U.K. Public Sector's Top Security Worries

In a week that saw claims of Red Chinese penetration of U.S. networks, a new survey sponsored by the British security vendor Clearswift has found the thing most public-sector U.K. organizations fear is not industrial sabotage or spying -- it's damage to their reputation due to an IT security breach.

That worry, rated number one by 31% of respondents to the poll, surpasses concerns about the potential financial consequences of any such breaches (20%). That might be surprising, given that the U.K's privacy and IT security watchdog, the Information Commissioner, recently has leveled hefty fines on a number of bodies ranging from hospitals to media companies for not protecting consumer data.

Companies' fears they will be identified as not adhering correctly enough to policy or compliancy issues came in at a relatively distant third (18%).

[ Twitter hacks of U.S. companies are snowballing. Read BK Hack Triggers Twitter Password Smackdown. ]

The survey is based on conversations with 277 people across 247 unique U.K. public-sector organizations, with respondents ranging from compliance officers and IT managers to C-level executives, government workers and university staff.

Security is important at a time when U.K. organizations are increasingly using social media, and also being asked to save money by sharing services or outsourcing some or all of their IT and other core processes to private industry, Guy Bunker, senior VP of products at Clearswift, told InformationWeekUK.com.

"The fact that much bigger numbers than we expected are using social media in the public sector plus the fact that a stubborn number of such organizations just don't feel the need to verify the security policies of their partners really surprised me," he said.

Survey results suggest that most companies do think about the importance of security when partnering with other organizations but aren't doing enough to make it happen. Ninety percent of respondents said information security was an important issue that needs to be clarified when selecting business partners and third parties. The majority (93%) said they regularly exchange information with third parties, and of this data 84% is likely to contain sensitive material.

Sixty-three percent of respondents regard managing information exchange with external partners as a joint responsibility. So far so good. But when asked exactly how this responsibility is divided, only 3% of organizations say they are "worried" about data loss via business partners, an approach Bunker says is too lax: "It is no longer an option to assume that someone else is looking after your data," he said. "IT security policies must be created, shared and enforced by collaborative organizations to ensure not only better protection against data loss, but also a clearer understanding of responsibility and culpability."

How companies treat social media security is another problem area, said Bunker. "What worries me about all these public sector users of social media is that they are not reporting anything like convincing enough strategies and policies to deal with any crises that can easily arise here -- like staff sending abusive Tweets or emails," he said.

"Merely setting up a Twitter, Facebook or YouTube account does not equate to a secure, information-centric social media strategy. Likewise, putting a security policy in place without educating staff and enforcing the policy will not reap the desired results," he added.

Half (50%) of respondents told the researchers they were concerned that social media could pose significant risks to their IT security, but 38% admitted to not having a strategy in place to address it. That could be a problem, as Twitter is enabled by 71% of those surveyed, with only a fifth (19%) actively banning it, compared with 62% enabling the use of Facebook and a quarter (26%) not allowing their staff to use it during work hours.

Banning social media at work is not the answer, said the report. "Those banning the use of social media may be confident that they are avoiding security issues and the reputational damage that comes from a malicious or accidental posting, but they are also withdrawing from a two-way conversation with the public they serve which can be damaging in itself," it said.

Attend Interop Las Vegas, May 6-10, and attend the most thorough training on Apple Deployment at the NEW Mac & iOS IT Conference. Use Priority Code DIPR02 by March 2 to save up to $500 off the price of Conference Passes. Join us in Las Vegas for access to 125+ workshops and conference classes, 350+ exhibiting companies, and the latest technology. Register for Interop today!