
Data Security in the Public Sector

Incorporating findings from the BeCrypt Public Sector Survey

December 2008


Synopsis

Changes in the IT and regulatory landscape, including the much publicised Data Handling Review, continue to bring different challenges to the Public Sector. Local authorities and the police, like all organisations, need to be assured that their IT systems are robust, secure and reliable. From the survey we have identified four main factors that are currently top of mind:

• Moving to GCSx – the private wide area network for secure communications between connected government organisations.

• A remote and mobile workforce – increased mobility and remote working (to both increase productivity and provide employees with work/life balance) requires strict policies for managing and controlling access to systems and the use of laptops outside of the organisation’s boundaries.

• Data protection and compliance – managing and protecting data is now top of the agenda for many organisations, particularly with the rise in high profile cases of missing data through equipment being stolen or lost.

• A rise in the use of USB devices – organisations must now manage the use of the many USB devices – USB sticks, iPods and cameras – that are connected to PCs and laptops.

Clearly, regulatory compliance and data protection are closely linked to the use of USB devices. A missing or stolen computer or USB stick that contains confidential or sensitive data puts the organisation at risk – financially, legally and through damage to reputation.

Today’s technology has placed similar demands on the private and public sector, whether it be to protect national secrets, intellectual property or personal information. Organisations must now address access and security issues with comprehensive data policies. They must also implement the most appropriate security solutions that ensure productivity is not hindered through complex security management and control systems.


The established systems and processes of protectively marking – or classifying – data that have worked well for the Government for decades have failed to meet today’s demands. The UK government’s response to recent high profile public sector data breaches in 2008 has resulted in a published framework that accompanies the existing data classification requirements. There has been a shift in focus to measure data loss in terms of risk and the potential impact it may have.

There is no doubt that awareness of the need to protect and secure data has significantly increased. BeCrypt’s recent Data Security survey¹ (December 2008) investigates how public sector organisations have changed policies and adopted technologies to address some of the issues highlighted above. This White Paper discusses the findings and compares them with those previously covered in its earlier ‘state of the nation’ survey.²

Background

The survey was conducted during November and December 2008 via a series of telephone interviews with named individuals at councils or police authorities in the UK. All individuals interviewed worked within the IT department at manager level or higher, or as a security officer or equivalent role.

The data has been segmented into four sections, to ensure a proportionately spread sample. However, during calling we discovered that many of the smaller authorities were being merged/amalgamated and were not, therefore, prepared to take part in the survey. The weighting is now more in favour of the larger councils, London boroughs and police authorities.

In each of these cases interviews were completed with at least 10% of the organisations within the segment, making the survey as a whole, and for each segment with the exception of the smaller councils, statistically relevant.

This is the second such survey conducted by BeCrypt, with the first taking place in August and September 2007.

Aim

The aim of the survey was to research how organisations within the public sector are approaching the new requirement to join the Government Connect Secure Extranet (GCSx) and how they are safeguarding data in the context of providing more flexible working conditions for staff and extending services to citizens.

The survey looks at how important mobile working is to the organisation and data security arrangements for mobile devices, particularly laptops, and explores the usage and control of USB devices.

The results are compared with the earlier survey carried out by BeCrypt to see how the data security landscape has changed in the intervening 14 months in the public sector.

Notes

Total number of surveys completed: 60

Segmented as follows:

Large Councils (County, Unitary & Metropolitan): 30
London Boroughs: 12
Smaller Councils (Districts & Boroughs): 14
Police Authorities (all non-BeCrypt customers): 5

Moving to GCSx

Local authorities in England and Wales are under pressure to join GCSx, a private wide area network for secure communications between connected government organisations, by the end of March 2009 to speed up government departments’ capacity to share customer data with third parties.

The provision of a national network infrastructure that provides secure connectivity to the wider local and central government communities is of significant benefit to local authorities.

It provides an accredited, managed network to connect all English and Welsh local authorities with, inter alia, central government, the NHS, the Scottish Local Authorities and the Criminal Justice Community into a trusted secure community. It also allows a secure email relay service with an accredited, independently managed anti-virus service and enables secure data sharing.

To join, authorities must also sign up to the GCSx Code of Connection (CoCo), which sets out the standards and processes an authority must comply with before being able to connect to GCSx. CoCo includes specific requirements on log data.

BeCrypt’s survey highlighted that most public sector organisations are aware of and on track to join GCSx by the deadline of 31st March 2009.

Question 2. Are you planning to join GCSx?

