Aon Risk Solutions | Global Sales & Marketing Support
Proprietary & Confidential
Cyber Risk for Public Sector Industry
Date: 18th March 2016
Table of contents
Data Breaches by Industry
Data Breach Statistics
Claims by Business Sectors
Cyber Risk Framework
Cyber Security Incidents by Industry
UK Cyber Security Trends
Singapore Cyber Security Plan
Cyber Liability – Purchase & Adequacy
US – UK Cyber Security
Govt IT Spending
Data Sources
Government accounted for about 44% of cyber attack incidents reported during the year 2015
According to the ‘Breach Level Index’ database, the Government industry accounted for about 44% of data breaches reported around the world across multiple industries during the year 2015.
The Healthcare sector was the second most affected, accounting for about 19%, and Education was the least affected, accounting for 3% of data breaches reported during the year 2015.
Sources: Breach level Index
Top data breach records by industry during the year 2015
Government: 43%
Healthcare: 19%
Technology: 12%
Retail: 6%
Education: 3%
Others: 17%
Global Public Sector has reported massive data breaches in the last 3 years
Top 10 public sector industry reported data breaches in the world during the year 2015
Month/Year Company/Organization affected Country # of Records Breached Type of Breach Source of Breach Sector Category
Dec-15 United States Voters USA 191,337,174 Identity Theft Accidental Loss Government
Jan-15 General Directorate of Population and Citizenship Affairs, the General Directorate of Land Registry and Cadaster Turkey 50,000,000 Identity Theft Malicious Outsider Government
Jul-15 BSNL India 30,000,000 Account Access Hacktivist Government
Apr-15 U.S. Department of the Interior, U.S. Office of Personnel Management USA 22,000,000 Identity Theft State Sponsored Government
Jan-15 Ministry of Education (MEBB_S) Turkey 15,000,000 Nuisance Accidental Loss Education
Oct-15 Georgia Secretary of State USA 6,200,000 Identity Theft Accidental Loss Government
Sep-15 The B.C. government and Yukon BC 3,400,000 Identity Theft Accidental Loss Education
Jun-15 Japan's pension system Japan 1,250,000 Identity Theft Malicious Outsider Government
Feb-15 The Urban Institute's National Center for Charitable Statistics (NCCS) USA 1,100,000 Existential Data Malicious Outsider Government
May-15 Saudi Arabia Government Saudi Arabia 1,000,000 Existential Data State Sponsored Government
Top 10 public sector industry reported data breaches in the world during the period: 2013 - 15
Month/Year Company/Organization affected Country # of Records Breached Type of Breach Source of Breach Sector Category
Dec-15 United States Voters USA 191,337,174 Identity Theft Accidental Loss Government
Dec-13 Country's Supreme Election Committee (YSK) Turkey 54,000,000 Identity Theft Malicious Outsider Government
Jan-15 General Directorate of Population and Citizenship Affairs, the General Directorate of Land Registry and Cadaster Turkey 50,000,000 Identity Theft Malicious Outsider Government
Jul-14 Benesse Japan 48,600,000 Identity Theft Malicious Insider Education
Jul-15 BSNL India 30,000,000 Account Access Hacktivist Government
Apr-14 U.S. Department of the Interior, U.S. Office of Personnel Management USA 22,000,000 Identity Theft State Sponsored Government
Apr-14 Northwestern city of Verden Germany 18,000,000 Financial Access Malicious Outsider Government
Jan-14 Internet country Germany Germany 16,000,000 Account Access Malicious Outsider Government
Jan-15 Ministry of Education (MEBB_S) Turkey 15,000,000 Nuisance Accidental Loss Education
Dec-14 Serbian State Serbia 7,276,604 Identity Theft Malicious Outsider Government
Sources: Breach level Index
US Public Sector witnessed several massive data breaches during the period: 2013 - 15
Top 10 public sector industry reported data breaches by # of records exposed in USA during the period: 2013 - 15
Month/Year Company/Organization affected Country # of Records Breached Type of Breach Source of Breach Sector Category
Dec-15 United States Voters USA 191,337,174 Identity Theft Accidental Loss Government
