Experts at the World Economic Forum classified the threat of a cyber-attack as one of the top three most probable global risks of 2018, along with extreme weather events and natural disasters.
For the public sector, the cyber-attack threat is even more acute. Malignant actors have targeted the state and political organisations with forms of sabotage since government has existed. But the difference is that hacking into a government body by digital means can be done remotely by an unidentified actor, and can happen remarkably quickly.
And government bodies make appealing targets. They hold a variety of sensitive information that can be used by others for financial or other gain – whether that’s medical data, criminal records, or confidential civil service plans.
The UK public sector is fast embracing digital technology. In our own research, we found that 76.7% of public sector organisations said that they were undergoing digital transformation – the highest percentage of any sector we surveyed. This is largely a positive thing, making sure government works more efficiently and delivers better services.
However, taking on more digital technology can leave you more vulnerable to hackers.
Almost half of civil servants say that cyber-security is the biggest operational challenge facing their organisation.
How can government organisations embrace digital transformation while ensuring that their systems – and, critically, citizens’ data – are kept safe?
Going back to fundamentals
With the public sector fast adopting new ways of doing things in IT, it’s important to maintain some of the fundamentals of security. In 2017, the headline-grabbing Petya and Wannacry outbreaks exploited a vulnerability to software propagation that was known months before the attack.
What could have prevented the vulnerability? Patching. Patches are simply fixes and/or updates that address vulnerabilities in programmes or software. Innocuous enough, but clearly one that is too often overlooked.
It’s easy repeat the mantra “patch whenever necessary”, but business reality means that sometimes this isn’t the right move, depending on the context. For example, you might choose not to patch a critical vulnerability in a financial system if it’s the day before the end of the financial year, for fear of breaking the system.
One of the ways for public sector organisations to mitigate this risk is through Cyber Threat Intelligence (CTI). It can function as an early warning mechanism, pointing security professionals towards the vulnerabilities which should be a patching priority.
CTI is often referred to as a threat feed. However, faced with the kind of savvy and aggressive attackers that go after public sector organisations, the system shouldn’t just express the severity of the vulnerability as a technical risk.
Given the vital work that public sector organisations do, it should also communicate this risk in financial, business, and indeed human terms.
At its core, effective CTI provides strategic direction that cuts through the complexity of patch management, indicating where attention is most needed. For example, a threat advisory that addresses a vulnerability early can protect an organisation months before hackers begin developing a ransomware variant to take advantage of that vulnerability.
Taking the battle to the front lines
Ensuring public sector cyber-security is about more than just throwing technology at the problem.
The number one way of compromising an organisation’s security, even today, is still a phishing email with a malware exploit sent directly to an employee. Cyber attackers have a keen understanding of human error and the kind of mistakes ordinary people can make when confronted with an official-looking email.
According to our recent research, only 51 per cent of public sector organisations are confident that their employees have the right skills to take advantage of new technology. It’s reasonable to assume that these same people will also not have the correct knowledge to ensure that they’re using these technologies in a secure way.
In fact, upskilling users is one of the most cost effective ways of reducing the probability of a human error that leads to a cyber-attack. For budget-conscious public sector organisations, it’s a good way to bolster the first line of defence. The generic, one-off IT training session isn’t enough –it needs to be adapted to how employees are using their technology and the kind of tools they use on a regular basis, as well as their seniority.
A confident public sector
The public sector touches almost every facet of life in the UK, from business to education to health. It has an admirable ambition to use digital technology to transform how government functions in this country, a goal which would deliver all kinds of gains to citizens and civil servants alike. It’s vital that public sector organisations know that they can embrace the future safely, without exposing themselves to malignant actors in cyberspace.
A two-pronged approach can help them tackle the risk. By ensuring that their employees understand the risks and use digital tools in a secure way, public sector organisations can ensure that they have a strong first line of defence. Investing in the latest and best of security technology and controls – whether that’s CTI or machine learning-fuelled monitoring – will be the first step in proactively identifying and managing threats instead of waiting for breaches to happen.
Latest posts by Paul McEvatt (see all)
- How the public sector is keeping UK citizens safe from cyber-attack - July 23, 2018
- The Year Ahead: Five Key Thoughts on Cyber Security In 2018 - January 5, 2018
- Petya, Medoc and the delivery of malicious software - June 30, 2017