Council data security gap

by Mark Rowe

Research by Six Degrees Group (6DG) has found what is claimed to be a significant gap in data security protection among local authorities (LAs) in the UK. More than half, 55pc, report breaches of ‘official’ data in the last two years. 6DG’s Freedom of Information request, sent to all 433 UK LAs, found that 60pc of LAs don’t know how much sensitive ‘official’ data they hold, or where it is kept, with one authority suffering 213 data breaches in two years.

Although 34pc said they had suffered no data breaches over that period, these statistics suggest that UK councils lack knowledge of security measures and are unaware of the options available that would both enable and improve the protection of their ‘official’ data, claims 6DG.

The 6DG research has further revealed that 66pc of LAs are unable to report on how much of the data they store is sensitive and, if it is, how it should be managed in relation to the new CESG ‘official’ security classification guidelines. The new security classifications (official, secret and top secret) were introduced by the government in 2014 to replace the Impact Level (IL) ratings. The introduction of the new classifications seems to have caused some confusion, as many of the LAs appeared unsure of the mapping from ‘IL2/IL3’ to ‘official’, which is likely reflected in their data governance plans.

There is also a lack of clarity surrounding the whereabouts of ‘official’ data, with 61pc of respondents unable to say whether theirs is held internally or externally. Only 2pc reported that at least half their ‘official’ data was held in the Cloud, with 37pc storing the majority of their data ‘on-site’.

Audit

The research suggests that over half of UK councils are struggling to implement measures that will enable them to optimise, enforce and measure data security. When asked about their approach to security audits and their use of accredited security consultants, 45pc of LAs revealed that they had no record of whether a security audit had taken place in the last two years. Among those that had completed audits, there was a marked disparity in the frequency required over a two-year period. When asked whether they had used an accredited CESG consultant as part of their security compliance strategy in the previous two years, over 60pc of respondents had no record of using one at all, with 39pc using the CESG Listed Advisor Scheme on fewer than five occasions in the same period.

Campbell Williams, Group Strategy and Marketing Director at 6DG, a data centre and infrastructure provider, said: “This insight reveals a huge gap in approach within LAs across the UK, with a worrying majority lagging in their understanding of the actual position they are in regarding data security, let alone bringing protection up to standard. We see less than half of them classify their data to an officially recognised standard and have regular audits in place to protect their data; this small percentage appears to be in a reasonable position as they aren’t suffering breaches. The rest are struggling – breaches are commonplace – and what is equally as worrying is the serious lack of insight they have into their own situation. These Authorities need to act very quickly or more sensitive public data will be lost to potentially criminal sources.”

*Data sample: Freedom of Information Requests sent to 433 UK councils, research completed by March 2015. Replies received from 302.

© 2024 Professional Security Magazine. All rights reserved.