Apr-15 U.S. Department of the Interior, U.S. Office of Personnel Management USA 22,000,000 Identity Theft State Sponsored Government
Oct-15 Georgia Secretary of State USA 6,200,000 Identity Theft Accidental Loss Government
Nov-14 United States Postal Service USA 3,650,000 Identity Theft State Sponsored Government
Nov-13 Maricopa County Community College District USA 2,490,000 Identity Theft Malicious Outsider Education
Jul-14 IRS USA 1,400,000 Identity Theft Accidental Loss Government
Oct-14 Oregon Employment Department USA 1,300,000 Identity Theft Malicious Outsider Government
May-14 Montana Department of Public Health and Human Services USA 1,300,000 Identity Theft Malicious Outsider Government
Apr-13 The Washington state Administrative Office USA 1,160,000 Identity Theft Malicious Outsider Government
Feb-15 The Urban Institute's National Center for Charitable Statistics (NCCS) USA 1,100,000 Existential Data Malicious Outsider Government
Sources: Breach level Index
Top 10 public sector industry reported data breaches by # of records exposed in USA during the year 2015
Month/Year Company/Organization affected Country # of Records Breached Type of Breach Source of Breach Sector Category
Dec-15 United States Voters USA 191,337,174 Identity Theft Accidental Loss Government
Apr-15 U.S. Department of the Interior, U.S. Office of Personnel Management USA 22,000,000 Identity Theft State Sponsored Government
Oct-15 Georgia Secretary of State USA 6,200,000 Identity Theft Accidental Loss Government
Feb-15 The Urban Institute's National Center for Charitable Statistics (NCCS) USA 1,100,000 Existential Data Malicious Outsider Government
Mar-15 Georgia Department of Community Health USA 557,779 Identity Theft Malicious Outsider Government
Jan-15 Metropolitan State University USA 480,000 Identity Theft Malicious Outsider Education
Apr-15 Auburn University USA 364,012 Identity Theft Accidental Loss Education
May-15 IRS USA 338,000 Identity Theft State Sponsored Government
Nov-15 IRS Florida USA 300,000 Identity Theft Malicious Outsider Government
Mar-15 Department of Labor, Florida Department of Economic Opportunity USA 200,000 Identity Theft Malicious Outsider Government
In UK massive data breaches were reported during the year 2015
Top 10 public sector industry reported data breaches by # of records exposed in Canada during the period: 2013 - 15
Month/Year Company/Organization affected Country # of Records Breached Type of Breach Source of Breach Sector Category
Sep-14 The provincial government (Wildfire Management Branch) Canada 15,000 Identity Theft Malicious Outsider Government
Jan-14 Veterans Affairs Canada Canada 6,405 Identity Theft Malicious Outsider Government
Mar-14 Avon Maitland District School Board Canada 6,000 Identity Theft Accidental Loss Education
Feb-13 Human Resources Canada 5,049 Identity Theft Accidental Loss Government
Mar-15 Ontario education ministry site Canada 5,000 Account Access Malicious Outsider Education
Nov-14 Skillsoft Canada 4,000 Account Access Accidental Loss Government
Nov-15 WorkSafeNB Canada 3,022 Identity Theft Accidental Loss Government
Jul-15 Quebec Parental Insurance Plan Centre, The Ministry of Labor, Employment and Social Solidarity (MTESS) and The National Review Commission website Canada 2,000 Existential Data Hacktivist Government
Feb-15 Limestone District School Board Canada 2,000 Identity Theft Accidental Loss Education
Sep-15 HMC Dockyard/Royal Canadian Navy Canada 1,086 Existential Data Accidental Loss Government
Top 10 public sector industry reported data breaches by # of records exposed in UK during the year 2015
Month/Year Company/Organization affected Country # of Records Breached Type of Breach Source of Breach Sector Category
Jul-15 U.S. Army National Guard UK 850,000 Identity Theft Accidental Loss Government
Jul-15 Edinburgh City Council UK 13,000 Account Access Malicious Outsider Government
Feb-15 Havering Council UK 2,248 Account Access Accidental Loss Government
Oct-15 British Gas UK 2,200 Account Access Malicious Outsider Government
