UK public sector IT chiefs shrug off breach threats: The data we hold isn't that important

Half of UK public sector IT chiefs think the data they're responsible for protecting is less valuable than private sector information, according to a survey by antivirus firm Sophos. Just over 50 per cent of 420 senior managers quizzed by Sophos agreed with the statement: "The data held by my organisation is less valuable than …

  1. Alister Silver badge

    Head in the cloud(s)

    The clear take away from this is that IT upper management in general have no fucking clue.

    1. Anonymous Coward

      Re: Head in the cloud(s)

      Those that don't know IT, manage it.

      1. Andy Non Silver badge

        Re: Head in the cloud(s)

        While fictional and humorous, Jen in the IT crowd exemplifies this nicely.

        1. BebopWeBop Silver badge

          Re: Head in the cloud(s)

          Cuddly (imho) but ineffectual. A polar opposite of many managers.

        2. Anonymous Coward

          Re: Head in the cloud(s)

          Anon in the public sector - in that situation now with the head of IT being someone with no IT experience other than as a user.

          As is often the case, truth mirrors fiction!

    2. waserman

      Re: Head in the cloud(s)

      > The clear take away from this is that IT upper management in general have no fucking clue.

      How about making them legally liable for losing your personal records?

  2. tiggity Silver badge

    muppets

    Given the public sector have lots of statutory powers to get (accurate) information that is very sensitive then the bods in charge are being a bit thick (par for the course as go to the "top").

    Most of my private sector data is typically far less sensitive (only private sector with my real DOB are bank & employer, ditto national insurance number) so most private sector data breaches would give quite low grade information (in addition to fake DOB they typically get fake phone numbers etc)

    1. katrinab Silver badge

      Re: muppets

      Depends on the department though.

      What personal data does for example Highways England hold?

      They have one my email addresses because I asked them to fix a broken lamp post, but apart from that, not much.

      1. Richard 12 Silver badge
        Facepalm

        Re: muppets

        Timestamped locations of every vehicle using any of the major roads where they run traffic density or average-speed cameras.

        There's also the things their IT can do remotely, such as close and open lanes, remotely change variable speed limit signs...

        1. Twanky Bronze badge
          Unhappy

          Re: muppets

          Average speed check has worried me too - no, not just for the obvious reason. Is there any published information on how long the systems behind average speed check cameras hold the ANPR data of the passing traffic - in the UK or elsewhere?

      2. Severus

        Re: muppets

        Ever heard of data aggregation? Put all those little inconsequential nuggets together and pretty soon you have a digital profile good enough when stolen or "lost" to fuck up your life. EVERY piece of private data held by government deserves to be handled securely. To paraphrase, look after the little stuff and the big stuff takes care of itself.

    2. NeilPost Bronze badge

      Re: muppets

      Are they just being honest? It's worth less as they can't monetise it, unlike Google or Facebook. Otherwise it would be a treasure trove.

      Esp. against vulnerable people, whom insurance companies could, say, discriminate against, for example... or drugs companies could directly target the verified sick.

  3. Anonymous Coward

    Anon public sector here. Our data is quite possibly more sensitive than most held by the private sector. We have masses of personal information, financial information, loads about crime, criminal convictions, the victims of crime, children in care, vulnerable people, health information.

    Not only could the disclosure of this information be catastrophic and potentially life threatening, a loss of availability of this information could also be.

    I do wonder who Sophos spoke to, it's not an attitude I recognise.

    1. Anonymous Coward

      "it's not an attitude I recognise."

      Having followed the reactions to various data breaches from the public sector (too numerous to mention, which in itself is a fucking disgrace) I would counter by saying this is exactly the attitude I would expect.

      "Oh dear, we lost 2 million people's data on a train. Never mind".

    2. Doctor Syntax Silver badge

      "I do wonder who Sophos spoke to"

      People who don't want to be put to the trouble of looking after data carefully.

    3. Chris 3

      I wonder whether the respondents may be interpreting 'valuable' in a monetary value sense. The answers *may* have been different if the question had been about the 'sensitivity' of the data held.

    4. Anonymous Coward

      Your manager's manager, probably.

      You know that data is seriously important and potentially dangerous. Your manager probably does too.

