Cyber

Protection post-pandemic

by Mark Rowe

Over the past year, the public sector has faced more pressures than ever before to deliver services quickly, cost-effectively and to a new standard. The strain this placed on its infrastructure has not gone unnoticed, writes Michael Paye, CTO, at the data security company Netwrix.

The UK’s public sector has been plagued with data-related blunders – 16,000 COVID-19 test results went unreported, London’s Hackney Council fell victim to a ransomware attack, and education institutions were under so much strain due to ransomware attacks that the NCSC issued a warning alert to the UK’s schools and universities – just to name a few. Most recently, MI5 even issued a warning that over 10,000 government and public sector workers had been targeted by hostile states on social media.

For the UK in particular, the timing of COVID-19 and Brexit has had a compound effect on the government’s resources and priorities. COVID has certainly taught everyone that cybersecurity is fundamental to future ways of working and organisations’ infrastructure. However, with speed of delivery of many services prioritised over quality, holes in cyber security defences have left the public sector open to increasingly sophisticated attacks amidst shrinking resources and a growing cyber-attack surface. Many government teams have suddenly switched to virtual communications on collaboration tools like Microsoft Teams, and this increased use of cloud collaboration tools over the pandemic has led to new questions around data privacy and security that did not exist before.

For the public sector, the consequences of breaches are vast – financially, reputationally and life-impacting for citizens. The 2021 Netwrix Cloud Data Security Report found that in 2020, following a cyber security breach, 28pc of government organisations experienced unplanned expenses to fix security gaps – a blow to already limited resources – while 11pc even saw a change of senior leadership following a breach.

The research also showed that data leaks are a particular thorn in the side of public sector organisations, which is an issue given how many public services revolve around the care of vulnerable individuals. While the most common cyber security incidents experienced by government agencies were phishing (reported by 39pc of organisations), accidental data leakage (24pc) and targeted attacks on the infrastructure (22pc), data leakage was the hardest of the three to detect – 27pc of public sector organisations required days to flag it. Resolving data leakage also took longer than other incidents, requiring days (32pc), weeks (11pc) or months (23pc).

It’s concerning that many breaches appear to have been avoidable – many are due to human mistakes, where a single error can lead to a leak of valuable data. The research shows that most government agencies attribute their cloud security challenges to lack of IT/security staff (65pc) and employee negligence (59pc), which makes MI5’s recent warning that public sector employees are particular targets for bad actors all the more concerning. It’s also worrying that, with the majority of services in 2020 going digital, public sector organisations allocated the lowest share (14pc) of their cybersecurity budgets to cloud security of any sector – despite holding the most valuable data of all of the nation’s population.

The path to protection

There is unfortunately no silver bullet technology that public sector organisations can acquire to completely eliminate cyber threats. In their limited resource allocation, government agencies must not forget that a thorough cyber security strategy is a combination of the right technologies, risk management processes and a security-centric culture, rather than relying on any single piece of technology alone as a convenient temporary plaster.

To maintain cyber defences with lower budgets, as collaboration tools become increasingly popular and human error becomes more of a risk, public sector organisations must constantly review and monitor the type of content being shared and the permissions associated with that content. It must be said that, given many public services do revolve around the care of vulnerable individuals, gaps in processes can occur if the processes or systems are time consuming or cumbersome. The person being cared for is of course the priority for resource allocation, and therefore systems and processes should be constructed to be as simple and efficient to follow as possible.

It’s also key that staff are proactively trained on the appropriate ways to use and share information with any new tools. This budget – and responsibility – should be shared by both IT and HR teams. On a positive note, another survey also found that 38pc of government organisations now plan to prioritise IT staff education compared to only 20pc pre-pandemic.

The UK’s government bodies must also be aware that, with various political changes such as Brexit, it is important to future-proof cyber defences against whatever new domestic or international regulations replace GDPR or other similar policies in place. Ultimately, with more and more processes going digital, to ensure that rapidly growing amounts of sensitive data remain protected, the public sector must prioritise establishing healthy data habits and educating their staff, with the right processes and technologies serving as a foundation to protect the country’s services for whatever uncertainty is to come.