Jan-15 Department of Agriculture, Fisheries and Food UK 2,000 Nuisance Accidental Loss Government
Jan-15 Bungled Wycombe District Council UK 1,200 Nuisance Accidental Loss Government
Jun-15 Ministry of Defense Donnington UK 1,000 Financial Access Malicious Outsider Government
Dec-15 Maidstone City UK 870 Identity Theft Accidental Loss Government
Oct-15 Derby City School UK 700 Identity Theft Malicious Insider Government
Oct-15 Irish Water UK 700 Identity Theft Accidental Loss Government
Sources: Breach level Index
US Army National Guard in UK reported data breach in which about 0.85 million records were exposed
Top 10 public sector industry reported data breaches by # of records exposed in UK during the period: 2013 - 15
Month/Year Company/Organization affected Country # of Records Breached Type of Breach Source of Breach Sector Category
Jul-15 U.S. Army National Guard UK 850,000 Identity Theft Accidental Loss Government
Oct-14 Staffordshire University UK 125,000 Account Access Malicious Outsider Education
May-13 Glasgow City Council UK 20,143 Identity Theft Malicious Outsider Government
Jul-15 Edinburgh City Council UK 13,000 Account Access Malicious Outsider Government
Aug-14 Council Housing Tenants, Social Services UK 13,000 Identity Theft Accidental Loss Government
Apr-14 Aberdeen City Council UK 9,000 Identity Theft Malicious Insider Government
Sep-14 Irish Water UK 6,329 Identity Theft Accidental Loss Government
Mar-14 Renfrewshire Council UK 5,354 Account Access Accidental Loss Government
May-14 University of Nottingham UK 4,751 Identity Theft Accidental Loss Education
May-13 Erlestoke prison UK 3,000 Existential Data Accidental Loss Government
Sources: Breach level Index
German Government reported large data breaches during the period: 2013 -2015
Top public sector data breaches by # of records exposed in Germany & France during the period: 2013 – 15
Month/Year Company/Organization affected Country # of Records Breached Type of Breach Source of Breach Sector Category
Apr-14 Northwestern city of Verden Germany 18,000,000 Financial Access Malicious Outsider Government
Jan-14 Internet country Germany Germany 16,000,000 Account Access Malicious Outsider Government
Feb-15 Army and Air Force Exchange/Siga Telecom Germany 98,000 Existential Data Malicious Outsider Government
Nov-14 La Gendarmerie France 2,000 Existential Data Malicious Outsider Government
May-15 TU Berlin Germany 200 Existential Data Malicious Outsider Education
Sept-13 The official presentation of the state government, National Data Center in Hall Saxony-Anhalt Germany Unknown Existential Data Malicious Outsider Government
Jun-15 City Rheinberg Germany Unknown Existential Data Accidental Loss Government
Nov-15 District of Goslar Germany Unknown Identity Theft Accidental Loss Government
Dec-14 Brandenburg Parliament Germany Unknown Nuisance Accidental Loss Government
Sources: Breach level Index
APAC public sector reported massive data breaches during the period: 2013 -2015
Top 10 public sector industry reported data breaches by # of records exposed in APAC during the year 2015
Month/Year Company/Organization affected Country # of Records Breached Type of Breach Source of Breach Sector Category
Jul-15 BSNL India 30,000,000 Account Access Hacktivist Government
Dec-15 IIM-Ahmedabad India 2,000,000 Identity Theft Malicious Outsider Education
Jun-15 Japan's pension system Japan 1,250,000 Identity Theft Malicious Outsider Government
Dec-15 Sakai Japan 680,000 Identity Theft Malicious Insider Government
Dec-15 Malaysian Certificate of Education Malaysia 300,000 Identity Theft Accidental Loss Education
Dec-15 Hokkaido University Japan 112,600 Identity Theft Malicious Outsider Education
Dec-15 Japan Health, Labor and Welfare Ministry Japan 103,000 Nuisance Malicious Outsider Government
Apr-15 Principal Controller of Defence Accounts India 50,000 Identity Theft State Sponsored Government
Mar-15 Fit College Australia 11,000 Identity Theft Malicious Outsider Education
Feb-15 University of Sydney Australia 5,000 Nuisance Malicious Outsider Education
Top 10 public sector industry reported data breaches by # of records exposed in APAC during the period: 2013 - 15
