Kieran O’Driscoll, Public Sector Business Lead at CyberArk discusses the challenges faced by public sector firms when it comes to balancing cost-effective cyber security with the need to secure the personal details of millions of UK citizens
News of cyber attacks and data breaches has become a regular occurrence in the media, providing a constant reminder of the need for organisations to have a robust cyber security strategy. Because it is mostly the private sector that grabs the headlines, it is often overlooked that the public sector is also increasingly falling victim to similar incidents. Local authorities and councils in the UK are in fact hit by an average of 800 cyber attacks every hour, with more than 263 million incidents noted in the first six months of 2019 alone, according to a Freedom of Information request earlier this year.
As a result, public sector organisations – already facing stretched budgets – often face hefty fines in the event of failing to secure their systems and data. Under the terms of GDPR, non-compliance can cost businesses up to 4% of their global annual turnover – or up to 20 million Euros. Such punishment for a public sector organisation could be devastating for the provision of public services.
Being unable to comply with GDPR can mean more than just a fine, of course. It can indicate that sensitive citizen data – such as medical records – or critical systems are vulnerable to exploitation or takeover. This not only threatens the credibility and financial viability of public sector organisations but in the worst cases puts the health and wellbeing of citizens at risk.
Added to this, cyber security professionals working in the public sector paint a bleak picture of their current cyber security strategy. According to a recent CyberArk study, almost half believe attackers will get into their organisation’s network every time they try, while two-thirds admit their organisation is susceptible to a carefully crafted attack. Compounding this, most continue to exhibit worrying security and compliance practices: our study indicated that globally, more than a third (36%) would be more willing to pay fines for non-compliance than actually change their cyber security strategy after a successful attack.
These statistics make for alarming reading when we consider how much sensitive data is held by public sector organisations. The NHS alone holds the medical histories of millions of UK patients, while local councils hold intimate personal data on file including the names, addresses, bank account details and even religious beliefs of members of the public. The WannaCry cyber attack, where IT systems across 16 NHS sites were crippled by a sudden inability to access core functions, serves as a stark reminder of how devastating a widespread cyber attack can be.
Decluttering the current security landscape
Currently, cyber security measures in the public sector consist largely of firewall-based perimeter security. On top of this, public sector organisations continue to rely on VPNs as their de facto solution for securing access to sensitive information. They also tend to layer new enterprise applications and accompanying security measures over existing legacy systems, which creates a patchwork of technology systems and security practices and, in turn, security holes that attackers can compromise. Although updating record-keeping, undertaking audits and implementing basic controls can mitigate this, public sector organisations need a more holistic approach to managing their cyber security and reducing the risk of a successful attack.
Thankfully it’s not all doom and gloom, and the public sector is starting to take positive steps to address cyber security gaps. Many have begun assessing the vulnerabilities in their own systems as the first step towards adjusting their cyber defence policies. Our study found that almost half of public sector organisations (41%) believe their biggest threat comes from inside the business, showing that such exercises can be valuable in uncovering loopholes created by employees. Often these are not intentional, but where poor password management practices are in place, employees’ accounts can become extremely vulnerable to hackers. Two other common human errors that create vulnerabilities are the accidental corruption or modification of critical data and the copying of data to unsecured devices. Regardless of their cause, once these issues are identified public sector organisations must act quickly to reduce their prevalence and better protect their systems and data.
Protecting what matters most
To safeguard highly sensitive information against internal and external threats, public sector organisations must closely examine how they monitor and control privileged accounts (those with sensitive access to critical networks, systems and applications). It is also imperative that they back up all mission-critical data and files that may be targeted by hackers. Consistently patching endpoints and servers can dramatically reduce the attack surface that hackers can exploit.
Employee education is also essential to better defend public sector organisations against attackers, because attackers often begin their malware attacks with targeted phishing campaigns built on social engineering techniques. In fact, according to research by the Ponemon Institute, 57% of cyber breaches in 2019 were a result of phishing. Hence, it is essential for public sector firms to educate their employees on the various kinds of phishing attack that can take place, and how to avoid falling victim to them. Technical controls on the endpoint matter just as much: removing local administrator rights, for example, creates a firm foundation for effective endpoint security. By implementing a combination of least privilege and application control policies on endpoints and servers as part of a larger zero-trust approach, public sector firms can mitigate the risk of malware spreading from its initial infection point and escalating privilege following a successful phishing attack.
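The first practical step behind "removing local administrator rights" is knowing who actually holds them on each machine. The script below is an added example, not code from the article or from CyberArk's products: it audits the local Administrators group on a Windows endpoint against an approved list, reports any unexpected member, and only removes members when explicitly asked to. It assumes Windows 10 / Server 2016 or later (the Microsoft.PowerShell.LocalAccounts module), an elevated session, and a hypothetical approved list (`CONTOSO\Workstation Admins` is a placeholder to replace with your own group).

```powershell
<#
Added example, not from the article or CyberArk: audit the local Administrators
group against an approved list of principals and report (optionally remove)
any member that should not hold local admin rights.
Assumes Windows 10 / Server 2016+ and an elevated PowerShell session.
Without -Remove the script only reports; with -Remove it honours -WhatIf.
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Hypothetical approved principals; replace with your organisation's own list.
    # The built-in Administrator account is reported as COMPUTERNAME\Administrator.
    [string[]]$Approved = @("$env:COMPUTERNAME\Administrator", 'CONTOSO\Workstation Admins'),
    [switch]$Remove
)

# Enumerate every user and group currently in the local Administrators group.
$members = Get-LocalGroupMember -Group 'Administrators'

# Build a full record of what was checked so the audit trail is complete,
# not just the exceptions.
$report = foreach ($m in $members) {
    [pscustomobject]@{
        Computer = $env:COMPUTERNAME
        Member   = $m.Name
        Type     = $m.ObjectClass      # User or Group
        Source   = $m.PrincipalSource  # Local, ActiveDirectory, AzureAD, ...
        Approved = [bool]($Approved -contains $m.Name)
    }
}

$report | Format-Table -AutoSize

$unexpected = $report | Where-Object { -not $_.Approved }
if (-not $unexpected) {
    Write-Output "No unexpected local administrators on $env:COMPUTERNAME."
    return
}

foreach ($u in $unexpected) {
    if ($Remove -and $PSCmdlet.ShouldProcess($u.Member, 'Remove from local Administrators')) {
        Remove-LocalGroupMember -Group 'Administrators' -Member $u.Member
        Write-Output "Removed $($u.Member) from Administrators on $env:COMPUTERNAME."
    } else {
        Write-Warning "Unexpected local administrator: $($u.Member) ($($u.Type), $($u.Source))"
    }
}
```

Run it without switches first to see the report; then `.\Audit-LocalAdmins.ps1 -Remove -WhatIf` shows what would be removed without changing anything, and `-Remove` alone enforces the list. Keeping the approved list as data rather than hard-coding it makes the same script usable across a whole estate when pushed through a management tool, which is where least privilege starts to pay off.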
As the frequency and complexity of cyber attacks increase exponentially, robust cyber security not only helps avoid monetary and reputational losses but also reduces the risk of sensitive data falling into the wrong hands. Security policies must shift from being reactive to being proactive, incorporating new technologies whilst overcoming the growing vulnerabilities in the networks, to help deliver best-in-class services.