Skip to the content


What can we learn from the UK government's data security flaws?

Data security

In a recent report - entitled 'Protecting information across government' - the UK's National Audit Office (NAO) has criticised the country's government over its attitude to data security. The organisation found that the safety of online information is not prioritised as it should be, and as a result, important data could be at risk.

This can already be seen in some instances. The 17 largest departments in the UK government suffered a combined 8,995 data breaches in 2014 and 2015, while GCHQ - the UK's data security and intelligence agency - has seen national cybersecurity incidents double in just a year, from 100 per month in 2014 to 200 per month in 2015.

Part of the issue, according to the NAO, is a lack of centralised leadership. The UK has 12 separate organisations in the centre of government with responsibility for aspects of protecting information, and 73 different teams covering security in central government departments.

The report stated: "None of the departments we interviewed understood the specific roles of the various bodies involved, making it difficult to identify any single arbiter of standards or guidance."

So, what can the UK do to improve this situation? And what can other organisations learn from it? Data security is an important aspect of everything from small businesses to multinational corporations, and the following lessons can be implemented in many different scenarios.

Take the lead

One of the steps the UK government is taking is to have a more active role itself, rather than relying on a variety of private sector organisations to handle elements of its cybersecurity. Ciaran Martin, head of the UK’s new National Cyber Security Centre (NCSC), has said the government will be taking a more active role in this issue in future.

Speaking at the Billington Cyber Security Summit in Washington DC, Mr Martin said: "There's a legitimate role for the government in taking a lead." The theory behind this view is that centralising data security means efforts can easily be monitored and coordinated, while the chain of escalation and command will be clear.

This is something all organisations can learn from. Outsourcing data security is fine, but splitting duties among multiple groups can easily make their efforts much less effective. Having a central policy and a strong set of guidelines will also help to improve this.

Have an active defence

Another point Mr Martin brought up was the UK desire for a more active defence network. Essentially, rather than tackling each attack as it happens, the NCSC intends to put a series of measures in place to anticipate future attacks and defend against them before they occur.

For example, one of these is automated takedown requests that are sent out to hosters, registrars and other entities. These are an aggressive way of dealing with commodity attacks, and the new approach appears to be working.

Mr Martin pointed out: "Looking at phishing attacks against UK government brands, the median time the phishing site is up has dropped from 49 hours to five hours. A clear, verifiable improvement."

When organising your own cyber defences, it is important to prepare for the future and have systems in place to immediately deal with attacks. It is no good simply waiting and dealing with each incident as it occurs; take the UK government's example and start striking back at cybercriminals with an active defence.

Monitor your systems

Of course, methods of dealing with threats are relatively useless if you are not aware the threats are occurring in the first place. Monitoring your systems is an essential part of data security, so you can be immediately aware if anything looks suspicious and deal with it accordingly.

This is something that John Streufert, director of federal network resilience at the Department for Homeland Security, recommends. As reported by, he has recommended that organisations implement daily monitoring, as he does with his department.

"The entire discipline encourages that we are assessing our risk on a more continuous basis," Mr Streufert said. "What gets watched, gets worked." This has enabled the US government to be more flexible about its approach to data security.