We've explored how data breaches are skyrocketing at government agencies in the US at the federal, state and local levels. Government agencies currently account for 7% of all data breaches and 43% of all breached records in 2016 in the US. This same trend is mirrored by governments all over the world.
Last year, federal departments in the Canadian government were responsible for 5,853 data breaches, though only 5.3% breaches were serious enough to report to the privacy commissioner. Among the most serious breaches, we see issues such as emailed documents, lost USB drives, stolen laptops and employees accessing files without authorization. In 2015, a cyberattack crashed federal government websites and e-mail for nearly two hours, re-enforcing reports that suggest cyberattacks are also “skyrocketing” in the Canadian government sector.
The National Audit Office in the UK recently released a report showing a dramatic rise in data breaches recorded by government departments. A total of 8,995 data breaches were recorded by the 17 largest government departments from 2014 to 2015, while only 14 were reported to the ICO. Breaking that down further, the GCHQ dealt with 200 cyber national security incidents per month in 2015, up from 100 per month in 2014.
The report points the finger at a serious lack of organization within and across government departments. There are 12 separate organizations in the centre of the UK government responsible for aspects of protecting information, There's also a whopping 73 teams (and 1,600 security staffers) covering security in central government departments. Overlapping responsibilities and roles have understandably created confusion.
“None of the departments we interviewed understood the specific roles of the various bodies involved, making it difficult to identify any single arbiter of standards or guidance.”
Outside of a lack of internal organization, which is fundamental to setting up effective security policies and controls, security requirements are not effectively implemented across all departments. For example, despite requirements to encrypt data, many local authorities lacked the budget to implement encryption. This increased the risk of unsecured endpoints accessing the Public Services Network (PSN) or being denied access to the PSN altogether, eroding the benefits of data-sharing on this network.
The NAO report notes that a new approach is needed within the government to provide clear principles and guidance on data security.
Just as we saw in the US, governments abroad struggle in creating a unified approach to data security when departments and agencies are managed independently.
Tasked with protecting data on reduced budgets, many agencies are also trying to do more with less. Government agencies need to choose tools that can tick off many boxes, from proactively searching out data at risk, automated alerts of potential security incidents, to remote capabilities to quickly remediate security incidents before they become data breaches. The endpoint is one of the highest risk access points in government agencies, and growing cloud use is exacerbating this issue. Absolute DDS can provide federal, state and local government agencies the visibility needed to regain control over data.