IT security

At risk: are UK public sector bodies prepared for data breaches?

By: Stuart Reed, Senior Director at NTT Com Security
Published: Thursday, August 27, 2015 - 14:13 GMT

The UK public sector now tops the table as the industry most likely to face malware attacks, so what do organisations need to be doing better?

The public sector is now the number one target for malware attacks in the UK. This is according to our latest Global Threat Intelligence Report (GTIR), an analysis of over six billion security attacks in 2014.

The report shows that 40 per cent of all malware attacks in the UK were against public sector organisations – three times more than the insurance sector (13 per cent) and five times that of the media and finance sectors (9 per cent).

Given that public sector organisations collect, store and use large quantities of highly valuable and sensitive data, with personally identifiable information (PII) like healthcare records, these figures really shouldn’t come as any surprise.

While the threat level may vary from organisation to organisation, they all have information that would be of interest to cyber criminals looking to take advantage of weaknesses in public sector defences.

The GTIR figures are further reinforced by research from Iron Mountain this year, which revealed that 40 per cent of public sector bodies have been hit by a data breach.

Staff are too busy to cope, due in part to the government’s digital transformation strategy. Rather more worrying is the 60 per cent who say they have lost important documents and the one in four who admit they put potentially sensitive data at risk every day.

According to Socitm research earlier this year, cloud computing is already being used or piloted by 90 per cent of local public service organisations, including local authorities and other local public services and voluntary sector organisations.

While many may only have their ‘toe in the water’ at this stage, cloud services can be an attractive way of reducing costs and increasing efficiency for public sector bodies. Many also cite greater scalability and flexibility as perceived benefits.

Putting information online and adopting cloud services is not without risk, however, as the figures suggest. Couple this with government cuts as part of recent austerity measures and a lack of security skills in the industry as a whole, and you have a ‘perfect storm’ for potential data breaches.

Figures from the Information Commissioner’s Office (ICO) reveal that data breaches have cost local government £2.3m in fines since 2010, with local government among the worst offenders for protecting confidential information, eclipsed only by the NHS.

Whether it’s government cuts, skills shortages or human error, public sector bodies need to up their game and accept that they are highly valued and increasingly popular targets for cyber attackers.

Like all organisations, whether public or private, they need to be doing the basics well. If you’re not doing the security basics right – proper patching and configuration, network segmentation and active threat management – then you are exposing yourself and confidential data to unnecessary risk.

The other question to ask is whether you are prepared for a security incident. Today it’s no longer a case of if, but when, and every organisation needs to be ready regardless of sector or size.

According to the GTIR, 74 per cent of organisations do not have a plan in place, which suggests that many are yet to see the value of an incident response plan.

Deploying one might seem expensive and time-consuming, but when you consider the time and money it takes to mitigate the damage from a data breach, it’s time – and money – well spent.

As the public guardians of highly sensitive information, public sector bodies must be ready to take responsibility for the vast amount of data they have access to and understand that, when it comes to security, there are no short cuts and no opt-out clauses.

Using a trusted third party can plug gaps in security resources and knowledge and help local authorities and healthcare providers to be better prepared and more responsive.

The views and opinions expressed in this article are those of the author(s) and do not necessarily reflect the official policy or position of The Information Daily, its parent company or any associated businesses.


