Public sector research findings: leaving the door open to data breaches

We recently commissioned a piece of research* into the attitudes of UK public sector organisations (PSOs) towards information security. Over recent years, high-profile data leaks have brought a renewed focus on the security measures that these organisations have in place. Frontline defences are better than they once were, but this is not an area where we can afford to rest on our laurels. In this, the first of two blog posts, we look at the relationships PSOs hold with third parties and what this means for their digital defences.

All PSOs work with a multitude of third parties, from cleaning contractors to exam boards to private health clinics. Each of them will be party to an exchange of information that is likely to include sensitive data, and this is where the weakest link in the security chain could break. 90% of respondents in the survey said they rated information security as important when selecting business partners and third parties to work with. However, this means that one in ten doesn’t see it as important.

Our research showed that there is a disjointed approach to security among PSOs. It is possible that some are paying lip-service to security by only carrying out the bare minimum and not thinking beyond their own borders. 85% of respondents we spoke to stated they felt their organisation managed security threats well, but 38% admitted they didn’t have a strategy for their outbound communications. Without a policy on what information can be sent out of the organisation, PSOs are lining themselves up for information governance headaches further down the line.

The protection of data must be a joint responsibility between the PSO and all its third parties, even if the ownership remains with the PSO. Fully understanding the communication channels and the information that is shared will help protect against nasty surprises caused by assuming security measures are in place. Unfortunately, fewer than two-thirds (63%) regard the managing of information exchange with external agencies as a joint effort.

Taken in its entirety, our research shows that the public sector has taken a step in the right direction when it comes to matters of information security, but there is still work to do. Clearly, some PSOs are still not taking the risks seriously or understanding the consequences of not putting adequate measures in place. These are the ones we are likely to hear about in the future and most likely for all the wrong reasons.

You can view the report here.

*Clearswift commissioned research into the attitudes of individuals who work in UK public sector organisations towards information security. In total, 277 people across 247 unique UK public sector organisations were surveyed, ranging from compliance officers and IT managers to C-level executives. The organisations that took part include the NHS, city/local councils, universities, trusts, central government and the police. The survey was conducted on behalf of Clearswift by Surveys in Public Sector (SPS), a division of Ingenium IDS. Ingenium is the UK’s foremost public sector demand creation and research organisation.