Technology
Keeping Data Safe in the Public Sector
If ever a cyberattack had an appropriate name, it was the global “WannaCry” ransomware attack in May 2017, which would have surely left NHS finance managers on the brink of tears. The attack, which is thought to have originated in North Korea, disrupted more than 80 hospital trusts and 8 per cent of GP practices. It locked computer screens displaying Bitcoin demands. Although no ransoms were paid, the estimated cost to the NHS was £92m, and 19,000 appointments were cancelled.
Understandably, the WannaCry attack made the news headlines, but IT managers in both the private and public sectors will tell you that aggressive cyber-attacks are hardly unusual.
The figures in the official Cyber Security Breaches Survey are alarming. According to the survey, in 2022, 39% of UK businesses had identified a cyberattack, and these are just the ones uncovered in the research. Of those reporting cyberattacks, 31% of companies and 26% of charities estimated they were attacked at least once a week.
For a business, a cyberattack can result in financial losses and, ultimately, bankruptcy. In the public sector, the stakes are even higher. As well as the financial impact on the public purse, an attack can halt vital services and compromise confidential data that may threaten national security.
Protecting public sector data and keeping systems secure is a never-ending battle. A malicious hacker only needs to be successful once to wreak chaos. To keep public sector data safe, constant vigilance and adherence to best practices are essential.
What data is used in the public sector?
It may be quicker to ask what data isn’t used in the public sector. Data is used to inform policy, keep the population safe and healthy, measure academic performance, ensure correct taxes are levied and the right benefits paid, and so much more. The value of data in the public sector cannot be underestimated.
Where does the public sector source data?
Some examples of data used in the public sector include:
The census and other demographic surveys: Knowing who lives in the UK is vital for policy development.
The Office of National Statistics and The Bank of England. These are instrumental sources for analysing economic data. Measuring GDP, inflation rates, and employment figures helps governments make informed decisions about fiscal and monetary policies.
NHS. Accurate patient records are required to treat individuals, but the data collected by the NHS is also used to monitor disease outbreaks, check vaccination rates, and assess the effectiveness of public health in general.
Education. Pupils are assessed throughout their school journey through SATS, GCSEs, and A Levels. Schools are evaluated through Ofsted inspections. The information gathered informs decisions about funding and curriculum development.
Environment. Air and water quality is measured, and the Met Office issues weather warnings, which may affect the running of the country.
Transport. Data on road and rail usage are collected to help plan infrastructure policy. The DVLA controls the issuing of drivers’ licences and MOTs, checks that drivers are insured, and collates penalty points for driving offences.
Law enforcement. The police and the courts have in-depth data on offenders, victims, and all matters related to the prevention and prosecution of crime.
Social Services. The government has data on social security claimants, people receiving state pensions, care homes, and all those who work in or use social services.
HMRC. The data at HMRC includes the earnings and tax/NI paid by everyone in paid employment.
Security services. The data compiled by GCHQ, MI5, MI6, and other agencies is understandably sensitive.
The list above is by no means exhaustive, far from it. But it does give an illustration of the sheer volume and diversity of the data managed by the public sector, as well as its sensitive nature.
How does the public sector manage data?
In an ideal world, a defined data management strategy would encompass the sourcing and use of all public sector data. With so many separate (and very different) organisations involved, this is a panacea that IT managers would love to realise.
While a centralised data programme is currently unrealistic, the public sector is working on setting common standards around data governance. Defining best practices for data management and accountability for data quality and security is an important step. Aligned data management practices should start with standardised data collection methods and processes.
The biggest step forward is the maturity of cloud-based data storage. Moving from stand-alone servers to secure data centres took many years, but the transition has succeeded in both the private and public spheres.
As you would expect, public sector data is now held in vast, dedicated data centres (the cloud). The next challenge is a standardisation of where in the cloud to store data.
There have been debates around the use of UK government-owned and managed data centres. Aside from data affecting national security, most agencies and public bodies remain responsible for their own data.
Of course, there are always efforts to avoid the creation of silos and disjointed strategies. Government Cloud (G-Cloud) is a longstanding UK government initiative created to ease the procurement of cloud services by public sector organisations and government departments.
G-Cloud comprises a series of framework agreements with cloud services suppliers (such as Microsoft) and a listing of their services in an online store, the Digital Marketplace. These enable public-sector organisations to compare and procure those services from the private sector without engaging in a complete review process, which can be time-consuming and challenging to navigate without the right expertise.
The government’s National Data Strategy also sets out the government’s ambitions to improve data use in government and the importance of sharing data to deliver better services and outcomes for businesses and people.
How does the public sector ensure data privacy and security?
