Andy Barratt, UK MD at cybersecurity consultancy Coalfire, explores ways to strengthen cybersecurity and data protection policy in the public sector.
Everyone makes mistakes. After all, we’re only human. But sometimes there’s just no margin for error. Three government departments made headlines recently when they were forced to publicly apologise for administrative gaffes which, combined, exposed the personal data of more than 1,000 people. In each case, the leaks were caused when emails were accidentally sent to multiple recipients without the sender using the “blind CC” box. This meant that everyone on the mailing list could contact everyone else as well. One of these high-profile blunders was made by The Department for Digital, Culture, Media and Sport – the department which holds cybersecurity and data protection under its purview.
The other two, worryingly, both came from the Home Office. The first was referred to the Information Commissioner’s Office (ICO) after an employee exposed the details of people involved in the Windrush compensation scheme. The second was an email publicising the details of hundreds of EU citizens seeking settled status in the UK.
These incidents are more of an embarrassment than anything, with a number of high profile political figures having to issue public apologies. But the worrying thing is how prevalent these mistakes have become. While the damage caused by these examples was minimal, the pattern of incidents could speak to far more endemic issues of poor IT practice within government departments that could, eventually, be the cause of a far more serious data breach.
Bigger doesn’t mean better
It is the very size of the public sector, its decentralised operations and complex IT infrastructures that make it potentially less secure. Coalfire’s own research has found that, contrary to accepted wisdom on cybersecurity and data protection, the largest organisations are not the best prepared to protect themselves against cybercrime, despite having bigger budgets and resources.
A huge IT infrastructure with large numbers of people using it creates significant challenges and even the most sophisticated organisations often don’t have the resource to manage it effectively – particularly when compared to much smaller organisations which have far less ground to cover with their IT security and data protection processes.
Public sector organisations fit this profile perfectly. They often handle masses of data, a lot of which is sensitive, and rarely have the money or the manpower to manage it effectively. In the cases of the breaches we’ve highlighted here, it is clear that staff had not been effectively educated on data protection best practice – or at least that those practices were not being upheld or policed.
Painting a target
Another finding from our research is that human error, above all else, is the biggest IT threat to an organisation. Whether through mistakes like the ones highlighted here or by being vulnerable to exploitation by an external actor, employees are a serious risk.
The three incidents highlighted in this article will have done limited damage on their own. But allowing human error on matters of cybersecurity and data protection to become pandemic will eventually raise attention – particularly for high profile government entities. As the Home Office’s Windrush data breach proved, ICO is on the lookout for organisations that flout data protection standards, particularly following the introduction of GDPR.
Data protection fumbles are just as likely to garner the attention of less scrupulous actors as well. A government department, with all of the sensitive information it stores, is an attractive target for a cybercriminal – particularly if that department has recently demonstrated poor cybersecurity and data protection practices. Ensuring employees know how to send information securely can significantly decrease the chances of a mistake taking place. Not only will this help to avoid embarrassing headlines, it could also stave off unwanted attention – be that from the ICO or a cybercriminal looking for an easy target.
Lines of defence
But it isn’t all down to education. Whether through simple human error or by falling foul of social engineering hacks like phishing, risk is amplified as the size of the workforce increases. People make mistakes, so having failsafes in place to guard against them is becoming more and more essential. While user best practice will always be a must, the efficient and cost effective technology which is now available means organisations no longer have to rely solely on their employees to ensure total accuracy.
In the same way that technology can block users from accessing certain websites, we can also automatically encrypt email to some destinations, apply restrictions to documents or automatically screen incoming communications. There are also solutions on the market which apply machine learning to analyse the type of email being sent and the addresses of the recipients to judge whether a message should be encrypted or even sent at all.
Implemented alongside a robust employee code of practice, these types of technology can significantly reduce the risk of data protection breaches caused by email blunders. For an organisation like a government department, where mistakes make headlines, investment in these solutions is arguably more necessary than it is anywhere else.
Designing out avoidable errors
The potential for human error can never be eliminated; so in a world where human error can have such huge implications, avoidable errors must be designed out of systems as much as possible.
It is possible to significantly reduce the risk of human error-related data breaches; and a combined approach, where well-trained employees are supported by the right technology, is the best way to do so.
About Coalfire
Coalfire is the trusted cybersecurity advisor that helps private and public sector organisations avert threats, close gaps and effectively manage risk. By providing independent and tailored advice, assessments, technical testing and cyber engineering services, we help clients develop scalable programs which willimprove their security posture, achieve their business objectives and fuel their continued success. Coalfire has been a cybersecurity thought leader for almost two decades and has offices throughout Europe and the United States.
Andy Barratt
UK MD
Coalfire
