Local authorities cannot afford to be lax on data leaks
- Many local authorities are failing to keep data secure and are being hit by large penalties
- Only 40% regularly review their cyber security
- Simple changes to working practices could make a huge difference
Many local authorities are in a dangerous place when it comes to data.
In an era when the ability to collect and store information seems to have advanced far faster than the checks and balances necessary to protect it, local governments in the UK have received penalties totalling over £2 million following serious failings.
This is partly due to the fact that local authorities hold the kind of information that is very attractive to criminals, such as personal details and public service records that can be exploited to commit fraud.
But they also make themselves unnecessarily vulnerable to attack through failures in risk management and neglecting simple security protocols.
In 2013 only 40% of Europe’s public sector organisations said they regularly evaluated their cyber security systems and only 17% had purchased specific cyber insurance cover, according to research commissioned by Zurich Municipal and developed by Harvard Business Review Analytic Services in association with risk management organisation FERMA.
The research also found that only 9% provided cyber awareness training for all staff, with only one in three of these refreshing the training on an annual or biannual basis.
This last point is particularly relevant, as most data breaches are down to simple user error – emailing sensitive data to the wrong person or mislaying mobile drives – which can be dramatically reduced with effective security awareness. One example is forbidding the downloading of sensitive data from the council network when working from home.
Threat of litigation
As public awareness of the implications of data breaches rises, so too does the threat of litigation, and the pressure is on for local authorities to address not only their regulatory responsibilities to protect data, but also their duty of care to ensure that they are doing all they can.
New EU rules also require organisations to demonstrate what security measures are in place.
Failure to do this could mean local authorities face major reputational damage – and heavy compensation claims – following a breach.
Effective mitigation is essential across the organisation – don’t make the mistake of seeing this as an ‘IT problem’.
Zurich Municipal advises its clients to take advantage of the risk management advice available from their insurer and work to improve awareness of cyber security at every level, both to prevent external cyber attacks and the kind of simple negligence that can prove all too expensive.
But clients should also work with their insurer to fully evaluate their exposure and make sure that they are happy with the limits of their cover.
Cyber is a hugely complex risk that usually stretches across multiple lines and no-one can afford not to take it very seriously.