The government and individual public bodies manage and control data in several ways to keep it safe and secure.
Data protection laws define how data must be collected, used, and stored. Until the UK departed from the EU, the principal legislation was the General Data Protection Regulation (EU) 2016/679. Following Brexit, the UK’s interpretation of GDPR was incorporated into domestic law under the Data Protection Act 2018. This Act sets out a framework of rights and duties to safeguard personal data. In addition, in the UK, The Privacy and Electronic Communications Regulations (PECR) covers people’s privacy rights concerning electronic communications.
Data classification: Data is classified by sensitivity and importance according to the government’s security classification policy (GSCP). This is not a statutory scheme but operates within the framework of domestic law. Within each classification tier, information is protected according to a baseline framework.
Data access: Access to sensitive data is restricted, usually by role-based access control (RBAC) or access and identity management (IAM) systems.
Cyber hygiene: Administrative policies ensure everyone in the organisation is following simple safety measures, from the embedding of solid antivirus software to backing up data, installing software updates, and regularly changing passwords.
Training and awareness: All public sector employees receive appropriate training on data privacy awareness and best practices, especially around spam and how it can be malicious.
Encryption: Encryption techniques protect data both in transit and at rest.
Compliance audits: Periodic audits and compliance checks ensure data handling practices do not breach legislation and align with established data policies.
Incident response: Incident response plans ensure data security breaches and cyberattacks are addressed promptly to mitigate damage.
Transparency, accountability, and disclosure: The government is accountable to the public and is responsible for helping the public sector secure its data. This includes the disclosure of data breaches and ensuring individuals can exercise their data privacy rights.
International data transfers: The UK GDPR contains rules on transferring personal data to receivers outside the UK.
Regular review and improvement: Cyber threats are evolving, which means regulations must stay ahead. Public sector organisations must regularly review and update their practices accordingly.
Public sector data protection requires a multi-faceted approach that combines the legal framework (data protection laws), technological data protection solutions, staff training, and rigorous ongoing monitoring and adaptation as new challenges and threats emerge.
How at risk is the public sector to data breaches?
Today, the public sector has become a favoured target for cybercriminals. The Electoral Commission recently had UK voter data hacked – names and addresses of 40 million voters were exposed.
Ransomware (a type of malware that prevents users from accessing devices and stored data, usually by encrypting files) is the top threat to governments and other public sector bodies.
However, not all data breaches occur from unlawful attacks. A compromise of data security can happen accidentally or through negligence. Three police forces have all recently made headlines for compromising personal information. In Northern Ireland, the personal details of more than 10,000 police officers and staff were inadvertently published online.
Data breaches are a real risk as the public sector digitizes its services. The addition of cloud, mobile, social computing, IT environments, and remote working has expanded an organisation’s attack surface. The public sector is under more pressure than ever to keep its IT systems secure.
The challenges of keeping data safe and secure in the public sector
The exponential growth of data, the sheer size of the public sector, and the fact that it comprises so many different bodies pose numerous challenges to data security and safety.
The biggest challenges around data protection in the public sector include:
Overcoming outdated data infrastructures and silos
An increasing number of open vulnerabilities
Human errors
Skill gaps
Regulatory barriers
A lack of leadership and accountability
The advanced technology landscape
Organisational culture that is not conducive to digital innovation and change
How can solution providers help the public sector secure their data?
Public sector bodies can ensure best practices are in place and build cultures where employees are aware of cybercrime risks. Many agencies have developed advanced strategies, employing security experts to prepare robust defences. However, cybercrime constantly evolves and adapts. The defenders must always stay one step ahead.
In the high-stakes game of cat and mouse, expertise from the private sector is essential. Cybersecurity is one of the fastest-growing sectors of the UK economy, and this year, it is expected to account for a revenue of £8.09bn.
The public sector needs to tap into this investment and expertise to ensure the brightest minds are employed in helping the public sector secure its data and systems.
The public sector is a vital market for private sector cyber security firms, so how do businesses and public sector bodies link up? We recommend reading the GovNet guide to selling cybersecurity solutions to the public sector.
And, importantly, attend the DigiGov Expo 2024
DigiGov Expo 2023
If you’re dedicated to safeguarding the digital landscape of the public sector, join us in an exploration of the latest advancements, strategies, and solutions in cybersecurity. Engage with experts, learn from real-world case studies, and fortify your organisation against evolving threats. Together, let's ensure a resilient and secure future for the entire public sector.
As well as an unmissable opportunity to learn and discuss the current state of cyber security in the UK and beyond, it is the place to network, make contacts, and build relationships with people in the industry. This is where private and public sectors come together to protect our infrastructure, data, and security.