Head in the cloud(s)
The clear take away from this is that IT upper management in general have no fucking clue.
Half of UK public sector IT chiefs think the data they're responsible for protecting is less valuable than private sector information, according to a survey by antivirus firm Sophos. Just over 50 per cent of 420 senior managers quizzed by Sophos agreed with the statement: "The data held by my organisation is less valuable than …
Given the public sector have lots of statutory powers to get (accurate) information that is very sensitive, then the bods in charge are being a bit thick (par for the course as you go to the "top").
Most of my private sector data is typically far less sensitive (only private sector with my real DOB are bank & employer, ditto national insurance number) so most private sector data breaches would give quite low grade information (in addition to fake DOB they typically get fake phone numbers etc)
Ever heard of data aggregation? Put all those little inconsequential nuggets together and pretty soon you have a digital profile good enough when stolen or "lost" to fuck up your life. EVERY piece of private data held by government deserves to be handled securely. To paraphrase, look after the little stuff and the big stuff takes care of itself.
Are they just being honest... it's worth less as they can't monetise it, unlike Google and Facebook. Otherwise it would be a treasure trove.
Especially against vulnerable people, whom insurance companies could, say, discriminate against, for example... or drug companies could directly target the verified sick.
Anon public sector here. Our data is quite possibly more sensitive than most held by the private sector. We have masses of personal information, financial information, loads about crime, criminal convictions, the victims of crime, children in care, vulnerable people, health information.
Not only could the disclosure of this information be catastrophic and potentially life threatening, a loss of availability of this information could also be.
I do wonder who Sophos spoke to; it's not an attitude I recognise.
Having followed the reactions to various data breaches from the public sector (too numerous to mention, which in itself is a fucking disgrace) I would counter by saying this is exactly the attitude I would expect.
"Oh dear, we lost 2 million peoples data on a train. Never mind".
The NHS has been forced to accept security is important in the wake of WannaCry and has been doing a lot of work to try and improve their security estate. The same can't be said for other government departments. If I had to guess, I'd say that most of the good responses to this were from the NHS people. The worst responses were probably from schools. A lot of schools do horrific things that make security worse, like break encryption under the guise of monitoring, and they just can't understand why the information about school children would be of any interest to anyone. Add to that school IT being a mixture of outsourced and underpaid CS grads who couldn't get anything better and you get a nightmare situation where they don't care about security.
Won't someone think of the paediatricians?
But "outsourced and underpaid CS grads who couldn't get anything better" sounds like a massive improvement on the PE teacher who administered my school network. I'm sure he was very qualified in all matters related to football and stuff like that, but he knew less than me about computers. I didn't learn anything from him in either the sports hall or the computer lab.
"The NHS has been forced to accept security is important in the wake of WannaCry and has been doing a lot of work to try and improve their security estate."
NHS IT has taken security seriously as far as I can remember (that'd be c.2005). Unfortunately, they've had budgetary issues. To put it very bluntly, the NHS has had a decreasing budget (real-terms) for a long time, and if there's a spare £100 going around and someone has to decide between giving it to IT or use it to actually treat a patient, IT will lose every time (for obvious reasons).
Maybe they asked the wrong IT chiefs. The people they asked may have thought in terms of business impact level for their data, come to 1 or 2, i.e. OFFICIAL or OFFICIAL - SENSITIVE, and thought that, as they were not part of the high threat club, their data was important, but not _that_ important. Then they rank it against "private sector" and, as they don't know what the business impact for private sector data is, they assume it's 4 or 5, so they say public sector data is less important than private sector.
Maybe it is less important ... otherwise why would my company directorships be on the public internet, my electoral details be in a book anyone can read (along with the age of anyone about to be eligible to vote), my web domain registration available for anyone to dig, etc etc blah blah blah.
A better question would be "what is the impact level of this data and how do you protect it: National Insurance numbers, tax returns, confidential medical records, passport details" then same question for "CVV, PAN, what I had for breakfast, how much I paid for my house, what I bought from Amazon, who I like on facetwit, pharmaceutical company pre-patent research"
Perhaps they meant 'It won't cost us our business if we lose this data because we don't actually HAVE a business, and fines for government departments, if they exist at all, are just a paper exercise'.
