Cyber security is a high-profile issue for UK public sector bodies, as recent news shows. Iain Shearman, Managing Director of KCOM’s National Network Services, looks at why the public sector needs to adopt security by design.
It seems that nearly every week there’s some news about how UK public sector bodies are facing unprecedented levels of cyber security threats. Last month, for example, the Metropolitan Police suffered an embarrassing cyber security breach when hackers gained access to its press bureau and Twitter account. The UK Government also faced stern criticism recently from MPs on the Science and Technology Committee over what was described as an increased risk of cyber attacks due to skills shortages and outdated IT systems.
These examples show that as public sector organisations are rushing to adopt new technologies as part of their digital transformation, cyber security considerations can lag behind. So how can public sector bodies avoid these costly and damaging hacks in future? The answer lies in taking a cyber security by design approach.
What does ‘cyber security by design’ mean?
Cyber security by design is about moving from a passive to a proactive approach to security. Ultimately, there is no universal approach to cyber security for public sector bodies, so each organisation needs to understand the unique intricacies of its own network, then ‘design in’ tailored defences to suit. In practice, this means building in vigorous cyber security measures whenever a new technology (e.g. cloud-based storage platforms, 5G, SDN, etc.) is introduced.
The value of ‘cyber security by design’ and organisational buy-in
When it comes to cyber security, humans are the weakest links in any organisation’s defences against attacks. Put simply, computers will do as we programme them to. But humans don’t always do what they are told to do to ensure they are not weakening their organisation’s cyber defences. This makes it crucial to gain buy-in from staff throughout the entire organisation. Research shows that human error is the cause of nearly one in five data breaches. And while nearly three-quarters of attacks are carried out from outside an organisation, more than a quarter involve insiders.
Thus a proactive cyber security workplace culture is the bedrock of an effective cyber security programme. It is essential to embed security values into an organisation’s culture, and for action to speak louder than words. An engaged workforce is more likely to feel accountable and take responsibility for security issues. This is a key tactic in mitigating security threats.
What action should you take to stay secure?
The best steps for public sector bodies to take in implementing a cyber security by design approach will depend on their network and the specific threats faced. But network security measures don’t have to be difficult to manage. For example, unified threat management (UTM) gives public sector bodies complete protection against a host of incoming threats. This means there’s no need to implement different solutions for different threats.
Also, as it’s impossible to prevent hackers getting into a system, organising data using encryption is the best way to keep sensitive or private files safe. In short, every public sector body should make its network as difficult to navigate as possible, acknowledging that it may be infiltrated. Creating a maze that’s nearly impossible to navigate through distracts and confuses potential hackers and creates a challenging and time-consuming process. This stops hackers in their tracks.
Cyber security is a journey, not a destination
The most important principle to follow is that cyber security is an ongoing process. It’s a journey, not a destination you reach then put your feet up and relax. As new technologies develop, so will the accompanying cyber security threats.
Unless they view cyber security as an ongoing process, public sector bodies risk being outsmarted at some point by hackers, who are continually searching for new ways to overcome new security measures. Complacency is lethal. That’s why there must be a constant awareness of cyber security threats across the whole organisation and why public sector bodies must commit to regular training and development for staff across all areas of the organisation (not just CTOs and CIOs) to improve confidence and performance.
Ultimately, every public sector organisation in the UK must take a cyber security by design approach to avoid humiliating and costly security breaches. And, once you’ve built cyber security into your network and embedded it into your organisation’s culture, don’t lose focus on your cyber security. The hackers won’t.