      But their manager was parachuted in from somewhere else at random and has no idea what your department does.

  4. Anonymous Coward

    The NHS has been forced to accept security is important in the wake of Wannacry and has been doing a lot of work to try and improve their security estate. The same can't be said for other government departments. If I had to guess, I'd say that most of the good responses to this were from the NHS people. The worst responses were probably from schools. A lot of schools do horrific things that make security worse like break encryption under the guise of monitoring and they just can't understand why the information about school children would be of any interest to anyone. Add to that school IT being a mixture of outsourced and underpaid CS grads who couldn't get anything better and you get a nightmare situation where they don't care about security.

    1. katrinab Silver badge
      Childcatcher

      Won't someone think of the paediatricians?

      But "outsourced and underpaid CS grads who couldn't get anything better" sounds like a massive improvement on the PE teacher who administered my school network. I'm sure he was very qualified in all matters related to football and stuff like that, but he knew less than me about computers. I didn't learn anything from him in either the sports hall or the computer lab.

    2. Anonymous Coward

      "The NHS has been forced to accept security is important in the wake of Wannacry and has been doing a lot of work to try and improve their security estate."

      NHS IT has taken security seriously as far as I can remember (that'd be c.2005). Unfortunately, they've had budgetary issues. To put it very bluntly, the NHS has had a decreasing budget (real-terms) for a long time, and if there's a spare £100 going around and someone has to decide between giving it to IT or use it to actually treat a patient, IT will lose every time (for obvious reasons).

      1. Korev Silver badge
        IT Angle

        Which is fine until the unpatched PACS system goes down...

        (I'm agreeing with you, despite the snarky comment)

        The medics' option of IT -->

  5. forumusernamealreadytaken

    wrong question perhaps?

    Maybe they asked the wrong IT Chiefs. The people they asked may have thought in terms of business impact level for their data, come to 1 or 2, ie OFFICIAL or OFFICIAL - SENSITIVE, thought that as they were not part of the high threat club that their data was important, but not _that_ important. Then they rank it against "private sector" and as they don't know what the business impact for private sector data is, they assume it's 4 or 5, so they say public sector data is less important than private sector.

    Maybe it is less important ... otherwise why would my company directorships be on the public internet, my electoral details be in a book anyone can read (along with the age of anyone about to be eligible to vote), my web domain registration available for anyone to dig, etc etc blah blah blah.

    A better question would be "what is the impact level of this data and how do you protect it: National Insurance numbers, tax returns, confidential medical records, passport details" then same question for "CVV, PAN, what I had for breakfast, how much I paid for my house, what I bought from Amazon, who I like on facetwit, pharmaceutical company pre-patent research"

    1. Adrian 4 Silver badge

      Re: wrong question perhaps?

      Perhaps they meant 'It won't cost us our business if we lose this data because we don't actually HAVE a business, and fines for government departments, if they exist at all, are just a paper exercise'.

      Losing your civil service pension, on the other hand, might be seen as a reasonable deterrent.

        1. Anonymous Coward

        Re: wrong question perhaps?

        "Losing your civil service pension, on the other hand, might be seen as a reasonable deterrent."

        That would, however, require a change in the law (and be very dangerous - the contents of your pension pot are legally yours, so confiscation of said would effectively be reclaiming pay). Misconduct, gross negligence, etc, would all be more sensible ...

        1. Tim99 Silver badge
          Coat

          Re: wrong question perhaps?

          Back in the day, the Civil Service used "Gross moral turpitude" to describe a dismissible action. When I first heard it, I thought that it might be worth it...

          No, they never gave me mine, I left of my own accord >>======>

      2. Anonymous Coward

        Re: wrong question perhaps?

        My own experience is that most of the public sector take data protection very seriously and are abjectly terrified of the fall out of a significant data loss. The ICO fines worry them but the bad PR scares them. It might seem unlikely but even though the public sector doesn't need to turn a profit or win your business it is very conscious of its PR (or at least those at the top are).

        Where this falls down is in the operation. So the words are said that this stuff is very important, they might even be heartfelt, but if security starts to cost money and/or time it's very quickly put to the side as a blocker. Schools have no interest in security if it means they have to do anything. Various teams will side-step security if it means it is easier to do the thing they are focussed on. "Why include security? They only ask awkward questions and mean that I can't get the latest shiny tomorrow!".