Month/Year Company/Organization affected Country # of Records Breached Type of Breach Source of Breach Sector Category
Jul-14 Benesse Japan 48,600,000 Identity Theft Malicious Insider Education
Jul-15 BSNL India 30,000,000 Account Access Hacktivist Government
Dec-15 IIM-Ahmedabad India 2,000,000 Identity Theft Malicious Outsider Education
Jun-15 Japan's pension system Japan 1,250,000 Identity Theft Malicious Outsider Government
Sept-14 Japan Airlines Japan 750,000 Identity Theft Malicious Outsider Government
Dec-15 Sakai Japan 680,000 Identity Theft Malicious Insider Government
Mar-13 Aadhaar India 300,000 Identity Theft Accidental Loss Government
Apr-13 Government of Maharashtra India 300,000 Existential Data Accidental Loss Government
Dec-15 Malaysian Certificate of Education Malaysia 300,000 Identity Theft Accidental Loss Education
Dec-14 China Railway Corporation China 140,000 Account Access Malicious Outsider Government
Sources: Breach level Index
Non-Profit sector accounted for a small portion of total claims reported during the years: 2014 & 15
NetDiligence conducts a study of cyber liability claims every year to ascertain the impact of cyber liability by industry, company size etc.
The Healthcare industry witnessed the highest number of claims vis-à-vis other industries and accounted for 21% of the total in the year 2015. The Non-Profit sector accounted for about 4% of the total claims for the year 2015.
The Healthcare industry witnessed the highest number of claims vis-à-vis other industries and accounted for 23% of the total in the year 2014. The Non-Profit sector accounted for about 8% of the total claims for the year 2014.
Sources: NetDiligence Cyber Claims Study – 2014 & 2015
NetDiligence study - percentage claims by business sectors, 2015
Healthcare: 21%
Financial Services: 17%
Retail: 13%
Technology: 9%
Professional Services: 8%
Non-Profit: 4%
Other Industries: 28%
NetDiligence study - percentage claims by business sectors, 2014
Healthcare: 23%
Financial Services: 22%
Professional Services: 10%
Retail: 10%
Non-Profit: 8%
Other Industries: 27%
Many regulations provide framework and measures to ensure safe and effective transmission of information in USA
In the USA, many laws and regulations address the measures to be taken to avoid ‘Cyber Risk’ or ‘Information Security Risk’. Some of these regulations include: Cyber Intelligence Sharing and Protection Act, Cybersecurity Enhancement Act of 2013, Federal Information Security Amendments Act of 2012 etc.
Recently, a few more laws & regulations have come into force to ensure safe transmission of information. These recent Acts include:
– Cybersecurity Act of 2015: Aims to promote safe & responsible exchange of information.
– Cybersecurity Enhancement Act of 2014: Provides a continuous & collaborative approach to improve cybersecurity and strengthen cybersecurity research and development, workforce development and education, and public awareness and preparedness.
– National Cybersecurity Protection Act of 2014: Codifies an existing operations center for cybersecurity.
– Cybersecurity Workforce Assessment Act: Directs the Secretary of Homeland Security, within 180 days and annually thereafter for three years, to conduct an assessment of the cybersecurity workforce of the Department of Homeland Security.
Other bills related to ‘Cyber Security in USA’ would include:
– Cyber Privacy Fortification Act of 2015, Cyber Intelligence Sharing and Protection Act,
– Federal Exchange Data Breach Notification Act of 2015, Data Accountability and Trust Act,
– Commercial Privacy Bill of Rights Act of 2015, Protecting Cyber Networks Act etc.
The US Department of Homeland Security in Virginia announced new legislation to be adopted by Congress in order to enhance the sharing of electronic threat information between the private sector and the government, while also revamping the Computer Fraud and Abuse Act (CFAA), the 1984 federal law that outlines when and what hacking charges can be brought against suspected cyber criminals.
