In 2014-15, the UK Government breached personal data security 9,000 times in a year. The National Audit Office revealed the 17 largest departments recorded 8,995 data breaches but that only 14 were reported to the Information Commissioner.
The knock-on effects on citizens can be enormously serious, such as identity theft, fraud, and confidentiality infringement. It is a shameful record and a frightening indictment of data handling practices in the public sector. The first duty of the public sector should be to serve the public, but the careless practices and inefficient procedures exposed by these security breaches indicate that the safeguarding of confidential personal information is not being treated with the priority the law – and the public – demand.
The sheer scale of these types of data losses is a serious warning to all organisations that it is time to put their houses in order – or face the consequences. Clear rules and guidelines are already in place regarding the gathering and stewardship of data in both the public and private sectors; some are long-established and some are a response to recent high-profile security breaches. There are also clear and increasingly tougher penalties for breaching regulations and increasing awareness regarding the consequences of poor practice in this area.
The Cross Government Actions Minimum Mandatory Measures from the Cabinet Office go one step further in placing stringent requirements on government departments and agencies to have Forensic Readiness Plans in place. The new measures are designed to better manage information risk, protect the personal information of citizens and minimise risk surrounding authorised access to protectively marked information.
The term ‘forensically ready’ relates to the ability to forensically examine your data so that you know;
This level of security can’t be handled with simple intrusion detection tools. What’s needed is a comprehensive cybersecurity platform to deliver the Privacy Impact Assessments as required by the Cabinet Office’s new measures.
A simple litmus test can help you understand whether you’ve made your business forensically ready and compliant with these new measures. Ask yourself these three simple questions:
The ability to audit your data will enable you to track the flow of sensitive data within your organisation and ensure that only authorised movement occurs. For example, employees are going to move around an organisation internally.
When the unauthorised movement takes place, this can be flagged and corrective action can be taken. Have you costed out the financial price of non-compliance with data reporting requirements, e.g. increased legal fees related to the disclosure of an increased number of custodians? Investment in an effective data audit solution can reduce long-term spending by eliminating the need for expensive third-party consultants.
Are you able to manage the risk to your reputation if a data breach occurs on your watch? Public sector organisations handling data relating to the most vulnerable in society carry a burden of trust. Private-sector organisations that suffer a data loss are likely to pay the price in loss of customers and a falling share price; public-sector organisations may not suffer such tangible consequences directly, but the risk to their reputation and governance is as real.
To have a robust Forensic Readiness Plan in place, organisations and departments need to be able to gather evidence on potential criminal activity or disputes legally and without causing disruption to day-to-day business.
This must also be done cost-effectively and in proportion to the incident – don’t go spending millions of pounds of taxpayers’ money on a simple data access request. On the other hand, don’t scrimp on spending if it’s a major criminal investigation.
Key elements of forensic readiness:
After submitting an enquiry, a member of our team will be in touch with you as soon as possible
Your information will only be used to contact you, and is lawfully in accordance with the General Data Protection Regulation (GDPR) act, 2018.