Oliver Pinson-Roxburgh
CEO and Co-Founder
2nd March 2022
Cybersecurity is one of the biggest challenges public sector organizations face today. It’s estimated that 40% of the 777 threats managed by the NCSC (National Cyber Security Centre) between September 2020 and August 2021 were aimed at the public sector. Public sector organizations are an attractive target for hackers due to the amount of valuable personal data that is held. With remote and hybrid working becoming the norm as a result of the COVID-19 pandemic, employees have become more exposed to cyberattacks due to IT teams having reduced visibility of home networks and employees accessing data from personal devices.
So, what are the challenges that lie ahead for public sector organizations and how they manage their cybersecurity in 2022? Furthermore, how can these organizations place budgets accordingly to ensure public data and infrastructures are adequately managed and protected? This blog will highlight the cybersecurity risks the public sector faces, explore solutions to these threats and help organizations budget accordingly for the year ahead.
The government continues to build strong cybersecurity defenses across the public sector to secure services and data. However, challenges persist in achieving even baseline technical standards to meet the Minimum Cyber Security Standard (MCSS). This is a security standard public sector organizations need to work towards to achieve basic cybersecurity resilience.
Public sector organizations have many entry points for hackers to exploit. Phishing, malware, denial of service (DoS) and ransomware are amongst the most common threats these organizations face daily. For example, the Education Annex of the Cyber Security Breaches Survey 2021 found 26% of colleges faced data breaches or cyberattacks on a weekly basis. The material outcomes of these attacks resulted in compromised user accounts, loss of control (denial of service), and loss of data and money due to ransomware. Outdated operating systems and technology across healthcare and education also pose a great risk to the public sector as hackers actively exploit known vulnerabilities. So, why do these risks exist and what has prevented public sector organizations from addressing these threats?
Limited cybersecurity knowledge: Employees who aren’t aware of cybersecurity risks leave public sector organizations vulnerable to attacks. For example, weak passwords can lead to data breaches, while limited knowledge of phishing scams can lead to employees revealing sensitive data to hackers. Remote working has additional risks too, such as employees using unsecured networks (free Wi-Fi in public places) or storing unencrypted sensitive data on USBs.
Insufficient funding: With the public sector typically underfunded and lacking resources, organizations can expect to be ill-equipped to deal with potentially devastating data breaches and cyberattacks. Lack of funding prevents organizations from addressing their security risks and investing in tools, such as Security Information and Event Management (SIEM), to proactively monitor and investigate cyber threats. Insufficient funding is problematic for organizations as in-house IT teams lacking cybersecurity knowledge and skills will not be able to provide effective remediation against attacks.
Skills shortage: The public sector struggles to compete with the private sector on recruiting cybersecurity talent. In 2021, the global shortage of cybersecurity skilled workers fell from 3.2 million to 2.72 million, with the shortage increasing by more than a third in the UK in just a year. A lack of resources, due to the private sector offering higher salaries, will have an impact on the security posture of public sector organizations as they struggle to compete for the best personnel in the field.
Patching and legacy IT: £2.3 billion of all IT government funding is allocated to patching. However, there remains a reliance on legacy systems which can no longer be patched (the Police National Computer (PNC) has been in use since 1974). This leaves organizations extremely vulnerable and at serious risk of suffering cyberattacks.
Data breaches will remain a persistent threat to organizations in the public sector due to the rich quantity of public data organizations hold. In fact, of the 54% of all data breach fines issued by the ICO, local councils were responsible for the majority. For example, in 2020, a former Reablement Officer for Walsall Council was prosecuted and fined for accessing and unlawfully obtaining unauthorized personal data. There was also a ransomware attack on Hackney Council which led to documents being leaked on the dark web, and a separate malware attack on Gloucestershire City Council.
These examples emphasise the inefficiency of existing security measures and a lack of development in security strategies to combat cyber threats. Until organizations have measures in place to monitor, manage and mitigate risks to their services and public data, cyberattacks against public sector organizations show no signs of abating. Therefore, it is imperative that cybersecurity remains an integral part of a public sector organization’s annual budget.
Let’s look at funding because without it, strong cybersecurity measures cannot be properly procured and implemented to protect the large amounts of public data and maintain public trust. In the government’s 2021 Spending Review and Autumn Budget, it was proposed that over £2.6 billion was being invested in cybersecurity and legacy IT across the 2021 period. £37.8 million of the budget was invested in local authorities to help improve their cyber resilience, protecting vital services and data. For example, the RPA Pilot (Risk Protection Arrangement) was developed by the Department for Education (DfE) as a free 1-year pilot to establish a school-specific package of the Cyber Essentials certification. This will help schools assess their cybersecurity and bring the education sector closer to meeting minimum cybersecurity standards.
With government spending available and threats evolving, it opens the doors for organizations to invest in their cybersecurity. Adopting cloud services and SaaS solutions is effective because they are scalable to an organization's growth, cost-effective, and beneficial to improving an organization’s security posture. Costs are significantly reduced as SaaS platforms offer ‘out-of-the-box’ solutions, saving public sector organizations time and valuable resources by not building bespoke solutions. Organizations can be assured data is secure due to real-time backups which minimize data loss, and security updates and patching are routinely applied by SaaS providers, taking the pressure off in-house IT teams.
