they move departments or, worse still, they leave the organisation and are not removed at all from systems. It is a communication issue, but it can be controlled with technology”.
Tankard explains how technology can help, and highlights having better control of Active Directory (AD) by using tools designed to work with AD but which provide a greater level of control and insight into what is really going on. These tools can be useful for department managers, who are able to easily see who is part of their group and who has access to their data. Any unknown person can be flagged to the appropriate department for further investigation. This puts the responsibility back onto the data owner, where it should be.
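The two failings described above, accounts left in groups after a department move or departure, and data owners who never check who is in their group, reduce to a simple reconciliation: compare each group's actual membership against the roster the data owner has approved and against the HR leaver list, and hand every discrepancy to that owner. The following is an added example, not code from Digital Pathways or from any AD product; the group names, account names, rosters and leaver list are constructed, standing in for what an export from Active Directory (for instance the output of Get-ADGroupMember) and an HR feed would supply.

```python
"""Access-review reconciliation for directory security groups (constructed example).

Each finding is addressed to the group's data owner rather than to IT, which
is the point of the review: the owner decides, IT executes.
"""
from dataclasses import dataclass

# Constructed sample: current membership of two AD security groups, as an
# AD export might list it. All names are invented.
GROUP_MEMBERS = {
    "Finance-Data-RW": ["a.jones", "b.patel", "c.smith", "svc-backup"],
    "Planning-Data-RW": ["c.smith", "d.lee", "e.wong"],
}

# Constructed sample: the membership each data owner has signed off.
# c.smith moved from Finance to Planning, and the Planning owner updated the
# roster, but the Finance owner never asked for removal.
OWNER_ROSTER = {
    "Finance-Data-RW": {"a.jones", "b.patel", "svc-backup"},
    "Planning-Data-RW": {"c.smith", "d.lee", "e.wong"},
}

# Constructed sample: HR leaver feed and the department each account belongs to.
# e.wong has left but is still on the Planning roster and still in the group.
LEAVERS = {"e.wong"}
ACCOUNT_DEPARTMENT = {
    "a.jones": "Finance", "b.patel": "Finance", "c.smith": "Planning",
    "d.lee": "Planning", "e.wong": "Planning", "svc-backup": "IT",
}
GROUP_DEPARTMENT = {"Finance-Data-RW": "Finance", "Planning-Data-RW": "Planning"}


@dataclass(frozen=True)
class Finding:
    group: str
    account: str
    reason: str


def review_group(group, members, roster, leavers, account_dept, group_dept):
    """Return the discrepancies in one group, most serious reason first per account.

    Leavers are reported before anything else: an approved roster entry does
    not excuse an account that HR says has gone.
    """
    findings = []
    for account in members:
        if account in leavers:
            findings.append(Finding(group, account, "leaver still in group"))
        elif account not in roster:
            findings.append(Finding(group, account, "not on owner roster"))
        elif account_dept.get(account) != group_dept:
            # On the roster but owned by another department (e.g. an IT
            # service account): legitimate or not, the owner should confirm it.
            findings.append(Finding(group, account, "department mismatch"))
    return findings


def review_all(group_members=GROUP_MEMBERS, owner_roster=OWNER_ROSTER,
               leavers=LEAVERS, account_dept=ACCOUNT_DEPARTMENT,
               group_dept=GROUP_DEPARTMENT):
    """Run the review over every group; result is keyed by group name."""
    return {
        group: review_group(group, members, owner_roster.get(group, set()),
                            leavers, account_dept, group_dept.get(group))
        for group, members in group_members.items()
    }


def owner_report(results):
    """Collapse findings into 'group -> reason -> accounts', one block per owner."""
    report = {}
    for group, findings in results.items():
        by_reason = report.setdefault(group, {})
        for f in findings:
            by_reason.setdefault(f.reason, []).append(f.account)
    return report


if __name__ == "__main__":
    for group, reasons in owner_report(review_all()).items():
        print(f"{group} (owner: {GROUP_DEPARTMENT[group]} department)")
        for reason, accounts in reasons.items():
            print(f"  {reason}: {', '.join(accounts)}")
```

Running the script lists, per group, the accounts the owner needs to act on: in the constructed data the Finance owner sees a mover who was never removed and a service account from another department, and the Planning owner sees a leaver who should have been disabled. Feeding it a real export rather than the constructed dictionaries is a matter of replacing the constants; the reconciliation logic does not change.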
Another good tool is to monitor user behaviour and, from this, any unusual actions can be alerted on or used to train the user on best practice. In the new GDPR world, coming soon, user education will be a key metric of compliance.
As with all data, the most important factor is that it should be encrypted at every level, even emails. This would mean that should data be taken, it would still be protected. Many feel encryption ‘slows things down’ or is expensive, but this is far from the truth. When you take into account the cost of fines, bad publicity and low employee morale due to a data breach, encryption becomes a very cost-effective measure.
Adds Tankard, “Digital Pathways works with many councils and there is no doubt that they are heavily burdened with regulation. At a time when council spending is closely controlled, the temptation is to put robust data security to one side. However, with public sector bodies increasingly receiving fines and with the imminent introduction of the GDPR with the threat of a 4% of turnover fine, it must be time to consider allocating sufficient funds in order to stop these data breaches.”