The National Audit Office (NAO) has produced a very interesting report, Protecting Information Across Government, on the subject of data security within government departments and how effective it is.
Ultimately, the Prime Minister has the responsibility for ensuring the security of the United Kingdom government. “She is supported in this by the Cabinet Secretary, who chairs a permanent secretary committee which sets the overall direction and strategy for government security. Across departments, responsibility for information security lies with the respective ministers, permanent secretaries and their management boards”.
So, it is interesting to get this report, which assesses the effectiveness of the work done by the permanent secretary committee. First of all, the statistics – there were:

200 cyber national security incidents dealt with by GCHQ per month in 2015, up from 100 per month in 2014
8,995 data breaches recorded by the 17 largest departments in 2014-15
£300m is the limited government estimate of annual spend on security in 34 departments. Actual costs are thought to be ‘several times’ this figure
12 is the number of separate organisations in the centre of government with responsibility for aspects of protecting information
£28 million estimated annual government expenditure on external IT security support
£200 million to £400 million savings estimated per year, by 2014, from adopting the Public Services Network (PSN), as outlined in the 2011-12 business case. Actual PSN savings in 2014 were £103.4 million. No further savings are expected
73 is the number of teams covering security in central government departments
1,600 number of protective security staff (information, physical and personnel) in central government departments

It is the second figure, the 8,995 data breaches, that is most relevant, because 6,038 (67%) were incidents recorded by HMRC, of which 3 were reported to the Information Commissioner’s Office (ICO). HMRC’s data for incidents recorded by the department but not reported to the ICO includes 6,000 minor incidents that potentially had an impact on customers but were not managed centrally by the department.
The interesting word within this is “minor”, 6,000 minor incidents. In the scale of things, these may be minor compared with national security and may involve information being sent to a wrong address. However, each breach is important to the individuals concerned.
The full report can be found here.