November 8, 2012

Guest blog: Councils, NHS and police fined millions for poor data handling

Ross Parsell, Government and commercial account director at Thales UK, comments for CBR on public sector organisations paying over £2m in fines for information security infringements over the past 18 months.

By Cbr Rolling Blog

The news that the Information Commissioner’s Office has fined public sector organisations over £2m in the last 18 months shows that basic lessons on information security are not being learned. A perimeter-based approach to security, built around firewalls and defensive controls at the edge of the IT network, is no longer sufficient. Organisations need to rethink their approach to information security and take care to classify and protect the data itself according to its sensitivity.

‘End-to-end information security’ is a useful catch-all term for a strong security posture. However, the public sector needs to consider the state of its different types of data in order to take the steps needed to protect that data adequately. For this purpose, data can be categorised in three ways:

‘Data at Rest’, the inactive data physically stored in databases, spreadsheets, data warehouses and mobile devices, is vulnerable from a security standpoint. It is imperative that public sector organisations protect sensitive data at rest with strong encryption, so that it withstands brute-force attacks when authentication methods such as usernames and passwords fail.

‘Data in Transit’ is data transferred between two nodes in a network. In virtually all cases the network cannot be trusted, and the data must be protected with network encryption, supplemented by SSL certificates, Internet Protocol Security (IPsec) and other precautions where relevant. Finally, there is ‘Data in Use’: data being processed in an in-memory state. Sensitive data in use should be protected by application encryption and exposed on a need-to-know basis, encrypted as soon as possible and decrypted only when necessary. This selective approach can only be performed at the application level.
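The need-to-know handling of data in use described above, as an added example in Go that is not from the original article or from Thales: each field of a record carries a classification, Sensitive fields are encrypted with AES-GCM as soon as the record is assembled, and one field is decrypted only at the moment the application needs it. The Field and Vault types, the AES-GCM choice and the key handling are assumptions made for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Field is one classified value of a record; after Protect, a Sensitive field's Value is nonce || AES-GCM ciphertext.
type Field struct{ Name string; Sensitive bool; Value []byte }

// Vault applies application-level encryption under one data-protection key (assumed design, not a library API).
type Vault struct{ aead cipher.AEAD }

// NewVault takes a 16-, 24- or 32-byte AES key; in practice it is loaded from a key store, never hard-coded.
func NewVault(key []byte) (Vault, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return Vault{}, err
	}
	aead, err := cipher.NewGCM(block)
	return Vault{aead}, err
}

// Protect encrypts each Sensitive field in place under a fresh nonce, binding the
// field name as associated data so a ciphertext cannot be moved to another field.
func (v Vault) Protect(rec []Field) error {
	for i := range rec {
		if !rec[i].Sensitive {
			continue // public data stays in the clear
		}
		nonce := make([]byte, v.aead.NonceSize())
		if _, err := rand.Read(nonce); err != nil {
			return err
		}
		rec[i].Value = append(nonce, v.aead.Seal(nil, nonce, rec[i].Value, []byte(rec[i].Name))...)
	}
	return nil
}

// Reveal decrypts a single Sensitive field at the moment the application
// needs it; the rest of the record stays encrypted in memory.
func (v Vault) Reveal(f Field) ([]byte, error) {
	ns := v.aead.NonceSize()
	if len(f.Value) < ns {
		return nil, fmt.Errorf("field %q: ciphertext too short", f.Name)
	}
	return v.aead.Open(nil, f.Value[:ns], f.Value[ns:], []byte(f.Name))
}
```

Because the field name is authenticated along with the ciphertext, a value copied from one sensitive column into another fails to decrypt rather than being silently disclosed under the wrong label.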

By classifying data rather than systems for different levels of protection, public sector organisations can protect themselves from the indignity and criticism of security breaches, as well as the associated financial penalties. The threat of data theft, whether internal or external and whether through human error or malicious intent, is costly and dangerous. Government has a duty to protect this information, and the Public Services Network is a major step towards fulfilling that duty.

Ross Parsell, Government and commercial account director at Thales UK