Sources: Crs.gov-federal laws, White House, RT.com
Public sector industry reported a huge number of data security incidents, while confirmed data loss cases were few and far between
Verizon 2015 Data Breach Investigation Report: Security Incidents by Victim Size & Industry
Columns: Industry; Number of Security Incidents (Total, Small, Large, Unknown); Confirmed Data Loss (Total, Small, Large, Unknown)
Public 50,315 19 49,596 700 303 6 241 56
Information 1,496 36 34 1,426 95 13 17 65
Financial Services 642 44 177 421 277 33 136 108
Educational 165 18 17 130 65 11 10 44
Healthcare 234 51 38 145 141 31 25 85
Retail 523 99 30 394 164 95 21 48
Utilities 73 1 2 70 10 0 0 10
Entertainment 27 17 0 10 23 16 0 7
Manufacturing 525 18 43 464 235 11 10 214
Transportation 44 2 9 33 22 2 6 14
Unknown 24,504 144 1 24,359 325 141 1 183
Total 79,790 694 50,081 29,015 2,122 573 502 1,047
Sources: Verizon Data Breach Report-2015
5 cyber security trends that will dominate the UK public sector in 2016
According to a ‘Public Service Digital Publication: 2015 Global Threat Intelligence Report (GTIR)’, 40% of malware attacks in the UK were against public sector organisations, which is almost 3 times more than the insurance sector (13%) and 5 times that of the media and finance sectors (9%).
Cyber security is now at the forefront. Public sector organisations hold information that would be of interest to cyber criminals looking to take advantage of any weaknesses in their defences. Here are five cyber security trends the public sector should watch in 2016:
– Not enough action and too much reaction: With executives, including CIOs and CEOs, increasingly coming into the spotlight when things go wrong, taking action over reaction must go to the top of every 'to do' list for the boardroom agenda.
– Back to basics: The 2015 GTIR highlighted the need for organisations to concentrate on getting the basics right. It showed that a staggering 76% of the vulnerabilities identified had been known for two or more years. Nearly 10% were over 10 years old. Getting the fundamentals right that put risk in context for organisations is the foundation of a coherent and thorough response plan.
– Intelligence-led approach: More widespread adoption of real time monitoring and advanced analytics with businesses responding quickly to incidents based on clear actionable intelligence.
– The resurgence of phishing: Vigilance around phishing emails, particularly spear phishing (targeted attacks), will be important in 2016.
– The ‘Visibility of Things’: The Internet of Things is most often linked to consumer goods, but it is becoming a more common idea within the public sector. From a security perspective, these new connected devices must be managed in line with an organisation’s overall security strategy. This will lead to the ‘visibility of things’, the need for organisations to monitor devices and the way they are being used.
Sources: Public Service Digital
Singapore has initiated National cyber security masterplan for public sectors
The infocomm security masterplans provide the strategic directions to guide Singapore's national efforts to enhance cyber security for public, private and people sectors.
The first Infocomm Security Masterplan (2005-2007) initiated Singapore’s coordinated approach to secure Singapore’s infocomm environment with key emphasis on providing public sector with capabilities to mitigate cyber threats.
In 2008, the ISMP was succeeded by the second Masterplan (2008-2012) that strove to make Singapore a ‘Secure and Trusted Hub’ with special attention paid to the nation’s critical infocomm infrastructure (CII).
A new five-year National Cyber Security Masterplan 2018 (NCSM2018) will continue to reinforce Singapore’s cyber security by intensifying efforts in the Government and CII as well as the wider infocomm ecosystem which includes businesses and individuals. It is developed through a multi-agency effort led by IDA under the guidance of the National Infocomm Security Committee.
The vision of NCSM2018 is for Singapore to be a “Trusted and Robust Infocomm Hub” by 2018. It aims to engender a secure and resilient infocomm environment and a vibrant cyber security ecosystem. The three key areas of NCSM2018 are to:
– Enhance the security and resilience of critical infocomm infrastructure
– Increase efforts to promote the adoption of appropriate infocomm security measures among individuals and businesses
– Grow Singapore’s pool of infocomm security experts
Sources: iDA.gov
Majority of the respondents from the Government, education & non-profit sector reported non-purchase of cyber insurance
According to Aon’s Global Risk Management Survey 2015 report, 28% of the respondents from the Government Public sector had already purchased cyber insurance.
