Public Service: analysis, opinion, debate

Decrypting security: a smarter approach to data handling

Friday, February 19, 2010

Data is a strategic asset, according to Carla Baker, and one that should be treated with great importance. In this article she explains how government is working to shed its bad data security image and the future challenges it faces.

Information about citizens is no longer something only held in vast archives and storage facilities. Increasingly, it ends up on small portable devices such as laptops and memory sticks. When you consider that the amount of information that can be stored on a memory stick is equivalent to hundreds of filing cabinets, the consequences of that data being lost or falling into the wrong hands become alarming.

It has become increasingly easy and necessary for staff to transfer information, sometimes on a large scale, and much progress has been made in recent years to make sure that these transfers are done safely and securely. However, technological solutions to prevent data loss are only ever as effective as the procedures and working practices that support them.

The government has come a long way since the high-profile HMRC and MoD data losses, and a number of systems and processes have been put in place to minimise the risk of data loss occurring in the future.

The public sector has had to face up to the challenge of protecting personal data in a very public way. However, it is worth bearing in mind that the private sector is just as susceptible to losses - though they tend not to gain the same media coverage as the public sector. Since 2000, some of the most serious breaches occurred in the private sector.

Organisations that expose their customers to unnecessary and avoidable risk because of inadequate security must contend with reputational damage and the associated loss of business.

To underline the seriousness of the matter, the Information Commissioner's Office has recently been granted the power to fine organisations up to £500,000 for serious data breaches. Whilst this might not seem a lot compared to the turnover of large multi-national firms, it does demonstrate the government's commitment to drive through necessary changes to minimise the risk of data loss and force the procedural and cultural changes across the public and private sectors.

Information security
Government has become increasingly reliant on information and technology in its interaction with citizens. The more information, the more important security becomes. When looking at how to safeguard against misuse of data, much emphasis is put on the protection offered by encryption.

Published in 2008 to examine and improve data handling across government, the Data Handling Review, undertaken by Robert Hannigan - the Prime Minister's security advisor - and the Cabinet Secretary Sir Gus O'Donnell, put in place a set of mandated data handling standards for departments to adhere to. Most notably it introduced new rules on the obligatory use of protective measures such as encryption. However, the report also pointed out that proper processes need to be put in place for departments to comply with security measures.

Ultimately, data security depends on well trained staff and good working practices as much as improving the technology available to protect data.

Using encryption to enable mobile working
Mobile working has huge potential to generate efficiency savings for both the public and private sectors. For example, it can enable care workers to visit customers in their own homes and update and access information about their clients remotely. Ensuring the secure access and transfer of data is an even more immediate concern as mobile and flexible working become more common.

As part of this drive to enable both central and local government to access, collaborate and share information, the government established the Government Connect Secure Extranet (GCSx). Local authorities are required to ensure that they are compliant with security measures set out in the Code of Connection (CoCo) to the GCSx in order to access data held in central government departments and local authorities.

There is a range of products available to local authorities that enable them to update and secure existing systems and hence comply with the CoCo requirements.

By complying with the CoCo, councils are able to continue to offer staff the same level of flexible working arrangements, continue to provide a full range of services to residents and at the same time adhere to the security requirements.

Not just technology
We must remember, however, that technology is only part of the solution. However advanced the technology, it cannot provide full information assurance without the right processes and training material to ensure that the appropriate individuals have access to the information and that they are treating it responsibly. Organisations need to take a holistic approach to security, embedding it as part of their overall corporate ethos, and both public and private sectors have come a long way.

Central government has established an e-learning guide that has been rolled out across government, and a more advanced module has been produced to meet the needs of those members of staff with specific information handling responsibilities.

Conclusion
It is evident that both government and the private sector have come a long way since the high-profile data losses; they have put in place systems and processes to protect information.

The rise of the digital age, and the functions that this enables such as online transactions and mobile working, means that organisations need to take a more strategic approach to information handling.

Data is a strategic asset to UKPLC and it's at the heart of what organisations do, enabling them to share, exploit and use information to do business.

Carla Baker is the information security programme manager at the IT trade body Intellect