Michael Paye, CTO, Netwrix, discusses how public sector organisations can protect sensitive data in the era of virtual communications
The public sector often faces higher expectations to deliver quickly, at a lower cost, and to a better standard than demanded from private businesses. Unfortunately, due to constrained budgets and legacy processes, public sector organisations often don’t have the right IT tools or employee processes in place to ensure the smooth and speedy delivery of services required.
Furthermore, with many public services revolving around the care of vulnerable individuals, gaps can appear when the processes or systems in use are time-consuming or cumbersome and following them would take resources away from the individuals being cared for. This often leads to holes in cyber security defences, leaving the public sector open to increasingly sophisticated attacks. The person being cared for is, of course, the priority for resource allocation, so systems and processes should be constructed to be as simple and efficient to follow as possible.
Modernising collaboration
The recent global pandemic highlighted more than ever the need to modernise many public sector processes. Netwrix research shows that since the pandemic hit, the share of government bodies interested in digital transformation has doubled from about a quarter (26%) pre-pandemic to over half (56%) currently, which is a good sign.
No area has demanded a review of IT infrastructure more than remote working. With the sudden, almost overnight, requirement for employees to work from home, the security of collaboration tools has been one of the areas of technology placed under the spotlight.
Recently, the NHS migration of all communications to Microsoft Teams was widely applauded for strengthening its cyber defences. When the pandemic initially forced the healthcare sector to urgently look for means of communication to continue supporting medical staff on the front lines, most NHS organisations, unfortunately, did not choose any platforms but relied on employees to find ways to stay in touch and share data using free or personal tools. Historically, a lack of adequate investment in technology has left the NHS in a vulnerable position. Some two years after a ransomware attack in 2017, the NHS was still found to be running Windows XP on over 2000 machines, which on its own is a significant vulnerability. So the NHS targeting modern cloud-based platforms to further collaboration can be seen as a positive move that will help it ensure that data is secured.
New processes mean new data
We must acknowledge, however, that there is no silver bullet technology that public sector organisations can acquire to completely eliminate cyber threats. The increased use of cloud collaboration tools leads to new questions around data privacy and security that did not exist before. For example, the pandemic will have forced healthcare organisations from various countries to connect online urgently and in real time, and they may not have been secure when discussing confidential patient data; there would not have been the time or resources dedicated to ensuring that data was stored and dealt with correctly. Even if that data was deleted, it could very well be sitting in a backup on SharePoint or in one of the two stages of the Recycle Bin. Securing data and ensuring privacy compliance at that point becomes increasingly tricky.
Take educational institutions as a further example. Our research shows that even before COVID-19 hit, only 4% of educational institutions had implemented a data retention programme, while 57% of educational organisations rarely or never purged their unneeded data. This can be because many educational organisations have small IT teams who have to manage hundreds of thousands of user accounts within their schools, and, wearing multiple hats, they simply do not have time to cleanse data properly. Yet educational organisations handle vast amounts of sensitive data, such as personally identifiable information of students, financial information, and even health information – and this only grew with the majority of educational services around the globe going online. At the same time, failure to delete such data or to eliminate its overexposure in a timely manner might lead to data breaches and hefty consequences in terms of both money and reputation.
Arm employees with the right tools
A large part of cyber risk involves a human factor – that is, a single error can lead to a leak of valuable data. Any public sector teams that have had to suddenly switch to virtual communications on collaboration tools like Microsoft Teams must not get complacent and forget that a thorough cyber security strategy is a combination of the right technologies, risk management processes and a security-centric culture rather than any piece of technology alone.
To maintain cyber defences as collaboration tools become increasingly necessary for day-to-day operations, public sector organisations must constantly review and monitor the type of content being shared and the permissions associated with that content. Staff must also be proactively trained on the appropriate ways to use and share information with these tools, an endeavour that should be driven by both IT and HR teams, where possible pulling in a third-party team to ensure the right kinds of examples are being taught and to truly get buy-in and understanding from employees. The good news is that our research found 38% of government organisations now plan to prioritise IT staff education. Pre-pandemic, it was only a priority for 20% of respondents.
The public sector must also consider legislation like GDPR and how it must shape the day-to-day usage of data. With various political changes taking place in the UK landscape, it is important that government bodies future-proof themselves against whatever new domestic or international regulations replace GDPR or other policies currently in place.
Ultimately, the pandemic has forced many government bodies and public sector organisations to examine whether their technology infrastructures are fit for purpose in our new normal, with enabling communication and collaboration between staff across the country – and cross-country – being a priority. In order to ensure that the rising amount of data flying around stays protected, organisations must prioritise forming healthy data habits, educating their staff, and having the right processes and technologies in place to prepare the country’s services for whatever is to come.