Only smaller councils said that they would not be joining GCSx and this is due to imminent merging with other larger councils. Councils in Scotland said that they were already on GCSx.

Question 3. When are you planning to join GCSx?

Most councils and London Boroughs are on track to be ready for the live date on 31 March. A few have negotiated extensions. Further questions established how local authorities are currently exchanging information.

Question 4. How do you currently exchange information with other agencies, for instance police & social services?


Only smaller councils said that they never share data. The police authorities seemed to be most security minded when sharing data. Fewer of the London Boroughs had secure network facilities, when compared with larger councils and police authorities.

A remote and mobile workforce

The advent of laptop computers and remote access from PCs has revolutionised the way of working. Armed with a laptop, employees are free to work remotely at whatever site they choose. Organisations see productivity benefits as staff are able to spend less time travelling to and from meetings, and it enables the flexible working legislation to be met.

However, for the IT department this new mobility brings its own challenges. Not only is there the increased risk of laptops being lost or stolen, there is also the need to provide secure access to systems and data.

Despite this risk, some organisations are now providing staff with the tools to enable remote working. Our survey illustrated that smaller councils had the least facilities for remote and home working. Police authorities and large councils had the best facilities, while London Boroughs were not as advanced as may have been expected.

When compared with the survey results from 2007, the overall trend seems to be that fewer workers are now being issued with laptops and secure connection, which may be because of the introduction of GCSx.


Question 5. What infrastructure do you currently have in place for remote and home working?

Further findings illustrated that authorities and the police would extend flexible working, had they the right infrastructure in place, and that they considered it important to offer it in order to meet the work/life balance.

Question 7. If flexible working were affordable and secure, would you extend it to more staff?

These figures are in line with the findings from the 2007 survey. Smaller councils are less likely to offer/extend flexible working.

Question 8. Does flexible working help the council to provide a good work/life balance and more flexible services?

Data Protection and Compliance

Managing and protecting data is now top of the agenda for many organisations, particularly in the wake of the Data Handling Review. Data security is a serious issue, with government legislation mandating that organisations must publicly report any security breach that may compromise personal information.

The public sector faces additional challenges as it responds to the Freedom of Information Act 2000 (FOI Act), whereby clear guidelines are set as to what information or data can be released into the public domain.

A security policy can outline the appropriate use of data, and may also protectively mark data (according to the government classifications). However, this does not protect data from theft or loss; it merely provides an indication of the associated ‘risk’ of data loss to the organisation. While the loss of a stolen laptop might be a cost, there is an additional cost in terms of the public image and loss of intellectual property.

While a security policy may address the use (and misuse) of data, many organisations are now recognising that encryption of data is vital. It may not prevent the loss of stolen hardware, but the associated risks will be mitigated if the data is protected, therefore avoiding security breaches.

Awareness of this issue has risen. In the survey, councils claiming to encrypt data on all PCs had increased from 10% in 2007 to 17% in 2008. Authorities claiming that data on some computers carrying sensitive material is encrypted also showed an increase, from 45% in 2007 to 48% in 2008.

Councils saying that they do not encrypt any data is now 32%, and while this is an improvement on the 43% recorded in 2007, it is still too high a figure.

Question 9. Do you encrypt data on any or all PCs?

The police authorities demonstrate a stronger emphasis on protecting data with encryption, as might be expected. London Boroughs are noticeable in that a surprising number of them do not encrypt any data – in this respect they score lower than smaller councils.

From the findings, however, both police authorities and smaller councils now encrypt more material than in 2007.

The FOI Act outlines a code of practice for all public authorities with regards to information held. The code lists the compliance regulations to which authorities need to adhere in order to ensure that data is protected while still allowing public access where appropriate. Managing and protecting sensitive information has never been more important or more complex.

The following question showed the most dramatic turnaround on this since the earlier survey.

Question 10. Do you have procedures for protecting sensitive data?

In the 2007 survey 90% of councils had no procedures for dealing with sensitive data. Now 50% do have procedures. Clearly the adverse publicity of data loss and the Data Handling Guidelines are filtering down to the wider public sector. However, there is still a long way to go, because 50% of authorities are still lacking procedures for dealing with sensitive data. While, to some extent, this might be expected of smaller councils, the fact that 65% of London Boroughs have no procedures is surprising.

Rise in the use of USB devices

With an increasing number of external USB devices now being used – cameras, iPods and mobile phones – organisations run the risk of their data being vulnerable to theft or even the ‘toxic’ liability of data or viruses being imported into the network. The unmanaged use of such external devices exposes all organisations to high risk.

