encrypting user data in local government 2016


Upload: ben-beeching

Post on 13-Apr-2017


Page 1: Encrypting User Data in Local Government 2016

Encrypting User Data in Local Government Survey Report 2016

Survey Partners


Contents

- The Survey
- Survey Methodology and Respondents Profile
- Key Findings
- Conclusion
- Appendix 1: Full Survey Questions
- Appendix 2: Participating Organisations


Acknowledgements

The survey team at iGov Survey would like to take this opportunity to thank all of those who were kind enough to take part - and especially to those who found the time to offer additional insight through their extra comments. We would also like to thank our partner, Druva, for their assistance in compiling the survey questions, scrutinising the responses and analysing the results.

Encrypting User Data in Local Government 2016 © copyright. Unless explicitly stated otherwise, all rights including those in copyright in the content of this publication are owned by or controlled for these purposes by iGov Survey.

Except as otherwise expressly permitted under copyright law or iGov Survey’s Terms of Use, the content of this publication may not be copied, reproduced, republished, downloaded, posted, broadcast or transmitted in any way without first obtaining iGov Survey’s written permission or that of the copyright owner.

To contact the iGov Survey team: Email: [email protected] Tel: 0845 094 8567 Address: FAO David Cross, Ingenium IDS Ltd, Mansion House, Wellington Road South, Stockport, Cheshire, SK1 3UA

Page 3: Encrypting User Data in Local Government 2016

The Survey

The protection of data is paramount right across the public sector, but as the public face of government, local authorities are under increasing pressure to maintain the trust of the public by ensuring that their citizens’ information is effectively safeguarded.

At the end of last year, the Information Commissioner’s Office (ICO) published an analysis of ‘Data security incident trends’ [1], which considered a study of the recent data security incidents under their consideration.

It found that during the second quarter of the 2015/16 year (July to September 2015), despite being the second most ‘prevalent’ sector in terms of data breaches, Local Government accounted for just 11% of the total number of cases at the time (559). Yet as local government is not currently mandated to alert the ICO to data breaches, there could still be many that go unreported. The study also notes that healthcare was by far the worst offender, which could in part be attributed to the sensitivity of the data processed by these organisations, the sheer size of the sector, and a recent move by the NHS which now makes it mandatory to report incidents.

In the case of Local Government, the study does note that there has been a marginal improvement since the third quarter of 2014/15 (October to December 2014) over the course of the 2015/16 year. Yet it also warned that, in comparison to the first quarter of this financial year, there had been a 27% increase.

The biggest issue was found to be the loss and/or theft of paperwork, which accounted for a fifth of all incidents in this sector.

While Local Government continues to battle through a period of tight budget constraints, protecting sensitive information must remain a top priority. Citizens are now looking to their local authorities to safeguard their data in a time of increased digital connectivity and transparency. This means that the strategies put in place to allow authorities to meet the challenge of generating more efficient ways of working - often through the use of new technologies such as mobile and cloud - must also be balanced with effective security.

In light of this issue, iGov Survey have recently partnered with the fastest growing cloud-based data protection provider, Druva, to further understand the barriers and benefits this challenge brings to Local Government.

With large amounts of data now being stored in various locations such as endpoints and the cloud, Druva and iGov launched a research project to examine the data security and encryption strategies currently in place across the sector. It looked at the use of mobile devices, as well as online and Cloud applications, and the security concerns that were raised due to the use of these technologies. Finally, it also considered the impact of data legislation put in place by government, and the bearing it has on the strategies currently being used.

[1] https://ico.org.uk/action-weve-taken/data-security-incident-trends/


Survey Methodology and Respondents Profile

This survey was conducted by iGov Survey in collaboration with Druva, and ran from 3rd November 2015 to 21st December 2015. iGov Survey, a research body comprising an independent team of public sector experts, partnered with Druva on the project and all views and results expressed within this report are from iGov’s impartial viewpoint unless explicitly stated otherwise.

Survey respondents represent a broad cross-section of seniority levels across Local Government organisations, and job roles across IT departments, Corporate Services, and at a Chief Executive/Deputy level.

84 individuals participated from 70 unique organisations across local authorities, each of whom will have received a complimentary copy of the findings report. There was no inducement to take part, and Druva was not introduced as the survey partner.

The results displayed throughout this report are based on those who fully completed the questionnaire and are displayed as a percentage unless otherwise stated.


[Figure: Sector Breakdown: Local Council Types. Bar chart of respondents by council type: Borough, City, County, District, Metropolitan, Unitary.]


Key Findings

Over half of participants (59%) are ‘very confident’ in their organisation’s ability to secure sensitive data on end-user devices

However, confidence among the majority of this group drops when asked if they believe their end-users comply with data protection laws. Just 18% remained ‘very confident’, whilst over half were ‘somewhat confident’ (63%).