However, 67% of respondents had neither purchased cyber insurance nor had plans to purchase it. A very small portion of respondents (6%) had plans to buy cyber insurance.
Education & Non-profits (which is assumed to be a part of the public sector) industry had about 32% of its respondents who had purchased cyber insurance. About 43% of respondents had neither purchased cyber insurance nor had plans to purchase the same.
26% of respondents belonging to ‘Education & Non-profits’ industry had plans to purchase cyber insurance.
[Chart: Aon Global Risk Management Survey 2015, Purchase of Cyber Insurance Coverage by Industry. Series: Insurance Currently Purchased; Not Purchased & No Plans to Purchase; Plan to Purchase]
Sources: Aon Global Risk Management Survey 2015
Majority of the respondents from the Government & education & non-profits industries felt existing cyber policy offered effective & adequate coverage
According to Aon’s Global Risk Management Survey 2015 report, about 100% of respondents from the ‘Government Sector’ were pleased with the effectiveness of existing cyber liability.
About 87% of respondents from ‘Educational & Non-profits’ industry were satisfied with the effectiveness of existing cyber liability.
According to Aon’s Global Risk Management Survey 2015 report, about 60% of respondents from ‘Government’ industry felt that current cyber coverage provided adequate cover from cyber liability.
Around 67% of respondents from the ‘Educational & Non-profits’ industry felt that current cyber coverage wasn't adequate to provide cover from cyber liability.
[Chart: Aon Global Risk Management Survey 2015, Effectiveness of Current Cyber Insurance by Industry]
[Chart: Aon Global Risk Management Survey 2015, Adequacy of Current Cyber Insurance by Industry]
Sources: Aon Global Risk Management Survey 2015
U.S. government hacked, largest data breach in public sector history
In June 2015, the United States Office of Personnel Management (OPM) announced that it had been the target of a data
breach targeting the records of as many as 18 million people.
The data breach, which had started in March 2014, and may have started earlier, was noticed by the OPM in April 2015. It
has been described by federal officials as among the largest breaches of government data in the history of the United States.
Information targeted in the breach included personally identifiable information such as Social Security numbers, as well as
names, dates and places of birth, and addresses.
On July 9, 2015, the estimate of the number of stolen records had increased to 21.5 million. This included records of people
who had undergone background checks, but who were not necessarily current or former government employees. Soon after,
Katherine Archuleta, the director of OPM, and former National Political Director for Barack Obama's 2012 reelection
campaign, resigned.
Sources: BBC News
City councils in UK have paid massive fines for data breaches & privacy breach incidents
Sources: Computerweekly publication; ICO publication; Islington Council Publication; Computerworlduk publication; Computerworlduk publication
Major Public Sector Data Breaches & Fines in UK
Month/Year | Organization | Quantum of Fine | Reason for Penalty | Country
Jan-16 | Midlothian Council | £140,000 | Council shared sensitive personal data about children and their carers to unauthorized people on 5 occasions during the period: January to June, 2011 | UK
Nov-15 | The Crown Prosecution Service | £200,000 | Information/videos containing police interviews/investigations were sent to a Manchester-based film company for editing. These videos were not kept secure | UK
Oct-15 | Islington Council | - | Council discovered third major data breach in the last 4 years. This time personal details including medical information and prison records were freely available on the council’s parking appeals website | UK
Aug-13 | Aberdeen City Council | £100,000 | An employee of the Council posted sensitive information relating to the care of vulnerable children online | UK
Aug-13 | Islington Council | £70,000 | Council released sensitive information of about 2,000 residents online. ICO imposed a fine of £70,000 | UK
Human error blamed for more than half of UK public sector data breaches
More than half of data breaches in the UK public sector originate from someone who has access to the systems, with loss in
many cases being accidental or due to human error, according to the Public Sector Data and Information Security
Survey.
Data loss due to internal access could be explained to an extent by multiple data ownership. Over 80% of respondents
claimed to be 'data owners', who can authorize or deny access to certain data. The 'data owners' are responsible for
accuracy, integrity and timeliness, but 19% of data owners didn't know how many other data owners there were within their
organization.