Flash memory sticks are now commonplace and provide a convenient way of storing and transporting data. However, they can be easily lost or stolen. Only recently have media reports exposed the numbers of USB sticks left in clothing for cleaning, as well as those left behind on public transport.

Organisations can no longer operate on a trust basis, hoping that employees will adhere to a policy. To protect data from being vulnerable, organisations require a centrally managed policy to ensure that the usage of such devices is controlled.

The following question highlighted recognition of this factor. The use of USB devices managed by a Port Control solution is up from 38% in 2007 to 57% in 2008. Again, this is good, but there is still a long way to go until all USB devices are properly managed.

Last year 30% of councils had no procedures for USB device usage; now that figure has reduced to 22% – still a surprisingly high figure – but the trend is in the right direction. As before, the police authorities seem most security aware and the London Boroughs less so.


Question 12. How do you prevent data leakage, particularly around the use of USB devices?

Rise in profile of Security

One of the most striking points when comparing the two surveys is the difference in job titles of the people that were interviewed. In 2007 only 23% of respondents held a security specific job role. In the 2008 survey that figure was up to nearly 50% – further anecdotal evidence that security has risen up the agenda, as the graph below demonstrates.


Summary

With the increased number of mobile employees and stronger mandates from legislation and Government to protect personal data, data protection is firmly top of mind for organisations. It is not just the monetary risk of losing assets, in the case of a stolen or lost laptop, that is of concern. Today it is the serious threat of data, and highly sensitive data, being in the public domain, either by accident or malicious intent.

For the public sector (as well as the private) the risks are high – both to reputation, the possible financial penalties or breaches of internal policy. These new factors – mobile working and use of USB devices – are increasing the risks and have radically changed the territory of the IT department to extend outside of the organisation’s geographical boundaries.

The results from the recent survey illustrate how seriously this changing landscape is being viewed. The latest survey highlights that on the one hand there is clearly a lot of work still to be done, whilst on the other it shows that attitudes are changing and data security is definitely higher up the agenda.

This is being driven by policy mandates as part of the Data Handling Review and adherence to the Code of Connection for GCSx, both of which are starting to create a cultural change towards data handling and security.

Perhaps an illustration of this is not only the higher awareness of the protection required, but also the fact that there is now a far higher incidence of data security specialists employed.

The move towards greater levels of data security brings with it a greater requirement for data encryption, whether on existing systems or removable media. The survey shows that organisations realise that it is not enough to simply have a security policy in the hope that it is adhered to.

In addition to the implementation of technological solutions that protect data, a clear security policy needs to define protocols and mandate their use. A successful policy should be designed to regulate the use of removable media, and protect the data.

The right tools are available in the market today to enable better data security. Safeguarding data is the first step in protecting an organisation’s information assets, and in many cases, providing important assurance to those whom it serves.

About BeCrypt

BeCrypt provides market leading disk encryption, media encryption, data protection, and remote access products that can be configured to the individual needs of your organisation.

Our data security products protect the data and information on desktops, laptops, PDAs, USB sticks, mobile devices and removable media such as CDs.

Some of the most secure organisations in the world rely on BeCrypt encryption software to protect their data. We work with global corporates and public sector organisations such as the UK Government and Ministry of Defence on many security development projects.

Our encryption products are certified by the leading security assurance schemes, including CESG Assisted Products Scheme (CAPS), CCT Mark, Defence INFOSEC Procurement Co-Operation Group (DIPCOG) and the Federal Information Processing Standard (FIPS).

Our ground breaking Trusted Client product allows organisations to give mobile workers secure network access from an unmanaged internet enabled PC. Trusted Client can drastically reduce the cost of mobile working and offers significant business continuity gains should office based workers not be able to get to their work place. For safe remote access to the network users simply insert the Trusted Client memory stick and boot up their PC.

¹ BeCrypt Public Sector Data Security Survey, December 2008

² BeCrypt Public Sector Data Security Survey, October 2007


All product names referenced within this document are trademarks or registered trademarks of their respective companies.

BeCrypt Ltd disclaims interest in the marks or names of others. While every effort has been made to ensure technical accuracy, information within this document is subject to change without notice and does not represent a commitment on the part of BeCrypt Ltd.

No part of this document may be reproduced or transmitted in any form, electronic or otherwise, without the expressed consent, verbal or written, of BeCrypt Ltd.

130 Shaftesbury Avenue, London W1D 5EU, UK. t: 0845 838 2050 f: 0845 838 2060 Outside UK: +44 (0)[email protected]