[Figure: Question: How confident are you in the following: “Our organisation is able to secure sensitive data on end-user devices” and “Our end-users fully comply with data security policies”. Response categories: Very confident, Somewhat confident, Not very confident, Not at all confident.]


Almost all of our survey participants stated that at least a small proportion of their staff had access to a mobile device for work purposes (93%)

This was supported by 83% who said they had a Mobile Device Management solution deployed within their organisation.

Of those who stated that at least a small proportion of their staff had access to a mobile device for work purposes, nearly a third (29%) stated that this applied to 11-25%, whilst a further 14% told us more than 75% of their work force had access.


[Figure: Question: Do you currently have a Mobile Device Management solution deployed for mobile devices across your organisation? Response categories: Yes, No, Don't know.]

[Figure: Question: What percentage of your staff currently uses or has access to a mobile device for work purposes? Response categories: More than 75%, 51 - 75%, 26 - 50%, 11 - 25%, 1 - 10%, 0%, Don't know.]


Nearly two-thirds of participants stated they did not use cloud applications within their organisation (62%)

Despite the growing use of Cloud technology, and an awareness of the benefits this can bring to Local Government, just 31% told us that they used these applications within their organisations.

Yet interestingly, of the 30% who do make use of cloud applications, only a small minority (31%) are able to monitor what sensitive data is accessed by end-users through these applications. In addition, a further 28% did not know whether this was possible or not.


[Figure: Question: Currently, does your organisation use cloud applications such as Office 365 or Dropbox? Response categories: Yes, No, Don't know.]

[Figure: Question: Are you able to monitor the sensitive data accessed by end-users through these applications? Response categories: Yes, No, Don't know.]


Just 30% of survey participants reported that they had ‘full awareness’ of new data laws soon to be introduced by the EU under the General Data Protection Regulation (GDPR)

A further 59% reported having a limited awareness of the new data laws, whilst 11% told us they had no awareness of the new laws at all.

Encouragingly, just under a third (31%) told us they were already planning further development to meet the requirements of the new data laws. In contrast, over half (53%) said that more research was needed into what these new laws entail before their organisation conducted any development within their data security and protection strategies.


[Figure: Question: Are you aware of the new data laws soon to be introduced by the European Union under the General Data Protection Regulation (GDPR)? Response categories: Yes - I am fully aware of this, Yes - I have a limited awareness of this, No.]

[Figure: Question: Is your organisation planning any development within your data security and data protection to meet these new requirements? Response categories: Yes, We need to do more research into what this entails, No, Don't know.]


Almost half (47%) also believe that further understanding of compliance risks would be beneficial to their organisation

Just 28% of surveyed organisations felt that they didn’t currently require any further knowledge of data protection, whilst a further 17% felt their organisation needed to develop a better understanding of how to secure sensitive data to update their strategy in line with new technologies.


[Figure: Question: To what extent do you think having a clearer understanding of compliance risk on end-user systems would benefit your organisation? Response categories: I feel our organisation needs a better understanding of how to secure sensitive data to update our strategy in line with new technologies; Further understanding would be beneficial to us as we review our data protection strategy; We don’t feel any further knowledge of data protection is required at this time; Other - please specify; Don’t know.]


Conclusion by Rick Powles, Senior Vice President at Druva EMEA

With large amounts of data now being stored in various locations such as endpoints and Cloud applications, organisations are challenged to keep up with evolving security threats and technology to ensure that sensitive information is protected at all times. New privacy laws also strain organisations who may not understand what is required or have the tools in place to ensure compliance. This survey examined the data security and encryption strategies currently in place and provided insights into the barriers and benefits that new technologies and legislations bring to Local Government organisations.

Fortunately, organisations in the public sector recognise the need to better understand the impact that these challenges have on their existing data protection strategy. Additionally, they understand that the lack of visibility into sensitive data in the cloud poses a threat. Protecting sensitive information must remain a top priority for local governments as well as staying informed of not only changes in legislation but tools that can better equip them for the future.


Appendix 1: Full Survey Questions


Grid Question: How confident are you in the following:

Our organisation is able to secure sensitive data (such as citizen information, financial records, housing data, etc) on end-user devices

| Answer | Percent |
| --- | --- |
| Very confident | 59% |
| Somewhat confident | 34% |
| Not very confident | 3% |
| Not at all confident | 4% |

Our end-users fully comply with data security policies

| Answer | Percent |
| --- | --- |
| Very confident | 18% |
| Somewhat confident | 63% |
| Not very confident | 13% |
| Not at all confident | 6% |

Question: What percentage of your staff currently uses or has access to a mobile device for work purposes?

| Answer | Percent |
| --- | --- |
| 0% | 0% |
| 1 - 10% | 3% |
| 11 - 25% | 29% |
| 26 - 50% | 27% |
| 51 - 75% | 20% |
| More than 75% | 14% |
| Don’t know | 7% |

Question: Do you currently have a Mobile Device Management solution deployed for mobile devices across your organisation?

