London, 21 May 2015 – Research conducted by Six Degrees Group (6DG) has revealed that there is a significant gap in data security protection amongst Local Authorities (LAs) in the UK, with 55% reporting breaches of ‘official’ data in the last two years. 6DG’s Freedom of Information request, sent to all 433 UK LAs, highlights that a staggering 60% of LAs don’t know how much sensitive ‘official’ data they hold, or where it is kept, with one authority suffering 213 data breaches in just two years.

Although 34% said they had suffered no data breaches over that period, these statistics demonstrate that UK councils lack comprehensive knowledge of security measures and are unaware of the options available that would both enable and improve the protection of their ‘official’ data.

The 6DG research has further revealed that 66% of LAs are unable to report on how much of the data they store is sensitive and, if it is, how it should be managed in relation to the new CESG ‘official’ security classification guidelines. The new security classifications (official, secret and top secret) were introduced by the government in 2014 to replace the Impact Level (IL) ratings. The introduction of the new classifications seems to have caused some confusion as many of the LAs appeared unsure of the mapping from ‘IL2/IL3’ to ‘official’ which is likely reflected in their data governance plans.

There is also a lack of clarity surrounding the whereabouts of ‘official’ data, with 61% of respondents unable to say whether theirs is held internally or externally. Only 2% reported that at least half their ‘official’ data was held in the Cloud, with 37% storing the majority of their data ‘on-site’.

parliament

The Security Audit Divide

The 6DG research highlights that over half of UK councils are struggling to implement measures that will enable them to optimise, enforce and measure data security. When asked about their approach to security audits and their use of accredited security consultants, 45% of LAs revealed that they had no record of whether a security audit had taken place in the last two years. Of those which had completed audits, there was a marked disparity between the frequency required over a two year period. When asked whether they had used an accredited CESG consultant as part of their security compliance strategy in the previous two years, over 60% of respondents had no record of using one at all, with 39% using the CESG Listed Advisor Scheme on fewer than five occasions in the same period.

“This insight reveals a huge gap in approach within LAs across the UK, with a worrying majority lagging in their understanding of the actual position they are in regarding data security, let alone bringing protection up to standard,” commented Campbell Williams, group strategy and marketing director at 6DG.  “We see less than half of them classify their data to an officially recognised standard and have regular audits in place to protect their data; this small percentage appears to be in a reasonable position as they aren’t suffering breaches.  The rest are struggling – breaches are commonplace – and what is equally as worrying is the serious lack of insight they have into their own situation.  These Authorities need to act very quickly or more sensitive public data will be lost to potentially criminal sources.”

*Data sample: Freedom of Information Requests sent to 433 UK Local Authorities, research completed by March 2015.  Replies received from 302.