Nick Denning, CEO of IT consultancy Diegesis and veteran of multiple successful digital transformation projects, outlines the strategies which organisations can take to protect against public sector cyberattacks and mitigate the effects if cyber criminals do break through
As the threat of public sector cyberattacks continues to grow and the impacts become ever more devastating, here are the strategies that organisations can take to protect against attacks and mitigate the effects if cyber criminals do break through.
Successful public sector cyberattacks are too common
Successful public sector cyberattacks occur regularly and, in too many cases, are caused by old and vulnerable technologies. IT managers’ warnings were not heeded, and resources for necessary upgrades were not found.
A recent ICO notice of intent to fine a software vendor around £6 million arose from the vendor not enforcing two-factor authentication (2FA) on the account the attackers used for initial access. Public sector organisations should be held to the same standard as commercial best practice. Managers in the public sector need to demand the resources to secure their organisations. Here, we explore how best to make the case.
Cyber security risk: Where do you start?
If you cannot measure it, you cannot monitor it. Monitoring establishes the level of risk you currently face, and that measurement is what justifies an investment business case. Mitigation activity reduces the probability of a successful attack; contingency planning reduces its impact. The same monitoring then shows whether the risk has actually fallen once the changes are made.
Existing plans for capacity management, business continuity, disaster recovery and data integration, typically have defined strategies, policies and procedures, but they may need review.
Time spent on reconnaissance is seldom wasted. When developing your cyber security defences and responses, begin by taking an inventory of your hardware, software and information assets, including who owns each one and whether it is exposed to the internet. Process-driven organisations are likely to have defined workflows. Exercise incident management plans by simulating a range of scenarios and recovery strategies to flag weaknesses and gaps in defence in depth.
Your plans must be a cost-effective and a realistic response to the level of threat. You can build a knowledge base of products and costs and when to use each one. Identifying best practice, particularly in collaboration with similar organisations, and understanding how other organisations protect themselves should help you avoid excessive and unaffordable costs. It is still about people. You should engage them to practise recovery scenarios and incident response, to ensure that any investments deliver the protection required.
When you have enough information, perform a cyber security risk assessment and run vulnerability assessment tools early to establish where the vulnerabilities are and which actions are urgent. Rank what they find by both likelihood and impact, not by raw scanner severity alone: an unsupported, internet-facing system holding sensitive data belongs at the top of the list regardless of its individual scan scores.
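As an added example of the measure-and-prioritise step described above (this is illustrative code written for this article, not a tool from the author, Diegesis or any named body), the script below joins a constructed asset inventory with constructed scanner output and produces a ranked action list. The CSV fields, the "out of vendor support" and "MFA not enforced" policy checks, the scoring weights and the placeholder finding IDs are all assumptions; a real run would read a CMDB export and genuine scanner results.

```python
"""Triage a constructed asset inventory plus scanner findings into a ranked list.

Illustrative example only; field names, weights and data are assumptions.
Risk is scored as likelihood (0-10) x impact (1-3), so the ranking reflects both
how easily an asset could be compromised and how much that would matter.
"""
import csv
import io
from datetime import date

# Constructed CMDB export (assumption: one row per asset).
INVENTORY_CSV = """asset,owner,criticality,internet_facing,support_end,mfa_enforced
hr-portal,HR,high,yes,2023-06-30,no
case-db,Social Care,high,no,2027-01-31,yes
intranet,Comms,low,no,2026-12-31,yes
remote-access,IT,high,yes,2026-03-31,no
print-server,IT,low,no,2022-01-01,yes
"""

# Constructed vulnerability-scanner output (placeholder finding IDs, not real CVEs).
FINDINGS_CSV = """asset,cvss,vuln_id
hr-portal,9.8,VULN-A
hr-portal,5.3,VULN-B
remote-access,7.5,VULN-C
print-server,8.8,VULN-D
intranet,4.3,VULN-E
"""

IMPACT = {"low": 1, "medium": 2, "high": 3}   # assumed business-impact scale
EXAMPLE_TODAY = date(2024, 10, 1)             # fixed so the output is reproducible


def load(csv_text):
    """Parse an in-memory CSV export into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def likelihood(asset, findings, today):
    """Return a 0-10 likelihood score and the reasons that drove it."""
    reasons = []
    score = max((float(f["cvss"]) for f in findings), default=0.0)
    if score:
        reasons.append(f"worst finding CVSS {score}")
    # Out-of-support software will never receive patches, so treat it as at
    # least 'high' likelihood even if the scanner found nothing today.
    if date.fromisoformat(asset["support_end"]) < today:
        score = max(score, 7.0)
        reasons.append("out of vendor support")
    # Policy check: privileged or exposed systems must enforce MFA.
    exposed = asset["internet_facing"] == "yes"
    if asset["mfa_enforced"] == "no" and (exposed or asset["criticality"] == "high"):
        score = max(score, 8.0)
        reasons.append("MFA not enforced")
    # Internet exposure raises likelihood; cap at the top of the scale.
    if exposed:
        score = min(10.0, score * 1.25)
        reasons.append("internet-facing")
    return round(score, 1), reasons


def triage(inventory_csv, findings_csv, today):
    """Rank every asset by likelihood x impact, highest risk first."""
    by_asset = {}
    for finding in load(findings_csv):
        by_asset.setdefault(finding["asset"], []).append(finding)
    results = []
    for row in load(inventory_csv):
        lik, reasons = likelihood(row, by_asset.get(row["asset"], []), today)
        impact = IMPACT[row["criticality"]]
        results.append({
            "asset": row["asset"], "owner": row["owner"],
            "likelihood": lik, "impact": impact,
            "risk": round(lik * impact, 1), "reasons": reasons,
        })
    results.sort(key=lambda r: (-r["risk"], r["asset"]))
    return results


def example_run():
    """Run the triage over the constructed data with the fixed date."""
    return triage(INVENTORY_CSV, FINDINGS_CSV, EXAMPLE_TODAY)


if __name__ == "__main__":
    for r in example_run():
        print(f'{r["risk"]:5.1f}  {r["asset"]:<14} {r["owner"]:<12} {"; ".join(r["reasons"])}')
```

On the constructed data the two internet-facing systems without enforced MFA come out top, the end-of-life print server ranks above the internally hosted intranet despite having no internet exposure, and the well-maintained case database ranks last. The point is that the ordering, and the reasons column, are what go into the business case; the weights themselves should be agreed with risk owners rather than copied from here.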
Cyber security: Where to find advice and guidance
Luckily, there are many useful bodies and websites where public sector organisations can obtain practical advice and guidance on cyber security, including:
The UK’s National Cyber Security Centre (NCSC) backs Cyber Essentials (CE), a government-backed certification scheme that helps all organisations protect themselves against the most common cyberattacks. It sets out five technical controls (firewalls, secure configuration, security update management, user access control and malware protection) as a minimum standard to deflect most commodity attacks, and Cyber Essentials Plus adds independent testing that those controls are actually in place.
IASME (Information Assurance for SMEs) is a cyber security certification body which works with a network of more than 900 cyber security experts to help organisations improve and demonstrate their cyber security. IASME is aligned with the UK Government’s 10 Steps to Cyber Security and embraces CE, adding further controls around people and processes to deliver a more robust cyber posture. It also covers General Data Protection Regulation (GDPR) requirements. It is aligned to the much more complex and rigorous ISO27001, and is an excellent place to start.
The Information Commissioner’s Office (ICO) provides valuable advice on data protection, including when personal data breaches, which may be the result of cyberattacks, must be reported: under UK GDPR a notifiable breach must be reported to the ICO within 72 hours of the organisation becoming aware of it. This information is especially important as European Union rules on the resilience of supply chains change rapidly over the coming months, through NIS2 (a directive that each member state transposes into national law) and DORA (a regulation that applies directly to the financial sector); UK organisations with suppliers or customers in the EU will feel the effect through their contracts.
The Government Digital Service (GDS), part of the Department for Science, Innovation and Technology, was established to “make digital government simpler, clearer and faster for everyone”. GDS aims to design and protect the user experience of digital government for all. GOV.UK One Login, which replaced GOV.UK Verify in 2023, gives government organisations and services a way to prove citizens are who they say they are, a vital element of cyber security.
Cyber security: Understand the type and size of the problem
Once you have assembled your knowledge bank, it is important to use the relevant information to understand the actual size of your organisation’s cyber security challenge. Consider all the potential issues discussed in the internal and external knowledge sources described above and identify whether these apply within your organisation and to what extent.
For example, a particular piece of legislation may require immediate compliance, such as the protection of citizens’ personal data, service users, or employees’ personal data. Recent data protection issues such as at the Police Service of Northern Ireland, where employee safety was compromised, and NHS Dumfries and Galloway, where ransomware criminals stole and dumped around three terabytes of data on the dark web, act as warnings to organisations handling large amounts of sensitive data.
Alternatively, your organisation’s biggest area of vulnerability might come from your supply chain. Many services have been outsourced over the years, and there are several recent examples of a cyber security issue at a supplier leading to bigger problems for their customers. For instance, in 2023, the Met Police had data exposed when cyber criminals breached the IT systems of a contractor responsible for producing warrant cards and staff passes.
Cyber security strategy: Think big, act fast, do small
As you build your cyber security strategy, it is important to think about the organisation as a whole but then rapidly move to break it down into organisational components. Identify where the worst-case scenarios lie and focus on seeing if you can safeguard those areas first. Next, look at how you can implement a framework that enables you to monitor the situation you are actually in, on an ongoing basis.
Measure, manage, and monitor. You may discover that your situation is not as bad as you thought. Throwing money at a problem may not deliver the outcome. Consider investing wisely to protect the areas of most vulnerability and/or those where attacks would have the biggest impact. If budgets are tight, don’t just give up; start small and get funds signed off incrementally so there is always forward momentum.
Cyber security threat solutions: Know when to bring in outside help
Understanding both the internal workings of your organisation and the constantly changing landscape of threats and defensive tools requires an exceptional combination of skills and experience. It may be prudent to call on knowledge from external sources to augment or speed up your internal capabilities.
External resources experienced in planning secure infrastructures, practising incidents, and recovering from real ones can help explain the big picture and justify a cost-effective way forward. They may also provide your organisation with a fresh perspective on threats and have the ability to read and communicate the key problems. An external person often brings with them the authority to speak out and tell uncomfortable truths, which an employee worried about their long-term career path may shy away from. You may also need help managing the projects that result from a review of your cyber security strategy.
Diegesis has expertise from numerous digital transformation projects that examine how legacy systems function and how they can be evolved to embrace new technologies. We understand the principles of “secure by design,” how systems work together, and where vulnerabilities may exist. Our sister company, Policy Monitor, offers solutions that will ensure that people in your organisation remain aware of cyber threats and know what to do about them.
Visit www.diegesis.co.uk and www.policymonitor.co.uk for more information.
This work is licensed under Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International.