Sophos Survey Reveals Need to Rethink Public Sector Data Security

April 25, 2012 Sophos Press Release

A survey* of 584 UK public sector IT managers, performed by Sustainable Gov on behalf of Sophos, has revealed that the measures being introduced by the Government to improve data security are failing on a number of counts. Most notably, fines by the ICO are having little impact, with only five percent of public sector IT managers acting on data security policies due to fear of a fine. Furthermore, nearly half (44 percent) of respondents think that, while the obligation to protect data is clear, they are not given enough guidance on how to act on this obligation.

Other findings from the research include:

  • 22% of respondents do not think the obligation to protect data is clear to businesses at all
  • 48% of organizations only improve data security because there is a legal obligation to do so
  • 42% of those surveyed cite classroom and webcast training to be the best way to educate staff on security and information assurance practices

The ICO’s fines have at least managed to raise the profile of data breaches in the public consciousness. However, the results of the survey point to the fact that businesses need more help to improve their data protection policies. Public sector organizations have come out as the worst offenders – for example, since the start of 2012 a Lancashire police force and three councils (Croydon Council, Norfolk County Council and Cheshire East Council), among others, have been fined – but it is still not clear why the public sector is repeatedly failing to protect sensitive data.

“The UK is seeing a severe disconnect in the expectations that the Government has for organizations to comply with data protection legislation, and the measures it has introduced to help them achieve this,” said Ollie Hart, head of public sector at Sophos. “The repetitive onslaught of ICO fines was a neon sign that something was amiss, yet this research shows us that organizations are still lacking guidance on how to protect sensitive data. If organizations are more thoroughly educated on the causes and outcomes of data breaches, perhaps we’ll be able to prevent them from happening in the first place, rather than simply reacting once it’s already too late.”

A number of simple measures can be taken to prevent data breaches, and the best solutions incorporate both education and technology. As a first port of call, employees need to understand the value of the data with which they are dealing. Second, technology solutions can be implemented to safeguard against human error and ensure that a basic level of security always exists. Techniques from encryption through to Data Loss Prevention (DLP) all help to better protect sensitive information.

“There is a danger that if fine after fine is given out by the ICO, the significance of the data breaches will be diminished. With the right education and technology in place, employees will begin to understand the impact of data loss, not only on the company, but also on the individuals whose information has been made public,” concluded Hart.

“The results of the survey are clear. Public leaders are calling for greater assistance on how they should manage and refine their data protection policies. Many ICO fines have been issued, but their purpose is often aggravating or misconstrued by those on the receiving end,” said Tim Holmes, Sustainable Gov.

“There is a growing acceptance that these fines are impeding the progress of an innate data protection culture. While the fines have often been successful at least in getting the message across, they are a decidedly blunt instrument, which can lead to conflict. Experts are therefore now calling for education to be prioritized instead, with strong policies set in place and all employees—from management level down—taught the benefits of keeping data secure and the risks of failing to act. A more self-regulating, holistic solution to the problem could then be forged.”

A whitepaper on the results of the survey can be found on the Sophos website: http://www.sophos.com/en-us/security-news-trends/whitepapers/data-protection-in-the-uk-public-sector.aspx.