Digital First, Customer in the middle, Data lost?
There is a huge desire on the part of government to make our lives easier by giving everyone who wants it access to all public services through a single-sign on portal. In Scotland, this takes the form of the Citizen’s Account. This is, slowly, taking shape and now being used by a number of different public bodies to provide a one-point-of-access route into some public services. Edinburgh City Council has been a keen adopter and the idea that I (or indeed you), as a member of the public, will be able to access all public services from one entry point is an attractive one.
This will, in the vast majority of cases, benefit the ‘customers’, reducing the need to scout around various different websites to pay housing benefit, search for a job, find information on planning notices etc. That much is very welcome, but there are, of course, people who will wonder about the Big Brother aspects of all this data collection. However, I believe that, while it is essential that we have a free press scrutinising national and local government to ensure that they are not doing anything pernicious, all these data are of immense use in helping the powers-that-be plan ahead for the country’s future needs. I also understand that many different interest groups are consulted on much of these developments, and generally are supportive of what is being attempted.
That said, there are undoubtedly concerns, and not just about monitoring of citizens’ behaviour. A recent article in the local government trade press (the MJ) highlighted these issues, noting that while most attention is on the external threats (malware, viruses, hackers, etc.), the real threat to data security does not come from these misdemeanours but from the digital environment in which local government staff now operate”, or more specifically on the understanding that IT departments have of the “employee’s organisational digital footprint”.
The MJ article argues that as government becomes increasingly digital there will be more access across corporate firewalls and much more use of their own mobile devices by staff who are working remotely. Moreover, when someone leaves an organisation the potential for inadvertent security breaches is obvious. With the increase in the employment of contractors, partly as a result of reductions in permanent IT staff in the public sector, the likelihood of these problems increases. Knowing the extent and reach of the employee’s digital footprint becomes more difficult, and with the need to continue to keep the plates – specifically frontline government services – spinning, it’s easy for it to be ignored or forgotten…until a problem raises its head…
Yes, it is a real threat, but to suggest it’s the biggest threat is, perhaps, putting it a bit strongly - especially as I’m writing this on the day that the press reported that cyber attacks are costing British business £34BN per year.
Pat Brady, an expert on internet security, believes that while all threats are valid, the danger comes from concentrating on whatever is the latest exciting one rather than getting the basics right.
Human beings can only apply their minds to a few things at any one time and we have a tendency to focus on the new and shiny rather than the old and practical. Currently, there is a lot of attention on employees working at home and/or while travelling, using their own mobile devices ‘on the go’ to improve productivity. This creates potential (and real) problems with data security. To make matters worse, Pat says that the law in this area does not help organisations, whether public or private, because although an employer can demand and seize a mobile device if it is owned by the firm or organisation, they can’t do this if it belongs to the individual. It’s a complex legal area but at the moment the dice are loaded against the employer if an employee simply leaves with lots of the organisation’s data on his/her mobile. If they leave under a cloud, the potential risks are much greater. Information security is struggling to keep up here and it’s an issue that needs resolved.
However, this focus on the individual’s digital footprint detracts from the need to get the basics right. As Pat told me, “if you don’t maintain your firewall and other essential, old-fashioned security practices, you’re inviting trouble. If your vendors send you patches to update your server and you don’t apply them you’re increasing your vulnerability to the hackers who, as the UK government’s Head of Cyber Security explained at a conference a colleague was at least year, increasingly work as large-scale corporations, with sales targets and incentives”.
So, the message is simple. Don’t let the basics get lost in amongst the welter of new security issues that are constantly being raised and debated. And if you are encouraging remote working then make sure the mobile and other devices being used belong to the company, not the employees. These issues are not going away; it’s in everyone’s interests that we tackle them as effectively and as ruthlessly as the hackers do or at the end of the day we all lose, and that £34BN annual loss to UK business will simply grow and grow.
Gareth Biggerstaff, MD, Be-IT Resourcing