More than half of data breaches in the UK public sector originate from someone who has access to the systems, with loss in many cases being accidental or due to human error, according to the Public Sector Data and Information Security Survey.
Data loss through internal access could be explained to an extent by multiple data ownership. Over 80% of respondents claimed to be ‘data owners’, who can authorise or deny access to certain data. The ‘data owners’ are responsible for accuracy, integrity and timeliness, but 19% of data owners didn’t know how many other data owners there were within their organisation.
One of the respondents commented: "Data owners determine who has what level of access but rarely do so and often delegate to IT."
GovNewsDirect conducted the survey at the end of 2015 in collaboration with access rights management firm 8MAN.
The survey covered 600 individuals from the entire public sector, with 68% of them belonging to local authorities, healthcare and education; 28% of respondents were either at director or C-suite level, and 20% had either ‘information’ or ‘IT’ in their job title.
The survey was undertaken to enable public sector employees to compare their practices with other organisations and identify specific areas of concern, with the advent of the new General Data Protection Regulation (GDPR) across the 28 EU member countries.
A part of Article 8 of the European Convention on Human Rights, the GDPR replaces individual data protection acts across the EU, and could be a challenge to data owners and practitioners.
The regulation seeks to ensure that the data of EU citizens is not lost, transferred to third parties, or subjected to illegal use. It proposes substantial fines for serious cases of data breach or mismanagement.
The survey revealed that 65% of the respondents have serious concerns regarding data security within their organisation, with simple loss of data and errors of staff being the biggest concerns (60%), followed by compliance and IT system failures (40%).
External hacking was a concern for more than 35% of the respondents, while the least concern was about denial of service by hackers.
IT operating costs, cloud security, theft of laptops, lack of staff training, and failure of the staff to follow simple procedures were a few more concerns cited by the respondents.
According to the survey, 60% said data security lapses in their organisations happened due to errors of staff, while 40% said the breaches were because of simple loss of data.
Nearly 75% said they intend to improve data security by tightening procedures.
The annual Information Security Breaches Survey 2015, undertaken previously by PricewaterhouseCoopers on behalf of the UK Government, found that breaches in large and small organisations increased last year from 2014.
90% of large organisations and 84% of small businesses reported that they had suffered a security breach, up from 81% and 60%, respectively, in 2014. 75% of the large and 31% of the small organisations suffered staff related security breaches in 2015.
The average cost per breach in a large organisation also went up to the range of £1.46m – £3.14m, compared with £600,000 – £1.15m in 2014.