
When it comes to protecting sensitive information, how much is enough?

Published 03 August 2015

Phil Davies, Director Network & Infrastructure Systems at Thales UK, discusses the landscape for securing sensitive government information, the successor to the Public Services Network (PSN) framework post-budget, and what it means for the technology industry.

Summer holidays have begun, and public sector chief digital/information officers and IT directors will be clearing their desks and checking their to-do lists before a well-deserved break, after surviving pre-election purdah, the arrival of some new ministers, and the July Budget.

Moods will be subdued by announcements of "large savings" required of unprotected department budgets, potentially 40% cuts by 2020.

For those supplying IT into government, the election campaign felt like a long wait to return to 'business as normal'. Fewer invitations to tender were released off the existing PSN frameworks during this period, and for PSN Protected services in particular.

Is there a backlog of demand awaiting the new Network Services framework to go live?

Is it a result of pre-election jitters, with government departments unwilling to contract new services whilst unsure of post-election budgets?

Is it an indication of more contract extension, as fewer of the large, monolithic contracts were broken up in the final year of the last administration?

Or is there a wider feeling that information security is no longer affordable for the public sector, in which case those charged with securing sensitive information will not rest easily on their sun beds in the weeks ahead?

It is of little surprise that public services are feeling the pinch, as the economy and deficit reduction remained central themes to the election campaign and subsequent budget. But beneath the surface what is more intriguing is the reduced demand for securing citizens' information.

The actual market for PSN Protected services (which protect sensitive official information) is roughly one seventh of government predictions when they set up the old PSN frameworks. The Government Security Classification policy changes reduced the number of classifications for Government information and, after the long-awaited simplification, the consequent reduction in demand was inevitable. But all this comes at a time of unprecedented cyber threat to sensitive official information and citizens' data.

The appetite for public data

NTT Com Security's 2015 Global Threat Intelligence Report released last month reported that the public sector has become the prime target for malware attacks in the UK, with 40% of all malware attacks targeting this sector in 2014. Data retained by these organisations makes them attractive targets for malware attacks.

We saw this only recently in the United States, where the Office of Personnel Management lost the personal data of over 20 million people, including some fingerprints and social security numbers, and subsequently also lost its director, Katherine Archuleta, who resigned as a result.

In the UK, decisions on the level of protection required now rest with each department's Chief Information Risk Officer. This can't be easy: getting it wrong risks not only unintentionally releasing sensitive information and Information Commissioner's Office attention but, potentially, substantial fines to be paid from an already stretched department budget.

While protecting information is recognised as being important, it often must compete for funding with other priorities such as using G-Cloud or adoption of Government as a Platform. But the two aren't mutually exclusive. With information held in the cloud, data aggregation requires more security, not less, and that security does not necessarily come at a high price.

Buying security on tightened purse strings

More security doesn't have to mean more cost if investment is strategic. Many departments fall into the trap of merely contacting their current suppliers when buying new services, seeking quick savings or extensions at lower prices to avoid new suppliers' initial set-up costs.

They should, instead, communicate their broader expectations more widely. Can cyber security risks be managed differently? Are savings possible by taking a fresh look at the end-to-end service rather than just its components? This will ensure they receive a comprehensive package for their needs, rather than buying numerous bolt-ons, where they may end up paying for services they don't want or need.

Public sector CIOs must also ask themselves if services within current contracts could be delivered more efficiently (and cheaper) by a third party. Web and email boundary protection (or gateways) can now be procured separately as a service, allowing longer-term contracts to be re-competed without the security components that have hitherto only been available as part of a larger contract.

The public sector must also broadly consider if each department's requirements are really unique. Not knowing what is being built elsewhere will only prevent CIOs from exploiting other public sector department investments. Scaling-up an existing service can be cheaper and easier for suppliers, rather than building another similar design. Services can be transitioned sooner too, making savings for both parties.

Finally, it is widely reported that many staff in IT departments lack confidence in using both the G-Cloud procurement framework and cloud computing platforms. Worries over security are proving to be a barrier to adoption. But some cloud providers are now making the use of trusted remote access by IT departments possible, utilising the internet, accredited gateways and existing PSN connectivity.

There's no doubt that the public sector has had an unsettled start to the year for procuring IT services. But with the cyber threat demonstrating its potential across the pond, CIOs and IT directors must not compromise on security and let it become merely an expensive, inefficient bolt-on.

Strategic security investments can save time, stress and money. So, with business as usual, public sector IT decision makers must move on from the year's uncertain beginning and make sensible, strategic decisions to ensure that the 'security afterthought' doesn't become a 'security aftermath'.

Phil Davies is Director, Network & Infrastructure Systems at Thales UK
