Why lack of encryption is putting public data at risk

Jon Fielding, Managing Director, EMEA Apricorn, explains what public sector organisations need to do to avoid breaches and losses by properly securing both data and device

Governments are shrouded in privacy, but keeping private information private, is a growing challenge for the public sector. State secrets aside, government departments hold vast troves of data on its citizens, all of which are highly valuable, both to the owner, but also to any threat actor looking to benefit from getting their hands onto it.

Whilst government departments continually look to improve their data security, the biggest risk tends to be that of the insider, through accidental loss and theft of devices which can result in a breach of data.

Breach reports on the rise

In fact, Apricorn announced findings (Oct 2020) from Freedom of Information (FoI) requests and data from annual reports of 17 public bodies. The responses indicated that government departments had reported thousands of personal data breaches with numerous notifications to the ICO between 2019-2020.

The Driver and Vehicle Licensing Agency’s (DVLA) annual report and accounts 2019 to 2020, for example, revealed it had submitted a total of 181 notifications to the Information Commissioner’s Office (ICO) in the past year alone. Additionally, FoI requests submitted to HM Passport Office (HMPO) disclosed that between 1 August 2019 and 31 July 2020, the Office of the data protection officer (DPO) received 1,291 Data Incident Reports in relation to HMPO, 1,280 of which were assessed as Personal Data Breaches.

These departments are dealing with thousands, even millions, of records containing personal data or sensitive information. Whether these are minor breaches that required no further action, or not, it is clear that more needs to be done and departments need to be considering the tools necessary to bring these numbers down.

According to the ICO’s Annual Report 2019-2020 there were 11,854 personal data breaches reported to the ICO in 2019-20 and this accounts for only those that require notification. For instance, the Home Office Security annual report noted a huge 4,204 incidents were recorded in 2019-20, but just 25 were highlighted as particularly severe meaning that the ICO had to be notified.

With so many breaches from within the government, more needs to be done to address the security of its data. There’s a pressing need for digitisation across the sector, to increase the efficiency of workflows and processes that involve the storage, management and backing up of information. Current levels of security are not sufficient to safely support new digital ways of working – particularly with so many employees accessing systems, networks and applications remotely.

Essential encryption

For government departments that are responsible for sensitive data and intellectual property of countless taxpayers, corporate-approved, hardware encrypted storage devices should be provided as standard. Encryption is a must to ensure that, whether these devices are lost, stolen or forgotten, the data on them is inaccessible should they fall into the wrong hands. Businesses must accept the need for digitisation and the benefits it delivers to storing documents, online backups, document management and remote working. The process is faster, more efficient and, ultimately, safer than offline equivalents with the right controls in place.

Encryption can often be side-lined by other security practices, and whilst many businesses are now encrypting data held on mobile devices and removable storage devices, research from Apricorn at the beginning of 2020 into the implementation of encryption technology within organisations found that many have no further plans to expand encryption on USB sticks (38%), laptops (32%), desktops (37%), mobiles (31%) and portable hard drives (40%).

Government departments need to have visibility of all devices accessing the network. Security policies that dictate what equipment employees can use can be tricky to enforce and could impede productivity and whilst security controls such as firewalls are essential, these don’t mitigate against employees misusing or losing devices.

Hardware encryption offers much greater security than software encryption and PIN pad authenticated, hardware encrypted USB storage devices offer additional, significant benefits. Being software-free eliminates the risk of keylogging and doesn’t restrict usage to specific Operating Systems; all authentication and encryption processes take place within the device itself, so passwords and key data are never shared with a host computer.

By deploying removable storage devices with built-in hardware encryption, government departments can roll this out across the organisation, ensuring all data can be stored or moved around safely offline. Even if the device is lost or stolen, the information will be unintelligible to anyone not authorised to access it.

Encryption is specifically recommended in GDPR Article 32 to protect personal data, as well as in Article 34, which details the reduction in obligation for those who have suffered a breach where the data in question is encrypted. Public bodies should be taking encryption seriously, and data should be encrypted as standard. Encryption is a key component within the compliance ‘kit’, not only reducing the chance of a breach but mitigating the potential financial penalties. Government departments should research, identify and mandate these encrypted devices to avoid the risk of a breach and being fined for non-compliance.

Employee awareness

Further to this is the need to educate employees on security best practice, to ensure they follow the necessary policies and avoid putting data at risk unnecessarily. Employee education was singled out in a recent Apricorn survey, by more than 30 percent of respondents as being the biggest area where companies needed to make changes to improve cybersecurity. Public sector bodies must enforce basic security hygiene, and must monitor how data is processed, stored, retrieved and deleted in order to remedy any shortcomings.

Education plays a crucial role in data security and employees need to be provisioned with the technologies and processes to protect their assets. Data must be encrypted, passwords must be protected, and rules must be put in place and enforced to restrict and limit employee access to only those systems needed, rather than open access to the whole network.

The FoI research also highlighted that some government departments could not easily and efficiently access the information on data breaches had been party to. This process needs to be managed more effectively by the departments concerned so that where the data resides, and whether it has been put at risk, is well documented, while information stored in a central database is easily accessible by those authorised, and not require multiple days to recover.

If government departments want to get their data security in order, encryption needs to be at the forefront of their strategy to ensure data is secure wherever it resides.