        Security is a hard sell, it's insurance at worst and a comfort at best. If you do your job properly nothing happens. If the organisation is lucky nothing happens anyway.

        I have asked for public executions for those managers that ignore security and then cock up but as yet I've been rebuffed.

    2. Anonymous Coward

      Re: wrong question perhaps?

      Impact is relative.

      Perception of government department before massive data breach is that they're a bunch of incompetents who couldn't manage their way out of a damp paper bag.

      One massive data breach later, and people still consider them to be a bunch of incompetents who couldn't manage their way out of a damp paper bag.

      Next to no change there....impact zero

  6. chivo243 Silver badge
    Devil

    The real pain point

    (a lack of) employee skills. I will troubleshoot your citrix\rds\ connection, odd network problems, weird printing issues, but I will not teach you how to use Word!!

  7. Irongut

    As an 'IT bod at the coalface' my biggest cause for concern over IT security is senior management's disregard for the importance of security and wilful ignorance of GDPR. No matter how secure you try to make things there is always a senior manager who clicks on obvious malware or wants you to relax security because it will save them 5 minutes.

  8. Anonymous Coward

    Don't forget a lot of these senior PHBs move on after fucking up - and they take their attitudes with them. With those bastards, it's always someone else's fault....

  9. Doctor Syntax Silver badge

    If it's not important they shouldn't be holding it. If they don't have any information to hold they don't have a job to do. If they don't have a job to do they shouldn't be being paid.

    Explain that and ask them again.

  10. TXITMAN

    Incompetence and denial

    It is incompetence and denial that drives this attitude. Imagine if the voter registration records were compromised. It would be possible to change the voter rolls.

  11. Anonymous Coward

    Unsurprised

    When I worked in the public sector our Head of I.T. was professionally trained

    As a chef.....

  12. eldakka Silver badge

    Not all government agencies' data is equal

    For example, the government agency that looks after national parks. Does it have much, if any, private data on citizens?

    Or a government department/agency responsible for supplying stationery to other government departments?

    The question is, what specific agencies/teams did the ones who responded that their data wasn't as important belong to?

    Weather forecasting?

    Endangered species monitoring?

    Not all government departments/agencies/teams deal with or hold data or collect data about private citizens.

  13. Mike 137 Bronze badge

    The real problem

    The real root problem here is not specific to government departments. In my consulting experience, it affects pretty much all businesses, and it's twofold:

    [1] nobody understands how to assess risk

    [2] any consideration of risk is always in terms of "risk to us", not "risk to our client, the public, the data subject etc."

    The first aspect is due to a complete absence of training in the real principles of risk that have been established for the last 400 odd years, instead relying on pretty dashboards based on snake oil and wild guesswork, and the second is just a manifestation of the ruthlessness of unbridled capitalistic thinking.

    Until both these failings are fixed, the situation cannot improve.

  14. Tim 11

    Evidence?

    This is just shoddy shit-stirring journalism and we should be expecting better from el reg.

    The article (and Sophos) are automatically assuming that the people they interviewed are deluded or dishonest, but there's no shred of evidence that what they are saying is false - I'm sure there would have been just as much uproar if a small majority of private sector IT chiefs claimed their data was less important than that held in the public sector.

    Obviously tax returns, confidential medical records, passport details etc are important, but maybe they were included in the nearly-50% who didn't agree with the statement. We can't know unless there's some kind of analysis of what the true picture is.

    I speak as someone who is about as far to the anti-public-sector end of the scale as it's possible to get, but politics shouldn't trump truth.

  15. Timo Dactyl

    Honestly, I think a large part of this is just the weasel-word 'valuable'. I imagine a lot of people would simply parse this as 'having commercial value' - and if it's taken this way, then no, a lot of public-sector data isn't valuable. The more sensitive it is, in fact, the less 'valuable' it is, precisely because it is not and cannot be legally bought or sold. If the question was phrased about whether the data was 'important' or 'sensitive' ... well, then you might have had different answers.

    And I find it hard to believe Sophos isn't aware of this. They're hardly a disinterested party.
