Mike Patchett, Head of Public Sector at Lakeside Software, explores the challenges of protecting government data on employees’ work devices in a rapidly changing digital workspace, and how to go about it.
Public sector organisations store and process a vast amount of highly sensitive data about their citizens on their devices. Whether it is personal identification information, financial data or medical information, it is crucial to protect these devices from theft, inappropriate access or malicious breaches.
Data breaches erode trust and are often accompanied by financial losses. Failure to adhere to legal and regulatory stipulations, particularly in the protection of sensitive information, can lead to fines and legal action, not to mention loss of reputation. Finally, a breach in data security that causes IT downtime affects the productivity of a team which, in turn, impacts how effectively it can serve its customers.
The IT devices used by public sector employees for work are particularly vulnerable to data breaches – all the more so now that remote and hybrid work has become integral to daily life. Like many businesses during the pandemic, public sector organisations such as the Department for Work and Pensions (DWP) have had to adapt very quickly to a new mode of remote or hybrid work. Employees and teams that are working remotely have to access information to allow them to carry out their roles, and now have devices that contain highly sensitive government assets. Protecting these devices is essential to securing such information.
Public sector organisations face several challenges when it comes to protecting their employees’ devices.
Organisations such as DWP and the NHS require large-scale deployments, where there is a need to secure vast numbers of devices, including laptops, desktops, mobile devices and servers, spread across multiple locations. The organisation not only has a considerable number of devices to secure, but each employee may also have a different level of clearance as to what information they are able to access. Furthermore, due to the highly sensitive nature of the information on public sector IT hardware, it is these very devices and networks that become high-risk targets for cyber attacks or unlawful breaches.
Securing public sector information on devices is all the more complex and time consuming as these organisations are held to a number of regulatory standards and compliance stipulations, including the General Data Protection Regulation (GDPR). Given the requirement to balance the unique security needs of public sector organisations with their budgets and legacy systems, a considered approach to protecting devices is needed.
Here are a few actionable recommendations when protecting public sector devices:
Carry out a comprehensive inventory of all the devices that employees have access to and their associated risks. Next, conduct a thorough risk assessment to identify and prioritise the most significant threats and vulnerabilities to those devices.
Put policies and procedures in place to ensure that employees’ work devices are secured and regularly maintained, and review those procedures regularly. These policies should be clearly communicated to staff.
Deploy crucial security measures including firewalls, anti-malware and encryption to protect devices from cyber attacks.
Educate employees regularly with awareness programmes to ensure they understand the importance of device security and have the necessary skills and knowledge to help protect their devices.
Keep track of what types of information each employee should be able to access and have an overview of where and how the devices are being used.
The final step is crucial with the increase in remote working among public sector organisations. For example, when its workforce started remote working, DWP needed a platform it could deploy quickly in response to the changes in workforce locations due to the pandemic. Lakeside Software was able to support DWP’s efforts to protect highly sensitive data on work devices. Lakeside Software was able to quickly deploy a solution that was non-intrusive, auditable, and GDPR compliant.
Cloud-based solution SysTrack gathers and analyses information on anything that impacts end users’ digital experience and productivity, while providing full visibility to IT teams to secure data across a workforce. Leveraging the SysTrack software already deployed on its devices was not only cost-effective but also meant that DWP could collect the IP address and the connection date/time for each active connection, then cross-reference this information with publicly available records to identify the country where the asset was located.
DWP could then map devices to countries, and display relevant insights in a single location. This solution has resulted in DWP’s security and asset management teams being able to identify where DWP data is being put at risk and address those risks where necessary.
In this way, with solutions that give organisations unmatched visibility of their devices, data and usage, they can quickly take steps to lock out the device or disable network connectivity and authentication for that user if a risk is presented, such as a device being used outside the UK or on a personal VPN that terminates in a foreign country.
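The cross-referencing step described above, sketched as an added example (not Lakeside's or DWP's code): connection records are matched against an IP-to-country table and anything outside the allowed country is flagged for review. The device names, timestamps and prefix table are constructed, using documentation address ranges in place of a real public geolocation dataset.

```python
import ipaddress
from collections import defaultdict

# Constructed prefix-to-country table (RFC 5737 documentation ranges);
# a real deployment would load a public IP geolocation dataset instead.
GEO_TABLE = [
    (ipaddress.ip_network("192.0.2.0/24"), "GB"),
    (ipaddress.ip_network("198.51.100.0/24"), "FR"),
    (ipaddress.ip_network("198.51.100.128/25"), "GB"),
    (ipaddress.ip_network("203.0.113.0/24"), "US"),
]

# Constructed connection records: (device, source IP, connection time in UTC).
CONNECTIONS = [
    ("LAPTOP-001", "192.0.2.10", "2023-03-01T08:55:00Z"),
    ("LAPTOP-002", "198.51.100.20", "2023-03-01T09:02:00Z"),
    ("LAPTOP-002", "198.51.100.200", "2023-03-02T09:05:00Z"),
    ("LAPTOP-003", "203.0.113.7", "2023-03-01T22:14:00Z"),
    ("LAPTOP-004", "10.8.0.5", "2023-03-01T10:00:00Z"),
    ("LAPTOP-005", "not-an-ip", "2023-03-01T10:30:00Z"),
]

def country_for(ip_text):
    """Return the country of the most specific matching prefix, else None."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return None  # malformed address in the telemetry
    matches = [(net.prefixlen, cc) for net, cc in GEO_TABLE
               if ip.version == net.version and ip in net]
    return max(matches)[1] if matches else None

def flag_connections(connections, allowed=frozenset({"GB"})):
    """Map device -> [(time, ip, country)] for connections outside `allowed`.

    Addresses with no geolocation record (private ranges, malformed values)
    are reported as "UNKNOWN" so they are reviewed, not assumed in-country.
    """
    findings = defaultdict(list)
    for device, ip_text, when in connections:
        country = country_for(ip_text) or "UNKNOWN"
        if country not in allowed:
            findings[device].append((when, ip_text, country))
    return dict(findings)

if __name__ == "__main__":
    for device, hits in sorted(flag_connections(CONNECTIONS).items()):
        for when, ip_text, country in hits:
            print(f"{device}\t{when}\t{ip_text}\t{country}")
```

Geolocation reflects where the connection exits to the internet, so a device behind a VPN is attributed to the VPN's exit country rather than its physical location.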
A rapidly changing digital workforce where employees work remotely and have access to highly sensitive information requires a considered approach that balances a number of criteria. As part of the approach to securing public sector devices, a solution that gives IT teams as much visibility of their device usage as possible while balancing compliance and budgetary needs is the way forward.