Cybersecurity in Public Sector Budgeting

Cybersecurity risks to public sector organization

The government continues to build strong cybersecurity defenses across the public sector to secure services and data. However, challenges persist in achieving even baseline technical standards to meet the Minimum Cyber Security Standard (MCSS). This is a security standard public sector organization need to work towards to achieve basic cybersecurity resilience.

Public sector organization have many entry points for hackers to exploit. Phishing, malware, denial of service (DoS) and ransomware are amongst the largest common threats these organization face daily. For example, the Education Annex of the Cyber Security Breaches Survey 2021 found 26% of colleges faced data breaches or cyberattacks on a weekly basis. The material outcomes of these attacks resulted in compromised user accounts, loss of control (denial of service), and loss of data and money due to ransomware. Outdated operating systems and technology across healthcare and education also poses a great risk to the public sector as hackers actively exploit known vulnerabilities. So, why do these risks exist and what has prevented public sector organization from addressing these threats?

Risks at a snapshot

• Limited cybersecurity knowledge: Employees who aren’t aware of cybersecurity risks leave public sector organization vulnerable to attacks. For example, weak passwords can lead to data breaches, while limited knowledge of phishing scams can lead to employees revealing sensitive data to hackers. Remote working has additional risks too, such as employees using unsecured networks (free Wi-Fi in public places) or storing unencrypted sensitive data on USBs.

• Insufficient funding: With the public sector typically underfunded and lacking resources, organization can expect to be ill-equipped to deal with potentially devastating data breaches and cyberattacks. Lack of funding prevents organization from addressing their security risks and investing in tools, such as Security Information Event Management (SIEM), to proactively monitor and investigate cyber threats. Insufficient funding is problematic for organization as in-house IT teams lacking cybersecurity knowledge and skills will not be able to provide effective remediation against attacks.

• Skills shortage: The public sector struggles to compete with the private sector on recruiting cybersecurity talent. In 2021, the global shortage of cybersecurity skilled workers fell from 3.2 million to 2.72 million, with the shortage increasing by more than third in the UK in just a year. A lack of resources, due to the private sector offering higher salaries, will have an impact on the security posture of public sector organization as they struggle to compete for the best personnel in the field.

• Patching and legacy IT: £2.3 billion of all IT government funding is allocated to patching. However, there remains a reliance on legacy systems which can no longer be patched (the Police National Compute (PNC) has been in use since 1974). This leaves organization extremely vulnerable and at serious risk of suffering cyberattacks.

Data breaches will remain a persistent threat to organization in the public sector due to the rich quantity of public data organization hold. In fact, of the 54% of all data breach fines issued by the ICO, local councils were responsible for the majority. For example, in 2020, former Reablement Officer for Walsall Council was prosecuted and fined for accessing and unlawfully obtaining unauthorized personal data. There was also a ransomware attack on Hackney Council which led to documents being leaked on the dark web, and a separate malware attack on Gloucestershire City Council.

These examples emphasise the inefficiency of existing security measures and a lack of development in security strategies to combat cyber threats. Until organization have measures in place to monitor, manage and mitigate risks to their services and public data, cyberattacks against public sector organization show no signs of abating. Therefore, it is imperative that cybersecurity remains as an integral part of a public sector organization’s annual budget.

What are the solutions?

Let’s look at funding because without it, strong cybersecurity measures cannot be properly procured and implemented to protect the large amounts of public data and maintain public trust. In the government’s 2021 Spending Review and Autumn Budget, it was proposed that over £2.6 billion was being invested in cybersecurity and legacy IT across the 2021 period. £37.8 million of the budget was invested in local authorities to help improve their cyber resilience, protecting vital services and data. For example, the RPA Pilot (Risk Protection Arrangement) was developed by the Department for Education (DfE) as a free 1-year pilot to establish a school-specific package of the Cyber Essentials certification. This will help schools assess their cybersecurity and bring the education sector closer to meeting minimum cybersecurity standards.

With government spending available and threats evolving, it opens the doors for organization to invest in their cybersecurity. Adopting cloud services and SaaS solutions is effective because they are scalable to an organization's growth, cost-effective, and beneficial to improving an organization’s security posture. Costs are significantly reduced as SaaS platforms offer ‘out-of-the-box’ solutions, saving public sector organization time and valuable resources by not building bespoke solutions. Organization can be assured data is secure due to real-time backups which minimizes data loss, and security updates and patching are routinely applied by SaaS providers, taking the pressure off in-house IT teams.

