
What the UK Government’s Data Breach Review Means for Security Leaders

Systal’s Head of Security Services, James McGoldrick, analyses the key findings and learnings for CISOs and IT Leaders to prevent data leaks, strengthen governance and build a resilient security culture


The UK government has just released its long-awaited Information Security Review, following pressure from the Science, Innovation and Technology Committee chair.

The review itself was triggered by a string of high-profile public sector breaches, including the PSNI spreadsheet leak exposing officers’ identities, misdirected MoD emails, and staff using WhatsApp to share patient data.

The common thread? These incidents were not the result of external threat actors, but of human error, enabled by poor processes and gaps in governance.

I have taken some time to read and consider this report, and three things stood out to me as recurring themes in this industry:

  • Uncontrolled data exports – sensitive datasets not being redacted accurately or correctly before being shared publicly, or datasets being shared in a way that leaves them exposed to access by the wider public.
  • Email errors – misaddressed mail or visible CC fields inadvertently exposing other people’s personal details.
  • Hidden data in documents – personal info left lurking in spreadsheets or metadata that went public.

None of these are “sophisticated attacks”: they are mistakes, often made in good faith, but with devastating impact.
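The third theme above, hidden data in spreadsheets and document metadata, is one of the few that can be checked mechanically before a file leaves the organisation. The following is an added example, not code from the original post or from Systal: it treats an .xlsx as what it is, a zip of XML parts, and lists the usual carriers of hidden data (hidden sheets, hidden rows and columns, cell comments, and the author fields in docProps/core.xml) using only the Python standard library. The sample workbook, its sheet names, the person name in the hidden row and the author values are all constructed for the example.

```python
"""Pre-release check for hidden data inside an .xlsx workbook.

Added example using only the standard library: an .xlsx is a zip of XML parts,
so hidden sheets, hidden rows/columns, cell comments and author metadata can be
listed without opening the file in Excel. The sample workbook is constructed
here for the example; its names and values are not from any real file.
"""
import io
import zipfile
import xml.etree.ElementTree as ET
from typing import List, Tuple

NS_MAIN = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"
NS_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
NS_DC = "http://purl.org/dc/elements/1.1/"
NS_CP = "http://schemas.openxmlformats.org/package/2006/metadata/core-properties"


def build_sample_xlsx(hidden: bool = True) -> bytes:
    """Constructed workbook. hidden=True carries a hidden sheet, a hidden column
    and row, a cell comment and author metadata; hidden=False is the sanitised
    equivalent a release reviewer should expect to see."""
    state = ' state="hidden"' if hidden else ""
    flag = ' hidden="1"' if hidden else ""
    workbook = (
        f'<workbook xmlns="{NS_MAIN}" xmlns:r="{NS_REL}"><sheets>'
        f'<sheet name="Summary" sheetId="1" r:id="rId1"/>'
        f'<sheet name="Staff list" sheetId="2"{state} r:id="rId2"/>'
        f'</sheets></workbook>'
    )
    sheet1 = (
        f'<worksheet xmlns="{NS_MAIN}"><cols><col min="3" max="3" width="12"{flag}/></cols>'
        f'<sheetData><row r="1"><c r="A1" t="inlineStr"><is><t>Region</t></is></c></row>'
        f'<row r="2"{flag}><c r="A2" t="inlineStr"><is><t>Jane Doe (constructed)</t></is></c></row>'
        f'</sheetData></worksheet>'
    )
    sheet2 = f'<worksheet xmlns="{NS_MAIN}"><sheetData/></worksheet>'
    comments = (
        f'<comments xmlns="{NS_MAIN}"><commentList><comment ref="A1"><text>'
        f'<t>internal only, do not publish</t></text></comment></commentList></comments>'
    )
    creator = "j.smith" if hidden else ""              # constructed author value
    editor = "analyst-laptop-07" if hidden else ""     # constructed lastModifiedBy value
    core = (
        f'<cp:coreProperties xmlns:cp="{NS_CP}" xmlns:dc="{NS_DC}">'
        f'<dc:creator>{creator}</dc:creator>'
        f'<cp:lastModifiedBy>{editor}</cp:lastModifiedBy></cp:coreProperties>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("xl/workbook.xml", workbook)
        z.writestr("xl/worksheets/sheet1.xml", sheet1)
        z.writestr("xl/worksheets/sheet2.xml", sheet2)
        z.writestr("docProps/core.xml", core)
        if hidden:
            z.writestr("xl/comments1.xml", comments)
    return buf.getvalue()


def scan_xlsx(data: bytes) -> List[Tuple[str, str]]:
    """Return (category, detail) findings for every hidden-data carrier found."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = sorted(z.namelist())
        if "xl/workbook.xml" in names:
            wb = ET.fromstring(z.read("xl/workbook.xml"))
            for sheet in wb.iter(f"{{{NS_MAIN}}}sheet"):
                # state is "visible", "hidden" or "veryHidden"; anything but visible is a finding
                if sheet.get("state", "visible") != "visible":
                    findings.append(("hidden_sheet", sheet.get("name", "?")))
        for name in names:
            if name.startswith("xl/worksheets/") and name.endswith(".xml"):
                ws = ET.fromstring(z.read(name))
                for col in ws.iter(f"{{{NS_MAIN}}}col"):
                    if col.get("hidden") in ("1", "true"):
                        findings.append(("hidden_column", f"{name}:{col.get('min')}-{col.get('max')}"))
                for row in ws.iter(f"{{{NS_MAIN}}}row"):
                    if row.get("hidden") in ("1", "true"):
                        findings.append(("hidden_row", f"{name}:{row.get('r')}"))
            elif name.startswith("xl/comments"):
                # a comments part means reviewer notes are travelling with the file
                findings.append(("comments", name))
        if "docProps/core.xml" in names:
            core = ET.fromstring(z.read("docProps/core.xml"))
            for tag in (f"{{{NS_DC}}}creator", f"{{{NS_CP}}}lastModifiedBy"):
                el = core.find(tag)
                if el is not None and el.text:
                    findings.append(("metadata", f"{el.tag.split('}')[1]}={el.text}"))
    return findings


def release_gate(data: bytes) -> bool:
    """True only when no hidden-data carrier was found; use as a pre-publication check."""
    return not scan_xlsx(data)


if __name__ == "__main__":
    for category, detail in scan_xlsx(build_sample_xlsx()):
        print(f"{category:14s} {detail}")
    print("sanitised copy passes gate:", release_gate(build_sample_xlsx(hidden=False)))
```

A scanner like this belongs in the approval step before publication, not instead of it: it reports what is there, and a second person still decides whether the visible content itself is safe to release.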

Lessons for CISOs and IT Leaders

The review highlights areas every organisation should be thinking about:

  • Control data exports: Monitor, approve, and apply DLP to large downloads. Utilise existing Data Loss Prevention technologies to help catch honest mistakes before they turn into a disaster!
  • Sanitise files before release: Avoid Excel/Word for public outputs; convert to CSV/PDF to strip hidden data. Put separation of duties or a multi-person approval step around data sharing and exports, so that there is more than one chance to catch inadvertent data disclosure.
  • Prevent email mishaps: Train staff and configure mail systems to warn on or block risky sends. Use DLP tools to scan and alert on emails that contain potentially sensitive data being sent to external or untrusted recipients.
  • Provide safe communication channels: If you don’t, there is a risk that staff will use WhatsApp/Dropbox anyway.
  • Test new systems properly: Don’t assume redaction/encryption features work – prove it.
  • Clarify accountability: Who owns data security in your org? Is it clear?
  • Build a culture of data safety: Awareness training and good habits are just as important as technology.
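The “prevent email mishaps” point above combines two of the review’s incident types: personal data sent to the wrong external recipient, and a visible Cc list that exposes recipients to each other. The following is an added example, not code from the original post or from Systal, of the kind of rule a mail DLP step would apply to an outbound message. It uses only the Python standard library; the internal domain, the Cc threshold, the addresses and the message text are all constructed for the example, and it looks for NHS numbers as its sample of “potentially sensitive data”, validating the mod-11 check digit so that booking codes and phone numbers with the same shape are not flagged.

```python
"""Outbound-mail check for the two email failure modes named in the review.

Added example using only the standard library: it parses an outbound message,
classifies recipients as internal or external by domain, looks for NHS numbers
in the body (validated with the NHS mod-11 check digit), and warns when a long
visible Cc list would expose recipients' addresses to each other. The domains,
threshold and message below are constructed; they are not from any real organisation.
"""
import re
from email import message_from_string
from email.utils import getaddresses
from typing import List, Tuple

INTERNAL_DOMAINS = {"trust.example"}   # assumed: the organisation's own mail domains
MAX_VISIBLE_EXTERNAL = 5               # assumed policy: more than this in Cc should be Bcc

# Ten digits, optionally grouped 3-3-4 with spaces or hyphens
NHS_NUMBER_RE = re.compile(r"\b(\d{3})[ -]?(\d{3})[ -]?(\d{4})\b")


def nhs_check_digit_ok(num: str) -> bool:
    """NHS number validation: weights 10..2 over the first nine digits, modulo 11."""
    if len(num) != 10 or not num.isdigit():
        return False
    total = sum(int(d) * w for d, w in zip(num[:9], range(10, 1, -1)))
    check = 11 - (total % 11)
    if check == 11:
        check = 0
    if check == 10:
        return False  # a remainder of 1 never yields a valid number
    return check == int(num[9])


def find_nhs_numbers(text: str) -> List[str]:
    """Return candidate NHS numbers in text whose check digit is valid."""
    return [
        "".join(m.groups())
        for m in NHS_NUMBER_RE.finditer(text)
        if nhs_check_digit_ok("".join(m.groups()))
    ]


def is_external(addr: str) -> bool:
    return addr.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS


def check_outbound(raw_message: str) -> List[Tuple[str, str]]:
    """Return (action, reason) pairs; an empty list means the send is allowed."""
    msg = message_from_string(raw_message)
    to = [addr for _, addr in getaddresses(msg.get_all("To", []))]
    cc = [addr for _, addr in getaddresses(msg.get_all("Cc", []))]
    external = [a for a in to + cc if is_external(a)]
    body = msg.get_payload() if not msg.is_multipart() else ""  # plain-text messages only
    findings = []
    nhs_numbers = find_nhs_numbers(body)
    if nhs_numbers and external:
        findings.append(("block", f"{len(nhs_numbers)} NHS number(s) in body addressed to "
                                  f"{len(external)} external recipient(s)"))
    elif nhs_numbers:
        findings.append(("warn", f"{len(nhs_numbers)} NHS number(s) in body; internal recipients only"))
    visible_external = [a for a in cc if is_external(a)]
    if len(visible_external) > MAX_VISIBLE_EXTERNAL:
        findings.append(("warn", f"Cc exposes {len(visible_external)} external addresses "
                                 f"to each other; use Bcc"))
    return findings


# Constructed outbound message: one external To, six external Cc, one real-format
# NHS number (9434765919 is the widely used test value) and one look-alike code.
SAMPLE_MESSAGE = """\
From: clinic-admin@trust.example
To: partner@supplier.example
Cc: p.one@example.net, p.two@example.net, p.three@example.net, p.four@example.net, p.five@example.net, p.six@example.net
Subject: Follow-up list
Content-Type: text/plain; charset=utf-8

Patient NHS number 943 476 5919 needs a callback this week.
Reference 123 456 7890 is a booking code, not an NHS number.
"""

if __name__ == "__main__":
    for action, reason in check_outbound(SAMPLE_MESSAGE):
        print(f"{action.upper():5s} {reason}")
```

The check-digit step is what keeps a rule like this usable: without it, every ten-digit phone number or reference would trigger a block and staff would learn to ignore the warnings, which is the culture problem the review describes.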

At Systal, we work with companies to turn these lessons into practice, from security strategy and policy design, to configuring Microsoft 365 and other security solutions for safer data handling, to 24/7 SOC monitoring and incident response. We also run awareness training and culture programmes, because people are your first line of defence.

Final Thoughts

The hardest part isn’t buying the right tech – it’s getting governance, culture, and accountability right. As the report itself shows, one missed BCC or hidden spreadsheet tab can undo millions in investment and years of trust.