An analysis of the data by the Parliament Street Think Tank has heightened concerns surrounding cybersecurity integrity within public sector organisations. In total, the inquiry revealed that the MoD saw 546 reported incidents of potential data breaches in the most recent financial year – an increase of 463 on figures from the previous year (2018/19).
On top of this, seven cases were deemed so severe that they have been escalated to the Information Commissioner’s Office (ICO) for further investigation.
A deep dive into the data showed that 49 reports were classified under ‘loss of inadequately protected equipment, devices or paper documents from secured Government premises’, in the most recent fiscal year, with a further 19 incidents reported from outside of government premises. There were also 454 incidents recorded under the general category of ‘unauthorised disclosure’.
Seven of the most critical cases were reported to the ICO and the MoD Security Incident Reporting Scheme (MSIRS) for further analysis. In July 2019, a sub-contractor incorrectly disposed of MoD-derived material, resulting in the unauthorised disclosure of the personnel and health data of two former employees. Meanwhile, in December 2019, criminal investigation files were lost during an archiving process, potentially putting 16 people at risk.
In February last year, a recorded delivery package containing the claim forms of five individuals, which held personnel and health data, was lost in transit between two stations; while one month later in March, a whistleblowing report that had not been properly anonymised was issued on the subject of the report. Although the document was deleted 32 hours after issue, it threatened the personal security of at least nine individuals.
“Time and time again, we see how simple incidents of human error can compromise data security and damage reputation,” said Tim Sadler, cybersecurity expert and CEO of Tessian. “The thing is that mistakes are always going to happen. So, as organisations give their staff more data to handle and make employees responsible for the safety of more sensitive information, they must find ways to better secure their people.
“Education on safe data practices is a good first step,” he added, “but business leaders should consider how technology can provide another layer of protection and help people to make smarter security decisions, in order to stop mistakes turning into breaches.”