The advantages of sharing data between different public sector organisations are becoming increasingly obvious – for citizens, red tape can be cut; for government, policy can be better informed; and local authorities can reduce fraud.
Many local authorities are sharing services to create economies of scale. Thames Valley and Hampshire police, for example, share a single ICT department, and Leeds, Yorkshire and Humber are developing a shared platform for a number of digital services needed by all three councils.
But the more widely data is shared, the more opportunity there is for that information to get into the wrong hands. While keeping it locked up in individual silos may mean failing to use it to best advantage, it at least means it’s easier to keep safe – one reason public sector bodies are cautious.
Some of this data can be very valuable to hackers and scammers, medical information in particular, which can be worth as much as $28 a record to scammers.
“Instead of some of the high-priced data that five years ago people were looking at targeting, they are now going for medical data because they can extract more money. More security has been put around data points such as banking information,” says Joel Dolisy, chief technology officer of network management company SolarWinds.
“It shifts the problem from one area to another. Those people who are spending a lot of time, if it gets too complex, will look for another area that’s easy to exploit.”
Key to information sharing is the government’s Public Services Network (PSN), a single ICT infrastructure aimed at helping public sector organisations work together, reduce duplication and share resources.
It’s kept secure using a “walled garden” approach, with controls including ensuring software is patched to the latest levels, preventing the execution of unauthorised software, deploying anti-malware, and using encryption on remote and mobile devices. It now connects all local authorities in England, Scotland and Wales.
However, public sector organisations are still wary about sharing data as much as they should, according to Phil Gibson, chairman of Innopsis, the industry association for companies involved in public data sharing.
“The biggest blocker to the modernisation of public services is information sharing or the lack of it,” he says. “This isn’t due to a lack of technologies and services to secure data, but primarily in terms of the cultural barriers that hamper collaboration and the fear that information security rules will be broken.”
Part of the problem is the way legacy security systems fail to take account of new ways of working, such as the trend for remote access through the use of hand-held devices such as iPads.
“Ageing technology, in place through moribund long-standing government contracts, provides virtually no context as to the who, how, where, why, when,” says David Warburton, a government systems engineer with F5 Networks.
“For example, taking into account whether an employee requesting sensitive data access is using a company laptop on a secured business network or doing so via their own personal device using a coffee shop’s free wi-fi.”
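The kind of context-aware decision described in the quote above, written out as an added example; this is not code from the article or from F5 Networks, and the field names, roles, trust signals and the policy thresholds are all assumptions chosen to illustrate the idea. The evaluator combines who (user and role), how (managed or personal device), where (trusted network or public wi-fi) and when (working hours) into an allow, step-up or deny decision, and emits an audit record so the same context is available to whoever reviews access later.

```python
"""Context-aware access decision for sensitive records (illustrative).

Added example, not from the article or from any vendor. Roles, trust
signals and the policy itself are assumptions for demonstration.
"""
from dataclasses import dataclass, asdict
from datetime import datetime
import json

ALLOW, STEP_UP, DENY = "allow", "step_up", "deny"

# Assumed ordering of data classifications and the clearance each role holds.
SENSITIVITY_RANK = {"public": 0, "internal": 1, "sensitive": 2}
ROLE_CLEARANCE = {"clerk": "internal", "caseworker": "sensitive"}
WORKING_HOURS = range(7, 19)  # 07:00-18:59 UTC, an assumed policy window


@dataclass(frozen=True)
class AccessRequest:
    user: str              # who
    role: str              # who: authorisation role
    device_managed: bool   # how: organisation-managed laptop vs personal device
    network_trusted: bool  # where: secured business network vs coffee-shop wi-fi
    data_sensitivity: str  # what: "public", "internal" or "sensitive"
    timestamp: str         # when: ISO 8601 with UTC offset


def decide(req: AccessRequest):
    """Return (decision, reason) for a request using its full context."""
    clearance = ROLE_CLEARANCE.get(req.role, "public")
    if SENSITIVITY_RANK[req.data_sensitivity] > SENSITIVITY_RANK[clearance]:
        return DENY, "role lacks clearance for this classification"
    if req.data_sensitivity != "sensitive":
        # Non-sensitive data: identity and role are enough on their own.
        return ALLOW, "non-sensitive data"

    # Sensitive data: device posture, network and time of day all count.
    hour = datetime.fromisoformat(req.timestamp).hour
    if req.device_managed and req.network_trusted:
        if hour in WORKING_HOURS:
            return ALLOW, "managed device on trusted network in working hours"
        return STEP_UP, "trusted context but outside working hours"
    if req.device_managed or req.network_trusted:
        return STEP_UP, "partial trust: require a second factor"
    return DENY, "personal device on untrusted network"


def audit_record(req: AccessRequest, decision: str, reason: str) -> str:
    """Serialise the request context plus outcome as one JSON log line."""
    rec = asdict(req)
    rec.update(decision=decision, reason=reason)
    return json.dumps(rec, sort_keys=True)


# Constructed sample requests (not real users or systems).
SAMPLE_REQUESTS = [
    AccessRequest("a.smith", "caseworker", True, True, "sensitive", "2024-03-01T10:00:00+00:00"),
    AccessRequest("a.smith", "caseworker", False, False, "sensitive", "2024-03-01T10:05:00+00:00"),
    AccessRequest("a.smith", "caseworker", True, False, "sensitive", "2024-03-01T10:10:00+00:00"),
    AccessRequest("b.jones", "clerk", True, True, "sensitive", "2024-03-01T10:15:00+00:00"),
    AccessRequest("b.jones", "clerk", False, False, "internal", "2024-03-01T10:20:00+00:00"),
    AccessRequest("a.smith", "caseworker", True, True, "sensitive", "2024-03-01T23:00:00+00:00"),
]


def evaluate_all(requests=SAMPLE_REQUESTS):
    """Decide every request and return the list of decisions in order."""
    return [decide(r)[0] for r in requests]


if __name__ == "__main__":
    for r in SAMPLE_REQUESTS:
        d, why = decide(r)
        print(audit_record(r, d, why))
```

The point of the exercise is the second and third sample requests: the same person asking for the same record gets a different answer depending on device and network, which is exactly the context a role-only check cannot see.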
Indeed, a recent report from security firm Sophos found that the demand for more remote and mobile working practices was the public sector’s biggest security headache, cited by 59 per cent.
“Public sector organisations are out remotely accessing data on the go and on smart devices. In these times of austerity, that’s very, very difficult,” says Stephen Bourne of Sophos.
And old technology can create just as many problems as new. Most public sector bodies now have multiple systems, not all of which are necessarily even mapped. Suddenly, they’re expected to link to one another in ways that were never envisaged, with all the security risk this implies.
The public, meanwhile, expects data to be kept secure at all times, which is pretty much an impossibility, especially given public sector budget constraints. According to Big Brother Watch, there are an astonishing four data breaches a day by local councils, although the vast majority are trivial in their effects. Not only would eliminating them altogether be impossible, the attempt would be prohibitively expensive.
Reducing security risk
The only answer, says Mr Bourne, is to take a pragmatic approach. “The biggest conversation I have with local authorities is how can I reduce the risk most with the amount of money I’ve got?” he says. “For example, encrypting information on removable media might focus on the commonest use of removable media because it reduces the number of licences required and keeps down the cost.”
One particular worry for many is the increasing move to the cloud. Indeed, a recent survey from the Society of Information Technology Management found that 47 per cent of the public sector organisations it polled wouldn’t consider using cloud applications for IT services involving personal data or business-critical functions.
With major suppliers storing sensitive customer data on servers in the United States, it can be hard to guarantee that it’s being handled in accordance with UK data protection rules, especially given the recent collapse of the Safe Harbor agreement that was supposed, pre-Snowden, to guarantee the secure handling of data.
Local authorities are responsible for validating their suppliers’ security pledges and understanding data jurisdiction, which is not an easy task. As a result, many public sector bodies are contracting with UK cloud companies instead. Wealden District Council in East Sussex, for example, signed up Yorkshire-based Fantastic Cloud Services last month for a back-up and disaster recovery solution that involved the secure storage of more than 150,000 personal records.
But with most security breaches caused by human error, ultimately sharing data securely is far more about procedures than technology. In fact, over-elaborate security systems can actually end up encouraging staff to try and bypass them.
It makes sense to keep rules as simple as possible; for example, by banning the storage of sensitive data on USB sticks, which can easily fall into the wrong hands. Continuous training is also key.
“To some extent, people are being people. You’re going to tell them what to do and what not to do, and they all agree and then two weeks later they do something else,” says SolarWinds’ Mr Dolisy. “You’ve got to have a continuous message going on, not just a check-box. It’s literally a constant stream of reminders. The average employee doesn’t understand the cyber security threat.”