by Mark Smith, head of PSN, Government Digital Service, Cabinet Office
In recent years, the number of data breaches and threats to public sector data has focused local authority attention on effective security regimes. In our role of overseeing the Public Services Network (PSN) compliance process, it’s been great to see this evolution in practice – a smarter and more thorough response to security helps us all.
There are, however, still some organisations that don’t see the bigger picture and continue to think that, because they are PSN compliant, they must by default be completely secure and resilient.
PSN compliance is just one component of any organisation’s security landscape, but we often see PSN compliance misused as a delivery mechanism for security across an entire organisation. It means they make their security decisions based on just meeting the demands of PSN compliance – not on meeting their organisation’s specific needs.
In our experience, any organisation that uses PSN compliance as a checklist of the things they need to do to be ‘secure’ seems to have little understanding of security issues or their needs. And that often means they’re going to fall down when it comes to being properly secure or resilient.
Compliance not the same as ‘secure’
It’s important to recognise that risk management and security responsibilities cannot be deferred by virtue of simply using a particular network. PSN compliance – by its very nature – only reports on some parts of what you need to do because it only looks at risks that are important to the PSN network and those connected to it.
Organisations need to go further than simply meeting the security outcomes of PSN compliance – they need to focus on ALL their security needs. That means they need to have a complete understanding of their organisation, the information they hold, use and share as well as their network and everything connected to it.
Getting the balance right
Local government in particular holds significant amounts of sensitive data, which makes the cost of a potential breach even greater. However, security and resilience certainly isn’t about locking everything down – it’s about being armed with the latest research, guidance and information to help you decide the best course of action for your organisation.
Investment in an effective security regime is essential and it’s important to grasp your responsibilities. A good way to start is to understand these principles:
- Cyber security is constantly changing and evolving. You can never be 100% secure.
- Solutions should be implemented in a way that balances risk with cost and usability.
- Solutions should be outcome based and regularly reviewed to keep pace with the changing security landscape.
When you choose solutions bear in mind that something that carries an accreditation or a certificate of compliance is a good start – but it won’t guarantee it’s right for the needs of your business. Carry out your own due diligence to make sure it’s right for you.
Make sure the solutions are appropriate for protecting the things that are important to your business and the way it works. Also – because you can never be 100% secure – have strong incident and response processes to reduce the impact of a potential attack.
You can also help make sure these processes are deeply rooted in your business by making them a compulsory module in new starter training, which you can then build on by continually training your staff. We’ve seen this method work well across a number of organisations.
Security is about helping your organisation and your staff to do what they need to do as safely as possible. If you understand your responsibilities and the needs of your business, accept that the cyber security landscape is constantly changing, implement well-configured commodity solutions and build a strong incident response system, you’ll have the tools to do it.
This article was first published in Local Leadership in a Cyber Society: Being Resilient by the DCLG led National Cyber Security Programme - Local and iNetwork. Read the other featured articles.