Here is another example of a data breach at a council. “Breach” implies someone broke in and stole the data; what actually happened was that council employees themselves sent the sensitive information out in response to a Freedom of Information (FOI) request, and the data was then published on another website.
I’ll not bore you with the excuses or apologies.
Bedfordshire council published details of pupils online – BBC News
The information was details of children’s special educational needs – obviously this type of information is subject to the GDPR provisions in the Data Protection Act. The ICO is examining the case.
When we are working with organisations on cyber security and GDPR, we start off with the most basic of concepts:
Classify your information, thinking about:
C – confidentiality – rank your information: is it secret, is it PII, is it…
I – integrity – consider how the integrity of your information is maintained
A – availability – now you have to make it available for people (or software) to work with it, so how will that impact the above?
Then consider the following; it will help frame how you manage the above three points:
A – authentication – make sure you know who is accessing your information – use MFA and passwordless access wherever possible
A – authorisation – once you absolutely know who is accessing your systems, implement the “principle of least privilege”
A – accountability – always know and record who accesses what and when.
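To make the three As concrete, here is an added example (not code from the article or from any council system) of how classification, authentication strength, least-privilege authorisation and an audit trail fit together in one release check. The roles, record references and permission table are constructed for the illustration; the point is that a PII-classified record cannot be released for an FOI response in its original form, only a separately reviewed redacted copy, and every decision is recorded.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from enum import IntEnum
from typing import List, Optional, Tuple

# Constructed example of the C-I-A / A-A-A framing: records carry a
# classification label (C), users carry a role with least-privilege
# permissions (authorisation), access to confidential data needs MFA
# (authentication), and every decision is written to an audit log
# (accountability). Names and roles are hypothetical.


class Classification(IntEnum):
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2
    PII = 3  # personal data, e.g. details of a pupil's educational needs


@dataclass
class Record:
    ref: str
    classification: Classification
    body: str


@dataclass
class Session:
    user: str
    role: str
    mfa_verified: bool  # set by the login flow; True only after a second factor


@dataclass
class AuditEntry:
    when: str
    user: str
    action: str
    record_ref: str
    decision: str
    reason: str


# Least privilege: each role may perform an action only on records whose
# classification is at or below the listed ceiling. Default deny otherwise.
PERMISSIONS = {
    "sen_caseworker": {"read": Classification.PII},
    "foi_officer": {"read": Classification.PII, "release": Classification.INTERNAL},
    "press_office": {"read": Classification.INTERNAL, "release": Classification.PUBLIC},
}

AUDIT_LOG: List[AuditEntry] = []


def authorise(session: Session, action: str, record: Record) -> bool:
    """Authentication check, then authorisation check, then an audit entry."""
    ceiling = PERMISSIONS.get(session.role, {}).get(action)
    if record.classification >= Classification.CONFIDENTIAL and not session.mfa_verified:
        decision, reason = "deny", "mfa required for confidential data"
    elif ceiling is None or record.classification > ceiling:
        decision, reason = "deny", f"role {session.role} may not {action} {record.classification.name}"
    else:
        decision, reason = "allow", "within role ceiling"
    AUDIT_LOG.append(AuditEntry(
        datetime.now(timezone.utc).isoformat(), session.user, action,
        record.ref, decision, reason,
    ))
    return decision == "allow"


def release_for_foi(session: Session, record: Record,
                    redacted: Optional[Record] = None) -> Tuple[bool, str]:
    """Release a record for an FOI response.

    If a reviewed, redacted copy is supplied, that copy (with its own, lower
    classification) is what gets checked; the original PII record never
    passes the release ceiling of the FOI role.
    """
    candidate = redacted if redacted is not None else record
    if authorise(session, "release", candidate):
        return True, candidate.body
    return False, ""


if __name__ == "__main__":
    original = Record("SEN-0001", Classification.PII, "Pupil: A. Example, EHC plan, dyslexia")
    officer = Session("j.smith", "foi_officer", mfa_verified=True)
    print(release_for_foi(officer, original))  # denied: PII above release ceiling
    summary = Record("SEN-0001-R", Classification.INTERNAL, "12 pupils held EHC plans in 2022")
    print(release_for_foi(officer, original, redacted=summary))  # allowed
    for entry in AUDIT_LOG:
        print(entry)
```

The redacted copy is classified by whoever reviews it, so the control is only as good as that review; what the code guarantees is that nobody in the FOI role can release the unreviewed original, and that the attempt is on record.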
For all the above to work you need policies, procedures and work routines in place that enable your team to work but stop the stupid issues arising, and the apologies that follow.
This is all stuff we are covering in our Cyber Security Master Class this week.
Clive Catton MSc (Cyber Security) – by-line and other articles