Intelligent CISO Issue 31 | Page 44

industry unlocked
Tony Pepper, CEO, Egress
There seems to be a sense that human-activated data breaches are inevitable within the public sector, meaning risk appetite is set at a level that accepts a 25% breach risk. Tony Pepper, CEO, Egress, explains how the public sector can protect data and employees.

ADDING A HUMAN LAYER TO DATA SECURITY IN GOVERNMENT ORGANISATIONS

Digital Transformation in the UK public sector has accelerated. Essential measures implemented to control COVID-19 have disrupted analogue processes, such as sending a letter or fax, as there’s no point sending a letter if there is no one in the office to open it. Digital processes have become the default as government employees work from home and citizens need to access public services and support remotely in order to stay safe. As this transition continues, it’s inevitable that the expanding digital footprint of public services will increase the amount of digital personal data residing in public sector systems and handled by government employees. What also seems inevitable, but shouldn’t be, is the high risk of human-activated data leakage due to digitalisation.

Figures published by the ICO showed that central and local government organisations accounted for 12% of all reported personal data breaches in the second half of 2019; 92% of these were classed as ‘non-cyber incidents’ attributed to human error or theft. Of these incidents, 23% were directly caused by mis-sent emails, failure to redact sensitive content or failure to use BCC.

Mitigating the risk of employee mistakes – and identifying those who deliberately leak data – must be an essential element of any organisation’s data security strategy. However, as recent Egress research shows, there is a broad range of reasons and scenarios in which employees leak data; identifying and understanding these will help frame how data security teams in the public sector need to respond.

The one in 10... ill-equipped, self-interested or under pressure

We surveyed 1,000 government sector employees to find out what kinds of situations lead to intentional and accidental insider data breaches. One in 10 said they or a colleague had intentionally broken company policy in the past year. When asked why, one-third said that they took a risk because they hadn’t been provided with tools to share data safely. While it is hard to criticise those who are just trying to get the job done, this keen but risk-taking profile is an unfortunately common cause of breaches.

Less virtuous are the 27% who said they took data with them when they moved jobs. Our research has shown that workers have a very proprietorial attitude to the data and information they work on, frequently assuming that creation confers ownership. Just over one-third (34%) of government employees said they don’t think the organisation has exclusive ownership of data, which explains their predisposition to walking out of the door with it when a new career opportunity beckons.

For public sector employees who admitted to causing an accidental data breach, phishing was one of the biggest issues, with 28% clicking on a link in a phishing email and 8% responding