The level of trust in an organisation affects the levels of use and engagement with its services. Where there is choice, such as private sector services including banks, insurance providers or utility services, consumers will choose the provider they believe will provide the best value and quality of service.
Where they don’t trust the service provider, perhaps if they have received poor service or the organisation has suffered a significant data breach, the consumer can easily move to another provider. However, in cases where there isn’t an obvious alternative, such as local authorities or the police service, citizens may ultimately avoid contact with the services they don’t trust.
This can have a direct impact on how well public services meet the needs of the public. The danger here is that if citizens are less willing to use or support services such as the police in reporting crimes or acting as witnesses, it can have an adverse impact on crime prevention and detection. Clearly, a lack of trust can impact both the citizen and service provider.
But can trust be improved? The answer varies across different organisations and at different levels. Often trust will reflect the public view of the government’s handling of a crisis or large event and this can be difficult to influence on a smaller scale. However, trust in local authorities or the police service can often be detached from trust levels in government or parliament, and there are steps that local public sector organisations can take to be credible and trustworthy.
These can include the way in which they handle citizen data – having confidence in how your local authority handles and protects your data can go a long way in building credibility and trust. For example, a high-profile data breach and a subsequent fine from the Information Commissioner’s Office for inadequate security controls or processes, will likely reduce public trust in your organisation.
Sometimes knowing where to start in terms of security can seem quite daunting, so here are some measures that can be implemented to improve security and reduce the risk of data breaches in your organisation:
Security foundations
Often we spend a large proportion of our limited budgets on new products and technology, but we don’t always get right the foundations which are vitally important to reducing the risk facing your organisation. These include implementing access control to ensure that your employees have the right level of access to perform their role and adopting the least privilege concept where employees only have access to what they require. Other steps include patching your equipment (servers, laptops, desktops, etc) on a regular basis, installing malware protection, reviewing rulesets on boundary firewalls and gateways and ensuring secure configuration of your equipment.
Information security awareness training is a low-level expense to organisations and provides effective results. Train your staff on policies and procedures so they are educated as to what they should and should not be doing. Provide education through a multitude of methods – a post on your intranet site, classroom-based sessions and drop-in clinics are all effective methods. Deliver training in a way that is suitable and applicable for your audience. Front line customer service staff won’t comprehend technical jargon so deliver your message in a way that they will understand. Using rhymes such as “Control, Alt and Delete before you leave your seat” and “it’s absurd to share your password” work as these are memorable and have an element of fun that encourages the message to stick. The insider threat is the largest security concern within any organisation, make sure you address it through the education of staff.
Policies and Procedures
Policies and procedures are key in providing guidance to employees. Here, avoid using jargon – the reader needs to understand what is being communicated to them within the policy. Make your policies and procedures readily available to all staff and keep them up to date.
Conduct regular penetration testing of your organisation’s systems and network. It is vital to know if any vulnerabilities exist. Follow up any penetration test to manage the vulnerabilities found and track their progress right through to remediation.
Tabletop exercises can also help organisation examine their processes in a “test” environment. It is great to have procedures, but do they work in practice? Conducting an exercise of this nature and bringing together those individuals that will invoke the procedure in a real situation is a worthwhile exercise – it raises people’s awareness of their role and responsibility, tests your response capacity, and most importantly will test the merit of the procedure.
Certifications and Accreditations
Certifications and accreditations such as PSN, ISO27001, PCIDSS and Cyber Essentials + are not just pieces of paper – they bring a real sense of achievement and pride to any organisation. I have found that after undertaking the journey towards compliance employees want to keep security at an optimum level, they have been instilled with a new positive outlook on security. Non-Information Security personnel are able to see the result (the certification or accreditation award) of the work they have put in. They gain a newfound respect for their organisation and want to ensure the accreditation is retained. Certifications and accreditations also show the outside world that the organisation takes security seriously and provides the consumer with reassurance that their personal data is secure.
The monitoring of systems, applications, user activity, and external connections is crucial to the awareness of everyday activity and detecting any changes from the norm. A SIEM (Security Incident and Event Monitoring) system is recommended for this which allows alerts from multiple servers and desktops to be reported upon in one central location. Organisations looking to invest in a SIEM need to consider whether they have the skills and capacity internally to manage the alerts, or whether it would be better placed as a managed service – for example, tasking a third party SOC (Security Operations Centre) to manage these alerts and investigations on your behalf and work with you to address the root cause.
Implementing these measures together will help increase the level of security within your organisation, reduce your level of risk exposure and help to build and maintain public trust.