However, it’s important to understand that a SaaS platform alone will not prevent a cyberattack. Therefore, public sector organizations should assess and prioritize the following areas to strengthen their cyber resilience.

Cybersecurity priorities and budget breakdown

Organisations must define where their cybersecurity priorities lie. Understanding the security priorities through a risk assessment will help align budgets with business goals for the year ahead. You need to consider the human element and expertise behind the tools that are being invested in, such as SIEM.

Organisations also need to consider how effective a particular platform will be in analyzing vulnerabilities and consequently following procedures to monitor, manage and prevent cyber threats. However, throwing a blanket budget over your cybersecurity may result in key vulnerable areas being overlooked. Budgeting towards the following five key areas will help bring public sector organizations closer to improving their cyber resilience and protecting public data:

1. Penetration testing

   Penetration tests are an important part of any good cybersecurity strategy and can identify where an organization is most vulnerable to a cyber attack. Penetration testers simulate real-world attacks across infrastructure, web applications, cloud environments and networks, searching for vulnerabilities that a hacker could exploit. Conducting regular penetration tests will help to demonstrate that public sector organizations take their cybersecurity seriously, protect against potential cyberattacks and enable them to achieve compliance.

2. Vulnerability scanning

   VA scans are an automated process that scans systems and applications for weaknesses and can help public sector organizations assess their security posture. By identifying areas most at risk of a security breach, vulnerability scans give public sector organizations a greater chance to fix issues before an attack. VA scans should be run regularly to identify areas for remediation to ensure public sector organizations are proactive against the latest threats and keep public data secure.

3. Managed SIEM

   SIEM solutions are powerful cybersecurity tools that have previously been out of reach for public sector organizations due to their cost and complexity. A managed SIEM is equipped to consolidate large amounts of data from multiple sources and can detect cyberattacks early to provide 24/7 monitoring and threat detection, incident response and comprehensive compliance reporting. By proactively monitoring data from networks to identify suspicious and malicious activity, a managed SIEM solution will ensure public sector organizations continue to operate with greater peace of mind. With government spending now available and managed SIEM tools more affordable, investing in a managed SIEM solution will greatly benefit and support the public sector to strengthen its cyber resilience and ensure public data is secure.

4. Endpoint protection

   Using an appropriate endpoint protection solution should be a core component of any organizations’ security strategy. This will ensure all devices are protected from threats such as malware and allow security vulnerabilities to be identified and remediated quickly. For example, endpoint protection delivers real-time scanning and can prevent data theft by providing the ability to lock down devices from reading/writing to external USB devices.

5. Security awareness training

   Cybersecurity training is key to improving public sector cyber resilience and employee awareness of the security implications of their day-to-day actions. Empowering the workforce by enhancing their awareness of common cyber threats to organizations and public data, is a cost-effective and powerful strategy to combating cyber threats.

Public sector organizations should also be looking to secure their cloud infrastructure. Additional security measures are needed, such as stricter access controls to give only authorized personnel access to data and applications within the cloud. Limiting personal devices from accessing the cloud and enforcing stronger authentication requirements, such as multi-factor authentication, will strengthen an organization’s security posture and help to minimize the risk of a data breach.

Case study: Looking at the NHS

Shifting to the cloud has greatly benefited public sector organizations like the NHS. It has meant better scalability (beneficial for data storage capacity), improved workflows and tools to support staff. By consolidating its IT services through cloud infrastructure, the NHS has reduced the costs of patching obsolete software and hardware, money that can be directed to improving technology, patient access to care, and strengthening the workforce. With the NHS adopting Windows 10 and Microsoft 365, it has opened the doors for more public sector organizations to embrace the digital transformation and shift to cloud and SaaS platforms.

The Microsoft and NHS deal (N365 agreement) gives over 1.2 million staff across 450 NHS organizations access to Microsoft 365. The benefits of the N365 agreement include better collaboration and communication between staff, evergreen licensing to ensure software and applications stay up to date and provide stronger baseline security. Working to a Good, Best, Better framework, which sets out security controls that organizations should meet according to their desired security posture, will help the NHS protect their networks and data more effectively. The NHS and Microsoft partnership shows the public sector placing their trust in cloud and has given them a much-needed push towards its technology, something which many other public sector organizations can now follow.