Councils will become the digital kaitiaki for their communities as they negotiate a delicate balance between protecting personally identifiable information and sharing data for the public good. PATRICIA MOORE examines upcoming data security considerations for councils.
The head of the Government Communications Security Bureau recently highlighted the number of cyber attacks being carried out on nationally-significant organisations. “The risks are real and not just to big organisations,” he told the NZ Herald.
Local authorities putting more internet-connected technologies into their infrastructure are not immune. But if data security is a concern today, what will be the situation in 10 years time?
It’s a question that brings to mind Yogi Berra’s famous quote says Privacy Commissioner John Edwards. “‘It’s tough to make predictions, especially about the future.’ Things change in unexpected ways on a regular basis, which makes it difficult – if not impossible – to make accurate predictions about what may happen over the next two, five or 10 years.”
Steve Macmillan is MD of Kaon Security. For local authorities that embrace and harness new technologies the next decade will be an exciting one, he says. “However, security needs to be built in to any projects around these new technologies and not applied as an afterthought.”
And, he says, the human factor will need constant work. “Organisations will need to adopt continuous education about the appropriate use of systems and data – a change in IT culture to make things safe and secure.”
He also cites legislation around increased compliance requirements, and information governance and management, as issues in the future. It’s all about putting data to good use and clarifying who has access to it.
The general consensus is that as the amount of personally identifiable information (PII) stored by local authorities grows, it will become a more attractive target. “The sophistication of external threats will continue to increase as well as the volume of attacks,” says internet consultant Tony Krzyzewski of TonyK NZ.
“The information held by local authorities is becoming increasingly valuable in the hands of hostile players interested in getting personal information for gain.”
While much has been made about the need for individuals to keep their data safe online, this is even more important for local authorities that have a duty of care for data about people who don’t even know they’re online, says Dean Pemberton, InternetNZ technical policy advisor.
“As such they have a special position as digital kaitiaki [guardians] for their community’s data.”
Dean believes the next decade will see local authorities facing a number of challenges including keeping PII secure, and keeping data open when it is not PII and could contribute to the production of a public good.
“A third [challenge] is knowing the difference between the two and doing the right thing when they get it wrong. The tension caused by the first two of these challenges makes the third so much more important.”
Storage of potentially-valuable information and the systems that access it was not typically built with a connected world in mind. Sebastian Kramer – a consultant at IT security specialists SSS – says that, for local authorities, this means gaining a better understanding of how to protect this information. It also means knowing who is accessing and copying it and “becoming more proactive in ensuring its protection and appropriate use”.
According to Steve Macmillan, the availability of skilled, experienced people in areas of strategic security advice through to the correct implementation of technical controls will be another concern. “While aspects of IT security control will continue to be automated and more intelligent, they will be less effective if the foundational aspects of security are not in place.”
Back at SSS, Sebastian Kramer stresses the importance of securing sufficient budget, prioritisation, and ensuring InfoSec becomes part of business-as-usual practice, rather than being seen as an external factor to local authority operations.
“We’re starting to see an increase in spending on IT security outside standard measures, but budgets are limited and very few councils have any specialist internal InfoSec skills, let alone full-time staff.” More and more are looking to outside suppliers, he says.
John Edwards says the skill lies in knowing when to call on these experts and what to ask them. He adds that it’s important councils invest in a base level of knowledge in all staff from entry level to chief executive. “What’s more, there needs to be a ‘privacy first’ culture where people are not afraid to challenge assumptions and call out potential privacy issues.”
Dean Pemberton suggests pooling resources for local authority-focused security operations centres (SOCs) across the country may be the best use of resources – particularly where a shortage of suitably qualified personnel and high costs are issues. Data is all valuable, regardless of the size of the authority that holds it; “SOCs could provide much-needed advice in the trade-off between providing open data while protecting PII.”
Tony Krzyzewski says that with shared services among local authorities already happening this may develop to the point where information and system resource sharing becomes the norm rather than the exception.
John Edwards notes there’s a legal requirement to have a privacy officer in any agency, including councils. “That’s the natural place for expert, specialised privacy knowledge,” he suggests. “Local authorities can improve the value of this knowledge by ensuring privacy officers across authorities talk to each other. Sharing lessons is a really easy way to ensure a little privacy expertise goes a long way.”
Constantly changing systems and technologies, exacerbated by the impact of societal and organisational demands on the use of information managed by local authorities, will continue to be challenging.
As Tony Krzyzewski notes, “We only need look back 10 years to see how cloud computing and the development of shared services have impacted on local authority IT operations.
“Without additional investment and an increased level of support at executive level, local authorities whose security posture has changed little over the past decade, may find it difficult to match the ever-increasing threats to information services over the next.”
- Patricia Moore is a freelance firstname.lastname@example.org
This article was first published in the July 2016 issue of NZ Local Government Magazine.
Read Tony Krzyzewski’s take on the 10 biggest mistakes that IT managers make.