| Answer | Percent |
| --- | --- |
| Yes | 83% |
| No | 7% |
| Don’t know | 10% |


Question: In terms of a percentage, how many of your organisation’s mobile devices are encrypted?

| Answer | Percent |
| --- | --- |
| 0% | 3% |
| 1 - 10% | 3% |
| 11 - 25% | 1% |
| 26 - 50% | 7% |
| 51 - 75% | 8% |
| More than 75% | 65% |
| Don’t know | 13% |

Question: On average, how many devices are damaged or lost in your organisation per year?

| Answer | Percent |
| --- | --- |
| 1 - 10 | 42% |
| 11 - 20 | 13% |
| 21 - 30 | 7% |
| More than 30 | 7% |
| Don’t know | 31% |

Question: Are there any groups in your organisation most prone to losing mobile devices or subject to theft?

| Answer | Percent |
| --- | --- |
| Frontline staff, such as administration | 21% |
| Managers | 1% |
| Data handlers/managers | 3% |
| Executives | 7% |
| Other - please specify | 14% |
| Don’t know | 54% |

Question: Currently, does your organisation use Cloud applications such as Office 365 or Dropbox?

| Answer | Percent |
| --- | --- |
| Yes | 31% |
| No | 62% |
| Don’t know | 7% |


Question: Are you able to monitor the sensitive data accessed by end-users through these applications?

| Answer | Percent |
| --- | --- |
| Yes | 30% |
| No | 28% |
| Don’t know | 42% |

Question: Are you aware of the new data laws soon to be introduced by the European Union under the General Data Protection Regulation (GDPR)?

| Answer | Percent |
| --- | --- |
| Yes - I am fully aware of this | 30% |
| Yes - I have limited awareness of this | 59% |
| No | 11% |

Question: Is your organisation planning any development within your data security and data protection to meet these new requirements?

| Answer | Percent |
| --- | --- |
| Yes | 31% |
| We need to do more research into what this entails | 53% |
| No | 3% |
| Don’t know | 13% |

Question: Are you looking to implement a new solution as part of these plans?

| Answer | Percent |
| --- | --- |
| Yes - within the next 6 months | 27% |
| Yes - within the next 12 months | 14% |
| Yes - post 12 months | 9% |
| Yes - when the GDPR comes into effect | 14% |
| We have no plans at this time | 27% |
| Don’t know | 9% |


Question: To what extent do you think having a clearer understanding of compliance risk on end-user systems would benefit your organisation?

| Answer | Percent |
| --- | --- |
| I feel our organisation needs a better understanding of how to secure sensitive data to update our strategy in line with new technologies | 17% |
| Further understanding would be beneficial as we review our data protection strategy | 47% |
| We don’t feel any further knowledge of data protection is required at this time | 28% |
| Other - please specify | 4% |
| Don’t know | 4% |


Appendix 2: Participating Organisations


- Armagh, Banbridge and Craigavon District Council
- Arun District Council
- Aylesbury Vale District Council
- Birmingham City Council
- Bracknell Forest Council
- Brent Council
- Buckinghamshire County Council
- Cambridgeshire County Council
- Central Bedfordshire Council
- Chelmsford City Council
- Cheshire West and Chester Council
- Chesterfield Borough Council
- Chichester District Council
- City of Bradford Metropolitan District Council
- City of London Corporation
- Copeland Borough Council
- Cumbria County Council
- Derby City Council
- Derbyshire County Council
- Dorset County Council
- Dudley Metropolitan Borough Council
- East Cambridgeshire District Council
- East Hampshire District Council
- Eastbourne Borough Council
- Erewash Borough Council
- Flintshire County Council
- Forest of Dean District Council
- Hampshire County Council
- HerFordshire County Council
- Hinckley and Bosworth Borough Council
- Leeds City Council
- London Borough of Hammersmith and Fulham
- Manchester City Council
- Medway Council
- Mendip District Council
- Norfolk County Council
- North Lanarkshire Council
- North Warwickshire Borough Council
- Oxfordshire County Council
- Peterborough City Council
- Redcar and Cleveland Borough Council
- Renfrewshire Council
- Rochdale Borough Council
- Runnymede Borough Council
- Shetland Islands Council
- Shropshire Council
- Solihull Metropolitan Borough Council
- South Gloucestershire Council
- South Norfolk Council
- South Somerset District Council
- Southend on Sea Borough Council
- St Helens Council
- Stockport Metropolitan Borough Council
- Stoke-on-Trent City Council
- Sunderland City Council
- Surrey County Council
- Tandridge District Council
- Tendring District Council
- The Moray Council
- Thurrock Council
- Torbay Council
- Trafford Council
- Vale of Glamorgan Council
- Warrington Borough Council
- Wealden District Council
- West Lothian Council
- Wigan Council
- Wiltshire Council
- Wirral Borough Council