However, it’s important to understand that a SaaS platform alone will not prevent a cyberattack. Therefore, public sector organizations should assess and prioritize the following areas to strengthen their cyber resilience.
Organisations must define where their cybersecurity priorities lie. Understanding the security priorities through a risk assessment will help align budgets with business goals for the year ahead. You need to consider the human element and expertise behind the tools that are being invested in, such as SIEM.
Organisations also need to consider how effective a particular platform will be in analyzing vulnerabilities and consequently following procedures to monitor, manage and prevent cyber threats. However, throwing a blanket budget over your cybersecurity may result in key vulnerable areas being overlooked. Budgeting towards the following five key areas will help bring public sector organizations closer to improving their cyber resilience and protecting public data:
Penetration tests are an important part of any good cybersecurity strategy and can identify where an organization is most vulnerable to a cyber attack. Penetration testers simulate real-world attacks across infrastructure, web applications, cloud environments and networks, searching for vulnerabilities that a hacker could exploit. Conducting regular penetration tests will help to demonstrate that public sector organizations take their cybersecurity seriously, protect against potential cyberattacks and enable them to achieve compliance.
VA scans are an automated process that scans systems and applications for weaknesses and can help public sector organizations assess their security posture. By identifying areas most at risk of a security breach, vulnerability scans give public sector organizations a greater chance to fix issues before an attack. VA scans should be run regularly to identify areas for remediation to ensure public sector organizations are proactive against the latest threats and keep public data secure.
SIEM solutions are powerful cybersecurity tools that have previously been out of reach for public sector organizations due to their cost and complexity. A managed SIEM is equipped to consolidate large amounts of data from multiple sources and can detect cyberattacks early to provide 24/7 monitoring and threat detection, incident response and comprehensive compliance reporting. By proactively monitoring data from networks to identify suspicious and malicious activity, a managed SIEM solution will ensure public sector organizations continue to operate with greater peace of mind. With government spending now available and managed SIEM tools more affordable, investing in a managed SIEM solution will greatly benefit and support the public sector to strengthen its cyber resilience and ensure public data is secure.
Using an appropriate endpoint protection solution should be a core component of any organization’s security strategy. This will ensure all devices are protected from threats such as malware and allow security vulnerabilities to be identified and remediated quickly. For example, endpoint protection delivers real-time scanning and can prevent data theft by providing the ability to lock down devices from reading/writing to external USB devices.
Cybersecurity training is key to improving public sector cyber resilience and employee awareness of the security implications of their day-to-day actions. Empowering the workforce by enhancing their awareness of common cyber threats to organizations and public data is a cost-effective and powerful strategy for combating cyber threats.
Public sector organizations should also be looking to secure their cloud infrastructure. Additional security measures are needed, such as stricter access controls to give only authorized personnel access to data and applications within the cloud. Limiting personal devices from accessing the cloud and enforcing stronger authentication requirements, such as multi-factor authentication, will strengthen an organization’s security posture and help to minimize the risk of a data breach.
Shifting to the cloud has greatly benefited public sector organizations like the NHS. It has meant better scalability (beneficial for data storage capacity), improved workflows and tools to support staff. By consolidating its IT services through cloud infrastructure, the NHS has reduced the costs of patching obsolete software and hardware, money that can be directed to improving technology, patient access to care, and strengthening the workforce. With the NHS adopting Windows 10 and Microsoft 365, it has opened the doors for more public sector organizations to embrace the digital transformation and shift to cloud and SaaS platforms.
The Microsoft and NHS deal (N365 agreement) gives over 1.2 million staff across 450 NHS organizations access to Microsoft 365. The benefits of the N365 agreement include better collaboration and communication between staff, evergreen licensing to ensure software and applications stay up to date and provide stronger baseline security. Working to a Good, Best, Better framework, which sets out security controls that organizations should meet according to their desired security posture, will help the NHS protect their networks and data more effectively. The NHS and Microsoft partnership shows the public sector placing their trust in cloud and has given them a much-needed push towards its technology, something which many other public sector organizations can now follow.
It’s clear the public sector is ready for cloud technology and SaaS platforms, as demonstrated by the NHS. By investing in a modern cybersecurity strategy and the appropriate cloud infrastructure, vital resources such as time, personnel and money can be saved while protecting the organization from malicious threats and data breaches.
Here are some key takeaways that we’d recommend for public sector organizations:
Understand your current security posture and key areas where budgets can be applied to help secure business and public data from hackers.
Employees are your first line of defense. Strengthening their knowledge of common cyberattacks is crucial to protecting your organization from internal and external threats.
An outsourced service like a managed SIEM solution does not mean completely outsourcing your security. Organizations need to be aware that the security of public data is still their responsibility, and they must follow best security practices and remain compliant to protect their network and data.
Choosing the right SaaS vendor to meet your cybersecurity needs will determine how much value you receive from their services. An all-in-one platform which covers key cybersecurity elements such as a managed SIEM, penetration testing, endpoint protection, vulnerability scanning and staff awareness training will help businesses grow, improve workflows and save costs.