This month we are looking at the challenges faced by Local Government. In a climate of budget cuts and ever increasing expectations and targets, Local Authorities are under tremendous pressure to secure critical data, infrastructure and services.
Massive amounts of valuable data held by local authorities are an attractive target for cyber criminals seeking financial gain, who often target unwary employees. This is more than leaving an unprotected laptop or mobile phone in a taxi – this includes combating sophisticated and targeted phishing attacks to gain access to sensitive data.
Last month, over 13,000 email addresses were stolen from Edinburgh City Council’s website following a ‘malicious’ cyber attack. A total of 400 email addresses belonging to council staff were also obtained in the assault.
Cybersecurity has become a key requirement for organisations of all sizes, as they all have information that could be of interest to cyber criminals.
To help combat this threat, this month we have compiled a number of key resources and services of specific interest to Local Authorities.
As always, if you’d like more information on any of the topics covered, please email: [email protected]
Big Brother Watch Report:
A Breach of Trust
The recent Big Brother Watch report, A Breach of Trust, shows that between April 2011 and April 2014 there have been at least 4,236 data breaches.
These findings are part of a wider trend. Local Authority Data Loss, a previous Big Brother Watch report into data loss by local authorities, found that between July 2008 and July 2011 personal data had been lost 1,035 times.
The increase in four years is dramatic.
Many breaches occur due to some form of human error, due to poor training or staff being unaware of their responsibilities. As it stands, data protection training is not compulsory for those handling personal information. This needs to be rectified. Both the public and the staff working in local authorities need to be able to trust that when a breach occurs it will be treated with the same approach across all organisations. This should include a duty to inform people when their personal information may have been involved in a breach.
Big Brother Watch propose a number of policy recommendations which would help to deter wrongful access of personal information, reduce accidental breaches and improve the level of standardisation across local authorities.
1. The introduction of custodial sentences for serious data breaches.
2. Where a serious breach is uncovered the individual should be given a criminal record.
3. Data protection training should be mandatory for members of staff with access to personal information.
4. The mandatory reporting of a breach that concerns a member of the public.
5. Standardised reporting systems and approaches to handling a breach.
6. The extension of the ICO’s assessment notice powers to cover local authorities.
It is vital that the security of personal information is a priority for local authorities. It will never be possible to eradicate the loss of data entirely, but by adopting these proposals breaches and errors can be kept to a minimum.
Infosec Cloud provides a managed security awareness testing and training service.
Case Study: Shetland Islands Council deploys 2FA to meet PSN security standard.
The Public Services Network (PSN) substantially reduces the cost of communication services across UK government and enables new, joined-up and shared public services.
Shetland Islands Council uses the platform extensively and needed to bring remote access to its corporate network up to the PSN standard. A strong two-factor authentication (2FA) solution was required.
The council chose SecurAccess from SecurEnvoy as the software enables secure logins without requiring dedicated tokens.
SecurAccess mobile-phone-based tokenless two-factor authentication is the modern alternative to physical fobs/tokens. By leveraging something the user already has, such as their smartphone, SecurAccess allows a seamless and cost-effective solution for 2FA to be implemented without the cost of traditional hardware-based alternatives.
The service can be provided as on-premise software or hosted via a managed services provider such as Infosec Cloud. Shetland Islands Council selected the on-premise solution.
Michael Marriott, ICT Team Leader, commented:
“We needed a solution that was quick to implement, easy to use and would become part of the day to day login process of our staff. Taking a tokenless approach has saved us money and means we do not have to manage a physical token inventory.”
Croydon Council expands usage of Egress Switch to securely transition to paperless office.
Egress Software Technologies, provider of Government-certified encryption services to 30 of the 33 London boroughs, has announced that Croydon Council expanded its usage of Egress Switch Secure File Transfer to further secure its data and to assist the process of moving to a new modern paperless office environment.
In keeping with the council’s commitment to the highest data protection standards, Croydon Council identified the need to automate the secure transfer of confidential files, including highly sensitive social care records. Having previously adopted Egress Switch Secure Email in 2011 under the ‘Secure Communications with third parties’ project, the council developed its usage of the platform to meet this challenge.
Lauren White, ICT Business Partner at Croydon Council, explained:
“Croydon Council has been through a period of great change, with nearly two-thirds of council staff moving into its new corporate headquarters and using reduced paper storage facilities. In addition, with almost all employees working to a three-to-two desk ratio, the council decided to adopt a paperless environment and consequently needed a secure mechanism for transferring scans of sensitive paper files, such as social care records, to corporate SharePoint sites and other applications. We consequently chose Switch Secure File Transfer not only to meet this need, but also as a logical progression to our usage of the Switch encryption services platform.”
Councillor Simon Hall, Croydon Council’s cabinet member for finance, said:
“The Switch technology provided by Egress is better for our staff, our residents and gives Croydon taxpayers more value for money. An encrypted paperless system is cheaper, greener, even more secure and uses less space. This saves us over £100,000 per year on storage costs alone. More significantly, it will enable us to deliver improved and more efficient ways of working.”
Offered through Switch Secure File Transfer, automated file transfer functionality enables organisations to embed encryption into day-to-day business processes.
Leveraging Government-certified key management, automated file transfer offers multiple layers of information security, including real-time revocation and auditing, to ensure data is protected both at rest and in transit. As such, organisations can simultaneously take advantage of workflow efficiencies without risking data security.
Is your Data Backup Plan more Pain than Gain?
Today data is everywhere: on desktops, laptops, mobile phones and even in cloud apps such as Office 365. It all has to be secured, backed up and yes, sometimes restored. If you are using a desktop-era backup solution, you may not be protecting 100% of your data.
Does your organisation suffer from any of these pains when it comes to using legacy solutions such as HP Connected Backup?
1. Intrusive Backups
2. Failed Backups
3. Slow Performance
4. Licensing Issues
5. Loss of Critical Data
The mobile workforce is here to stay, and you need to respond to the data protection challenges presented by mobile users who create large amounts of data, store data across devices, and connect to varied networks.
Druva inSync was designed for today’s dispersed data environment brought about by the rise of the mobile workforce.
Designed to protect and govern data on endpoint devices, Druva inSync features advanced data deduplication, eDiscovery enablement, WAN optimisation, full mobile data backup, and data loss prevention. Centralised management with integrated mass deployment makes installing and managing inSync simple for IT, ensuring that 100% of your data is always available and protected.