Guest blog: Councils, NHS and police fined millions for poor data handling


by | 08 November 2012

Ross Parsell, Government and commercial account director at Thales UK, comments for CBR on public sector organisations paying over £2m in fines for information security infringements over the past 18 months.

The news that the Information Commissioner's Office has fined public sector organisations over £2m in the last 18 months has shown how basic lessons on information security are not being learned. A perimeter-based approach to security based around firewalls and defensive controls around the IT network is no longer sufficient. Organisations need to rethink their approach to information security and take care to classify and protect data itself according to the sensitivity of that information.

'End-to-end information security' is a useful catch-all term to describe a strong security posture. However, the public sector needs to consider the status of different types of data in order to take the steps to adequately protect that data. Data can be categorised in three ways for this purpose:

From a security standpoint, 'Data at Rest', the inactive data physically stored in databases, spreadsheets, data warehouses and mobile devices, is vulnerable. It is imperative that public sector organisations protect sensitive data with strong encryption, so that it remains protected against brute force attacks when authentication methods like usernames and passwords fail.

'Data in Transit' is data transferred between two nodes in a network. In virtually all cases, the network cannot be trusted and the data must be protected with network encryption, supplemented by SSL certificates, Internet Protocol Security (IPSec) and other precautions where relevant.

Finally there is 'Data in Use', data being used in an in-memory state. Sensitive data should be protected by application encryption and exposed on a need-to-know basis: encrypted as soon as possible and decrypted only when necessary. This selective approach can only be performed at the application level.
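The application-level encryption described above, encrypting a sensitive field as soon as a record is created and decrypting it only in the one code path that needs the plaintext, is shown here as an added example. It is not code from the post or from Thales. It assumes Go's standard-library AES-GCM as the cipher, a key generated in-process (a real deployment would obtain it from a key-management service or HSM), and a citizen record with an NHS-number field whose values are constructed sample data; the record ID is bound into the authenticated data so a ciphertext copied between records is rejected.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// FieldCipher wraps an AES-GCM key used for application-level (field) encryption.
type FieldCipher struct {
	aead cipher.AEAD
}

// NewFieldCipher builds the AEAD from a 16-, 24- or 32-byte key.
func NewFieldCipher(key []byte) (*FieldCipher, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &FieldCipher{aead: aead}, nil
}

// Seal encrypts one field. The record ID is passed as associated data, so the
// ciphertext only opens against the record it was produced for.
// Output layout: nonce || ciphertext || GCM tag.
func (fc *FieldCipher) Seal(recordID string, plaintext []byte) ([]byte, error) {
	nonce := make([]byte, fc.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return fc.aead.Seal(nonce, nonce, plaintext, []byte(recordID)), nil
}

// Open decrypts and authenticates a sealed field for the given record ID.
func (fc *FieldCipher) Open(recordID string, sealed []byte) ([]byte, error) {
	ns := fc.aead.NonceSize()
	if len(sealed) < ns+fc.aead.Overhead() {
		return nil, errors.New("sealed field too short")
	}
	return fc.aead.Open(nil, sealed[:ns], sealed[ns:], []byte(recordID))
}

// CitizenRecord keeps the sensitive field only in sealed form: a dump of the
// record store, a log line or a debug print exposes ciphertext, not the value.
type CitizenRecord struct {
	ID        string
	Name      string // treated as non-sensitive in this constructed example
	sealedNHS []byte // NHS number, sealed at construction time
}

// NewCitizenRecord encrypts the sensitive field at the moment the record is
// built, i.e. as early as possible.
func NewCitizenRecord(fc *FieldCipher, id, name, nhsNumber string) (*CitizenRecord, error) {
	sealed, err := fc.Seal(id, []byte(nhsNumber))
	if err != nil {
		return nil, err
	}
	return &CitizenRecord{ID: id, Name: name, sealedNHS: sealed}, nil
}

// NHSNumber is the single place plaintext is produced; callers that only need
// the name never touch it, and decryption happens only when this is called.
func (r *CitizenRecord) NHSNumber(fc *FieldCipher) (string, error) {
	pt, err := fc.Open(r.ID, r.sealedNHS)
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// SealedHex is what a storage or audit layer sees for the sensitive field.
func (r *CitizenRecord) SealedHex() string { return hex.EncodeToString(r.sealedNHS) }

func main() {
	key := make([]byte, 32) // demo only: a deployment would fetch this from a KMS/HSM
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	fc, err := NewFieldCipher(key)
	if err != nil {
		panic(err)
	}
	// Constructed sample record; the NHS number is not a real one.
	rec, err := NewCitizenRecord(fc, "rec-0001", "A. Example", "123 456 7890")
	if err != nil {
		panic(err)
	}
	fmt.Println("stored form:", rec.SealedHex())
	nhs, _ := rec.NHSNumber(fc)
	fmt.Println("decrypted for the one caller that needs it:", nhs)
	// A sealed field moved to another record fails authentication.
	other := &CitizenRecord{ID: "rec-0002", sealedNHS: rec.sealedNHS}
	if _, err := other.NHSNumber(fc); err != nil {
		fmt.Println("ciphertext copied to another record rejected:", err)
	}
}
```

The design point is that the plaintext never lives in the struct: every reader of the record other than `NHSNumber` sees only the sealed bytes, which is what "exposed on a need-to-know basis" looks like in code, and the associated data ties each ciphertext to its own record so the store cannot be rearranged without detection.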

By classifying data rather than systems for different levels of protection, public sector organisations can protect themselves from the indignity and criticism of security breaches, as well as the associated data breach financial penalties. The threats of data theft, whether internal or external and whether through human error or malicious intent, are costly and dangerous. Government has a duty to protect this information and the Public Services Network is a major step towards fulfilling this duty.

Ross Parsell, Government and commercial account director at Thales UK
