The government has repeated its assertion that it has made a “staggering amount of progress” on data security, in a year when the records of millions of people were reportedly lost.
The "staggering progress" claim was made in November by Tom Watson, the junior minister responsible for data security, but was later questioned in parliament, with Conservative MP Francis Maude asking for evidence. Watson said in a written answer to MPs last week that the government had provided security training for thousands of public sector staff, and encrypted tens of thousands of laptops.
Data protection is a “top priority” for the government, Watson wrote. The key areas of improvement were the publishing of data breaches in annual departmental accounts, “increasing accountability with senior information risk owners”, widespread training, and better use of technology.
All public sector staff could access an online training scheme, Watson said. There is also departmental training, including training for a million NHS staff. A year after HM Revenue & Customs lost the data of 25 million individuals, 90,000 HMRC staff have been educated on data security.
Watson was also keen to stress that the government understood the need to have the right security technology backing up its policies and training, “to minimise the likelihood of data losses”. In the Ministry of Defence, for example, the data on 30,000 laptops has been encrypted, he said.
Encryption “is now the norm”, Watson said. The government also restricts access to removable devices and runs network penetration testing.
Eric Domage, security research manager at IDC, said the changes were a good sign: “At last, somebody in the government has understood that security depends on the users, and training has to be good."
“Training is expensive, but it’s vital. It’s the last friendly option, and you have to take it. If you still lose data, then you have to do a forensic investigation and punish those responsible. No one wants another HMRC.”
Graham Cluley, senior technology consultant at IT security firm Sophos, agreed the changes were “better late than never”.
But instead of encryption being the norm, “any sensitive data needs to be encrypted”, he said, adding that the passwords "need to be strong”.
The government also needs to monitor where its data is, and control access to it using data loss prevention software, both Domage and Cluley said. This would prevent certain files from being copied onto removable devices, or make sure they are encrypted automatically first.
“Ultimately most people think about convenience and take short cuts," said Cluley, "so you have to have the technology in place to back up the rules."