Losing your civil service pension, on the other hand, might be seen as a reasonable deterrent.
"Losing your civil service pension, on the other hand, might be seen as a reasonable deterrent."
That would, however, require a change in the law (and be very dangerous - the contents of your pension pot are legally yours, so confiscation of said would effectively be reclaiming pay). Misconduct, gross negligence, etc, would all be more sensible ...
My own experience is that most of the public sector take data protection very seriously and are abjectly terrified of the fall out of a significant data loss. The ICO fines worry them but the bad PR scares them. It might seem unlikely but even though the public sector doesn't need to turn a profit or win your business it is very conscious of its PR (or at least those at the top are).
Where this falls down is in the operation. So the words are said that this stuff is very important, they might even be heartfelt but if security starts to cost money and or time it's very quickly put to the side as a blocker. Schools have no interest in security if it means they have to do anything. Various teams will side step security if it means it is easier to do the thing they are focussed on. "Why include security they only ask awkward questions and mean that I can't get the latest shiny tomorrow!".
Security is a hard sell, it's insurance at worst and a comfort at best. If you do your job properly nothing happens. If the organisation is lucky nothing happens anyway.
I have asked for public executions for those managers that ignore security and then cock up but as yet I've been rebuffed.
Impact is relative.
Perception of government department before massive data breach is that they're a bunch of incompetents who couldn't manage their way out of a damp paper bag.
One massive data breach later, and people still consider them to be a bunch of incompetents who couldn't manage their way out of a damp paper bag.
Next to no change there....impact zero
As an 'IT bod at the coalface', my biggest cause for concern over IT security is senior management's disregard for the importance of security and wilful ignorance of GDPR. No matter how secure you try to make things, there is always a senior manager who clicks on obvious malware or wants you to relax security because it will save them 5 minutes.
For example, the government agency that looks after national parks. Does it have much, if any, private data on citizens?
Or a government department/agency responsible for supplying stationery to other government departments?
The question is, what specific agencies/teams did the ones who responded that their data wasn't as important belong to?
Weather forecasting?
Endangered species monitoring?
Not all government departments/agencies/teams deal with or hold data or collect data about private citizens.
The real root problem here is not specific to government departments. In my consulting experience, it affects pretty much all businesses, and it's twofold:
[1] nobody understands how to assess risk
[2] any consideration of risk is always in terms of "risk to us", not "risk to our client, the public, the data subject etc."
The first aspect is due to a complete absence of training in the real principles of risk that have been established for the last 400 odd years, instead relying on pretty dashboards based on snake oil and wild guesswork, and the second is just a manifestation of the ruthlessness of unbridled capitalistic thinking.
Until both these failings are fixed, the situation cannot improve.
This is just shoddy shit-stirring journalism and we should be expecting better from el reg.
The article (and Sophos) are automatically assuming that the people they interviewed are deluded or dishonest, but there's no shred of evidence that what they are saying is false. I'm sure there would have been just as much uproar if a small majority of private sector IT chiefs claimed their data was less important than that held in the public sector.
Obviously tax returns, confidential medical records, passport details etc. are important, but maybe they were included in the nearly-50% who didn't agree with the statement. We can't know unless there's some kind of analysis of what the true picture is.
I speak as someone who is about as far to the anti-public-sector end of scale as it's possible to get, but politics shouldn't trump truth.
Honestly, I think a large part of this is just the weasel-word 'valuable'. I imagine a lot of people would simply parse this as 'having commercial value' - and if it's taken this way, then no, a lot of public-sector data isn't valuable. The more sensitive it is, in fact, the less 'valuable' it is, precisely because it is not and cannot be legally bought or sold. If the question was phrased about whether the data was 'important' or 'sensitive' ... well, then you might have had different answers.
And I find it hard to believe Sophos isn't aware of this. They're hardly a disinterested party.