14.12.17
Staff are ‘weakest link’ in cyber security, expert warns
The human error of council employees is a major threat to data security, an expert has warned.
Speaking at the National Association of Local Councils’ conference yesterday, Andy Hall, cyber and technology specialist, said that over half of all local council data breaches are due to employee error, such as leaving an unencrypted laptop on a train, or sending an email containing sensitive information to the wrong email address.
“Staff are always the weakest link,” he said.
Cybercrime is growing by an “astronomical amount”, said Hall, with over half of all reported crimes estimated to be cybercrimes - over 7,000 each day.
Protecting personal data is a top priority for local councils as they hold large amounts of sensitive and personal data, making them vulnerable to cybercrime or data breaches.
Hall explained that in the last 12 months, over a quarter of local councils have been hit by ransomware attacks.
The new General Data Protection Regulation (GDPR) is due to come into force from May 2018, and Hall advised that councils need to make improvements to the way they collect and store personal information.
Councils must comply with the “right to be forgotten”, although Stacey Egerton, senior policy officer at the Information Commissioner’s Office (ICO), clarified that this is not an absolute right where services are still being provided to an individual.
Hall said that there should be clarity about how data travels within the local authority and that a data protection officer should always be appointed to ensure personal information is kept safe.
When appointing a data protection officer internally, Egerton warned of the conflict of interest that this may pose.
She explained: “If they're in a position where they're making any kind of decisions about the processing of personal data then it’s likely that there’s probably going to be a conflict of interest there.
“It’s really difficult for us to say yes or no to a particular position being suitable for a data protection officer or not; it needs to be considered on a case-by-case basis.”
Hall also advised that councils review their relationships with IT service providers and confirm that they are also compliant with GDPR, but cautioned that outsourced service providers often have limited responsibility for data.
The responsibility lies with the council, and data breaches could see fines of 4% of annual turnover, depending on the severity of the breach.
“Remember, there is no absolute prevention against cybercrime, but according to a recent survey cybercrime could be stopped by adopting some basic form of risk management,” Hall concluded.