Cybercrime is clearly a big problem and the nation-state risk has been well publicised and then there’s been a lot of scaremongering around it. What is the truth regarding the need to protect and should organisations look for on premise security or is cloud better?
My first view is that the risk for all of us is in the battle between the cyber criminal, whether they are state actors or whether they’re just criminals. In that battle between them and the citizen we risk entering into a security arms race which will very quickly lead to casualties in terms of affordability.
I don’t feel qualified to say, as an absolute, that cloud is safer than on-premises infrastructure. However, the majority of organisations will never be able to spend the amount of money that the likes of Microsoft do spend on security and, as the need for security becomes more and more critical, that could mean organisations end up spending lots and lots of money they can ill afford.
Is it a case therefore that cloud is more secure by default? Could you argue that there is an inherent level of protection built in by the tech giants because their reputations are on the line?
I think that’s my instinctive feeling, yes. What authority have I got to say that? Well, when we considered moving policing to the cloud, which we are doing – the national programme I am SIRO for is moving office files and documents onto the cloud (not intelligence files) – we looked at the security risk assessment. Essentially, I’m the Information Risk Owner, so I need to be sure of the security of what we are doing and the security of the information. What came out of that was the regimes that the big organisations build around their cloud networks mean that it is secured. The default starting position is more secure, although of course the reality is that we are also subject to loss of data from our own people.
I think that’s a very long-winded way of saying in broad terms, for general use for businesses and people, that the cloud is a secure way of doing business. For the individual citizen as well, if you think about it, if you store all your personal information on your local PC, your hard drive and that gets corrupted or somebody to have malware, then you’ve lost it. If it’s stored in the cloud, it’s a lot more secure.
Based on your experience with what you’re doing with police data and the cloud, do other public sector organisations need to pull together on this and by pulling together, does it then facilitate safer, easier sharing of data?
I think everyone’s looking at the issue of secure data – including the likes of the health service. Interestingly, I gave a presentation not that long ago to a London health trust about cyber security. They asked me that very question around whether anyone in the health service is looking at this across all the breadth of the NHS. The good news, I subsequently found out, is that they are!
What I would say is that I’m really keen to share my experience in policing with other public sectors. However, I’m not quite in a position to do that yet, because I haven’t actually done the move yet! We’ve got a couple of forces that are good to go, and work has started on migrating them to the cloud. If that works, the rollout will begin in earnest next year. At that point I’ll be properly ready to share my experience with other public sector organisations, particularly local government, who I think need some support if I’m honest with you.
Do you think that sharing experiences around data, cloud and security can help the public sector take advantage of the fact that cloud can be the great enabler of transformation?
Undoubtedly, yes. I think there’s an element of the unknown that needs to be overcome and anything we can do to share experiences – good and bad – can help. For example, I’m really keen to emphasise one lesson I quickly learned – that we need to try as best we can to work on improving how we store our data, before we make the big move. The reason for that is partly because you don’t want to move it, even though the cost per gigabyte or whatever is significantly less than it used to be.
The other issue is that if you have sorted out your data, it will be far easier to share it with other organisations. Bluntly, we don’t know all the data that we currently hold in policing. That means we don’t have the ability to share it with anyone else. That’s an issue for us. It’s a bit like moving house, isn’t it? You should really use the opportunity to spring clean and chuck out the chintz and declutter, so that you’re only paying for one removal van instead of two.
Will sorting out data storage encourage greater data sharing?
Yes. I think it will. I think already the tools that we’re using in the programme that I’m SIRO for, will by nature encourage that. What do I mean by that? On one level, all we’re doing is we’re moving our storage of data from hard servers to the cloud, that’s not really the issue. The issue is that we’re adopting the Office 365 platform which is cloud based, but actually it has the tools that enable us to do far more effective working.
Things like Skype for Business and the ability to link in with partners is far more significant than we have available at the moment. In those areas that we’re currently piloting, Cumbria most notably, there are examples already where they’ve got a missing person and they’re immediately setting up telecoms with local authorities and other agencies to share data. It’s a real driver and enabler of data sharing.
Do you see any barriers to data sharing?
We’ve got a little bit of a challenge, I think, which I don’t want to overplay, with the GDPR legislation. Unfortunately, it’s militated against sharing, which worries me. I always think instead of a Data Protection Act, we should have a data sharing act. As far as I’m aware, unless somebody’s going to tell me otherwise, nobody’s died as a result of sharing information with good intent. But people have died because data hasn’t been shared. To me it’s a no-brainer.
I think people got a bit worried about being prosecuted and all the massive fines that the Information Commissioner can levy under the act. If you listen to the Information Commissioner, which I have on many occasions, she gets frustrated that when you talk about GDPR, the conversation quickly shifts to the big fines. That’s despite her emphasising over and over again that fines are the last thing the ICO wants to be doing.
That is a challenge and one we need to work through. That’s because cloud gives us the chance to be far more effective in our sharing of information. We can’t miss out on that.