The survey covered 600 individuals from the entire public sector, with 68% of them belonging to local authorities, healthcare
and education; 28% of respondents were either at director or C-suite level, and 20% had either 'information' or 'IT' in their job
title.
The survey was undertaken to enable public sector employees to compare their practices with other organisations and
identify specific areas of concern, with the advent of the new General Data Protection Regulation (GDPR) across the 28
EU member countries.
A part of Article 8 of the European Convention on Human Rights, the GDPR replaces individual data protection acts across
the EU, and could be a challenge to data owners and practitioners.
The survey revealed that 65% of the respondents have serious concerns regarding data security within their organization,
with simple loss of data and errors of staff being the biggest concerns (60%), followed by compliance and IT system failures
(40%).
External hacking was a concern for more than 35% of the respondents, while the least concern was about denial of service
by hackers.
According to the survey, 60% said data security lapses in their organisations happened due to errors of staff, while 40% said
the breaches were because of simple loss of data.
Sources: Computer Business Review
Government dependence on IT systems
E-Government Infrastructure
• National Broadband Connectivity
• Management Optimization
• Public Management Systems
Online Services
• E-taxes, License and fine payments
• E-Voting
• Public tender system
• Applications for public services
• Citizen email
Public Utilities & Critical Information Infrastructure
• Electricity
• Gas
• Water
• Communications
• Media
Information storage has grown in volume and significance in the last decade as public sector responsibilities around service
delivery expand in the digital age. To put a figure on the volume of data governments are now dealing with, it was estimated that
US federal agencies alone store around 1.6 petabytes of data, and this is expected to grow to 2.6 petabytes by 2016. A data
center that is currently being built by the National Security Agency of the USA is estimated to have the capacity to store
between an Exabyte and a Yottabyte of data.
Types of Data Stored on Government Systems
Public Documents & Information
Sensitive Public Data
Internal Government Communications, Documentation, Email
Exchange Data
National Security & Defence Information
Intrinsic Data; Commercial Data; Personal Data
Sources: TRPC-2015 Cyber Threats To The Networked Government
Government Dependence on IT Systems
IT Spending by Governments
According to IT research and advisory firm Gartner, government organizations worldwide have spent around USD449.5
billion on IT projects (in 2013) down 0.1 percent from the previous year. However, this projected slowdown has to be taken in
context of previous spending: while the US, perennially the biggest spender, has slowed government IT expenditure in 2013,
between 2001 and 2012 government IT spending by the US increased from USD46 billion to USD81 billion, almost doubling
in the decade.
Australia’s public sector IT spending, is expected to post a year-on-year growth of 2.2 percent, to reach AUD10.7 billion by
2017. Most of these investments will be on software. New Zealand is also expected to grow its spending by 1.4 percent to
reach more than NZD1.6 billion. The trending growth areas in public sector IT spending are seen in mobile technologies, IT
modernization and cloud computing. Globally, spending on public cloud infrastructure is expected to reach nearly 108 billion
by 2017.
In 2014, the US government Department of Defense budget included an unprecedented USD447 million for the US Cyber
Command with an additional USD792 million for the Department of Homeland Security Cyber security team.
The UK government is spending GBP650 million between 2011 and 2015 on cyber security. In comparison however, the
Indian government budgeted just USD7.76 million for cyber security.
By 2020, 75 percent of IT budgets are projected to be set aside for rapid detection and response approaches – up from less
than 10 percent in 2012. Two problems arise for procurement professionals in Asia – the rise of infected computers and the
lack of experience in dealing with actual threats.
Sources: TRPC-2015 Cyber Threats To The Networked Government
Sources
Sources used for the study:
Breach Level Index database.
NetDiligence Cyber Claims Study – 2014 & 2015
Whitehouse News
Crs.gov-federal laws, RT.com
Verizon Data Breach Report-2015
Public Service Digital
IDA.gov
Aon Global Risk Management Survey 2015
BBC News
Trend Micro-OAS Country Survey
Computer Business Review
Best’s Review – 2016 a guide to cyber insurance
TRPC-2015 Cyber Threats To The Networked Government