The MoD has published its annual report and accounts. It is a whopping 217 pages long and takes some reading to get through. One organisation that has been through it, Parliament Street, has already started flagging up areas of concern. One of these is the number of data breaches (546), which is a rise of 18% on 2018/19.
Most of the breaches were for unauthorised disclosure, a catch-all category undefined in the report. However, seven incidents were deemed as very serious. All of these were reported to the Information Commissioner’s Office (ICO) for further action. However, the report does not say what action the ICO took, nor are there any details on the ICO website. It suggests that these are incidents waiting to be dealt with.
One category of breach not mentioned in the report is that from personal devices. Like any organisation, the MoD has large numbers of individuals with wearables, mobiles and other IT devices. Many of these have been shown to leak data through fitness apps and social media. There is no mention of these under the Corporate Governance Report or the section on Cyber.
Enterprise Times asked the MoD for more information about the unauthorised disclosures and breaches caused by personal devices. At the time of going to press, no reply had been received.
What other breaches did the MoD suffer?
There are two tables in the report. The first lists the seven incidents reported to the ICO that affect individuals’ data. It includes the nature of the incident and the number of people affected.
The second lists all other incidents that occurred, such as unauthorised disclosures. Losses from within secured Government premises show an increase of over 20% on 2018/19 and will concern the MoD. However, the report avoids detailing whether any of these included classified materials.
Cybersecurity expert Tim Sadler, CEO, Tessian, said: “Time and time again we see how simple incidents of human error can compromise data security and damage reputation. The thing is that mistakes are always going to happen. So, as organisations give their staff more data to handle and make employees responsible for the safety of more sensitive information, they must find ways to better secure their people.
“Education on safe data practices is a good first step, but business leaders should consider how technology can provide another layer of protection and help people to make smarter security decisions, in order to stop mistakes turning into breaches.”
Enterprise Times: What does this mean?
Like many other government departments, the MoD handles vast amounts of classified information. One of the challenges it faces is how widespread that information is and how to keep track of it. Mistakes do happen, and many of these incidents are likely to be just that. However, in the current cyber threat climate, the MoD is seeing a substantial number of attacks from outside agencies targeting materials it holds.
This report lacks any details on what has been lost and how, with seven exceptions. Was the data misplaced/lost/stolen internally or via a cyber-attack? Was the material related to current military operations or levels of preparedness?
The MoD has moved a long way over the last 20 years in terms of transparency, as this monster of a report shows. However, it is still too often obscuring every incident for fear of disclosing more than is necessary.
In addition to the threats to information held by the MoD, there is much still to be done in terms of personal cybersecurity training for serving personnel. Information spread over social media or trackable through wearables is too easy to gather. Without better training, the MoD will find that security gets harder and harder.