By Andy Harcup, VOP, Absolute Software
The annual CPS report, analyzed by Griffin Law, a UK litigation practice, revealed that 59 incidents were so severe that they were reported to the Information Commissioner’s Office (ICO) and potentially affected up to 1,346 people.
The CPS is hardly the first agency to struggle with device and data security, but the lack of urgency shown by the government over these persistent threats to the UK’s national cyber security is troubling. In the light of international concerns surrounding hacking and ransoms, not to mention the missing ‘papers’ included in this report from the ICO, can we be sure there aren’t more incidents that go unreported or undetected?
Cyberspace lies at the heart of modern society and impacts our personal lives, our businesses, and our essential services. A secure online environment is essential to principal public agencies like the CPS. However, some individuals and groups use cyberspace for malicious purposes, exploiting cyberspace to conduct illegal operations or launch damaging computer network attacks. More than ever, cybersecurity affects both the public and the private sector and spans a broad range of issues related to personal, organizational, and most notably, national security.
As stated in the annual CPS report, the period from January to March saw by far the largest quantity of severe personal data incidents, with 21 data handling incidents leading to loss of ABE and media discs, as well as an additional 18 incidents of unauthorized disclosure of case information, impacting a whopping 1,233 people in total.
By comparison, just 11 incidents of unauthorized disclosures of case information affected 56 people in the period of October to December 2019, 12 data handling incidents and unauthorized disclosures of case information impacted 34 people in January to March, and 23 people were impacted in April to June 2019 by 15 total personal data incidents.
In total, 1,463 of the total data breaches recorded over the entire financial year, were due to unauthorized disclosure of information, with 78 being considered ‘severe’. A further 143 of the total incidents were due to loss of electronic media and paper, and in 22 of these instances, the data was never recovered. Finally, the final 21 reported cases were due to loss of devices, including laptops, tablets, and mobile phones, although only one of these devices was not eventually recovered, and no CPS data was compromised as a result.
The Crown Prosecution Service oversees some of the most sensitive data imaginable, from confidential case files to personal details of witnesses and victims in criminal trials. Against this backdrop, these figures paint a worrying picture of the organization’s approach to data and device security, with many incidents appearing to put the safety of individuals at risk. The claim that ‘no CPS data has been compromised,’ in my opinion, requires further clarity.
The data reveals little follow-up action is ever taken and that every faith is placed in the encryption software installed on government-issued devices. What we know to be true, based on our data, is that critical security controls like encryption are prone to failure. So to assume that data is protected merely because a device has encryption installed is a bold assumption.
Moving forward, the CPS needs to up its game, with a much more rigorous approach to securing personal data. The key to this effort is ensuring that every mobile device or laptop is protected and retrievable so that it can be wiped or frozen in the event of loss or theft. Additionally, staff needs better training on how to reduce data loss incidents, to preserve the integrity and public trust in the CPS brand.
It’s vital that key government departments and criminal prosecution services take data security seriously. It’s not uncommon for a missing file or laptop to fall into the wrong hands, giving hackers and cybercriminals access to critical public data. Key to tackling this problem is the implementation of sophisticated and robust end-point security, providing IT professionals within the department with full visibility and control over their device: meaning they can freeze or access a laptop, file or device, even if it lands in the wrong hands.
In order to ensure a high level of security, organizations should take steps to quickly pinpoint potential threats and neutralize any cyber breaches as and when they occur with effective and resilient endpoint security. This should equip organizations with the ability to communicate, control, and repair remote devices beyond corporate networks as well as to measure the health of security control apps and productivity tools so that workers can safely stay productive.
About the Author
Andy Harcup, VP EMEA of Absolute Software
Andy Harcup has professional experience in cybersecurity technology sales and consulting that spans over 15 years. He helps clients understand how security solutions can support and protect their digital business whilst at the same time either saving or increasing revenues. The cyber-criminal community along with security technology solutions are constantly evolving, and helping customers navigate that ever-changing landscape to help secure their business is Andy’s ultimate goal.