29.10.13
Data breaches ‘endemic’ – but blame management, not technology
IT security breaches in the public sector can virtually always be blamed on management failings, not the technology, according to Socitm.
The public sector IT managers’ body notes that “security breaches reported on the Information Commissioner’s Office (ICO) website include cases of incorrect disclosure, physical loss or theft of storage devices, misuse of old documents as templates, errors in handling fax and e-mail, sending documents to the wrong address, and even papers being stolen from a pub…There is not a single example of a technical failure among them.”
This supports Socitm’s own research, it says. Martin Greenwood, programme manager for Socitm Insight, said: “Socitm has been arguing for some time that the balance of the ICT manager’s attention should be shifting somewhat away from technology and towards the management of information. Part of this is managing its security. Unfortunately justifying the cost and resources for this can be a challenge, because with a virtual asset like information, it is not always easy to see when things have gone wrong.”
Public service organisations have been “doing well” at tackling technical vulnerabilities but less well at changing behaviours, according to the briefing report, ‘Information governance: not up to scratch?’
The report praises Chelmsford Borough Council for its proactive and focused approach to security breaches, which Socitm said are unfortunately “endemic throughout the public sector”.
In the last three years, there has been a significant increase in the number of public sector authorities appointing a senior information risk officer (SIRO). But only just over half of respondents to Socitm’s IT Trends survey say they have an information governance function in place, and only in the area of disposal of information assets do more than half of them have a policy in place.
Socitm says: “Tough security requirements set out by the Cabinet Office as a condition of connection to the public services network have focused minds in most public sector organisations on ensuring that their technical infrastructure and policies are watertight. This may have led to the more obvious risks around physically handling information assets receiving less attention than they deserve.”