Cyber Security in Public Sector Budgeting

Cyber Security risks to public sector organisation

The government continues to build strong cyber security defences across the public sector to secure services and data. However, challenges persist in achieving even baseline technical standards to meet the Minimum Cyber Security Standard (MCSS). This is a security standard public sector organisation need to work towards to achieve basic cyber security resilience.

Public sector organisation have many entry points for hackers to exploit. Phishing, malware, denial of service (DoS) and ransomware are amongst the largest common threats these organisation face daily. For example, the Education Annex of the Cyber Security Breaches Survey 2021 found 26% of colleges faced data breaches or cyber attacks on a weekly basis. The material outcomes of these attacks resulted in compromised user accounts, loss of control (denial of service), and loss of data and money due to ransomware. Outdated operating systems and technology across healthcare and education also poses a great risk to the public sector as hackers actively exploit known vulnerabilities. So, why do these risks exist and what has prevented public sector organisation from addressing these threats?

Risks at a snapshot

• Limited cyber security knowledge: Employees who aren’t aware of cyber security risks leave public sector organisation vulnerable to attacks. For example, weak passwords can lead to data breaches, while limited knowledge of phishing scams can lead to employees revealing sensitive data to hackers. Remote working has additional risks too, such as employees using unsecured networks (free Wi-Fi in public places) or storing unencrypted sensitive data on USBs.

• Insufficient funding: With the public sector typically underfunded and lacking resources, organisation can expect to be ill-equipped to deal with potentially devastating data breaches and cyber attacks. Lack of funding prevents organisation from addressing their security risks and investing in tools, such as Security Information Event Management (SIEM), to proactively monitor and investigate cyber threats. Insufficient funding is problematic for organisation as in-house IT teams lacking cyber security knowledge and skills will not be able to provide effective remediation against attacks.

• Skills shortage: The public sector struggles to compete with the private sector on recruiting cyber security talent. In 2021, the global shortage of cyber security skilled workers fell from 3.2 million to 2.72 million, with the shortage increasing by more than third in the UK in just a year. A lack of resources, due to the private sector offering higher salaries, will have an impact on the security posture of public sector organisation as they struggle to compete for the best personnel in the field.

• Patching and legacy IT: £2.3 billion of all IT government funding is allocated to patching. However, there remains a reliance on legacy systems which can no longer be patched (the Police National Compute (PNC) has been in use since 1974). This leaves organisation extremely vulnerable and at serious risk of suffering cyber attacks.

Data breaches will remain a persistent threat to organisation in the public sector due to the rich quantity of public data organisation hold. In fact, of the 54% of all data breach fines issued by the ICO, local councils were responsible for the majority. For example, in 2020, former Reablement Officer for Walsall Council was prosecuted and fined for accessing and unlawfully obtaining unauthorised personal data. There was also a ransomware attack on Hackney Council which led to documents being leaked on the dark web, and a separate malware attack on Gloucestershire City Council.

These examples emphasise the inefficiency of existing security measures and a lack of development in security strategies to combat cyber threats. Until organisation have measures in place to monitor, manage and mitigate risks to their services and public data, cyber attacks against public sector organisation show no signs of abating. Therefore, it is imperative that cyber security remains as an integral part of a public sector organisation’s annual budget.

What are the solutions?

Let’s look at funding because without it, strong cyber security measures cannot be properly procured and implemented to protect the large amounts of public data and maintain public trust. In the government’s 2021 Spending Review and Autumn Budget, it was proposed that over £2.6 billion was being invested in cyber security and legacy IT across the 2021 period. £37.8 million of the budget was invested in local authorities to help improve their cyber resilience, protecting vital services and data. For example, the RPA Pilot (Risk Protection Arrangement) was developed by the Department for Education (DfE) as a free 1-year pilot to establish a school-specific package of the Cyber Essentials certification. This will help schools assess their cyber security and bring the education sector closer to meeting minimum cyber security standards.

With government spending available and threats evolving, it opens the doors for organisation to invest in their cyber security. Adopting cloud services and SaaS solutions is effective because they are scalable to an organisation's growth, cost-effective, and beneficial to improving an organisation’s security posture. Costs are significantly reduced as SaaS platforms offer ‘out-of-the-box’ solutions, saving public sector organisation time and valuable resources by not building bespoke solutions. Organisation can be assured data is secure due to real-time backups which minimises data loss, and security updates and patching are routinely applied by SaaS providers, taking the pressure off in-house IT teams.

However, it’s important to understand that a SaaS platform alone will not prevent a cyber attack. Therefore, public sector organisations should assess and prioritise the following areas to strengthen their cyber resilience.

Cyber Security priorities and budget breakdown

Organisations must define where their cyber security priorities lie. Understanding the security priorities through a risk assessment will help align budgets with business goals for the year ahead. You need to consider the human element and expertise behind the tools that are being invested in, such as SIEM.

Organisations also need to consider how effective a particular platform will be in analysing vulnerabilities and consequently following procedures to monitor, manage and prevent cyber threats. However, throwing a blanket budget over your cyber security may result in key vulnerable areas being overlooked. Budgeting towards the following five key areas will help bring public sector organisations closer to improving their cyber resilience and protecting public data:

1. Penetration testing

   Penetration tests are an important part of any good cyber security strategy and can identify where an organisation is most vulnerable to a cyber attack. Penetration testers simulate real-world attacks across infrastructure, web applications, cloud environments and networks, searching for vulnerabilities that a hacker could exploit. Conducting regular penetration tests will help to demonstrate that public sector organisations take their cyber security seriously, protect against potential cyber attacks and enable them to achieve compliance.

2. Vulnerability scanning

   VA scans are an automated process that scans systems and applications for weaknesses and can help public sector organisations assess their security posture. By identifying areas most at risk of a security breach, vulnerability scans give public sector organisations a greater chance to fix issues before an attack. VA scans should be run regularly to identify areas for remediation to ensure public sector organisations are proactive against the latest threats and keep public data secure.

3. Managed SIEM

   SIEM solutions are powerful cyber security tools that have previously been out of reach for public sector organisations due to their cost and complexity. A managed SIEM is equipped to consolidate large amounts of data from multiple sources and can detect cyber attacks early to provide 24/7 monitoring and threat detection, incident response and comprehensive compliance reporting. By proactively monitoring data from networks to identify suspicious and malicious activity, a managed SIEM solution will ensure public sector organisations continue to operate with greater peace of mind. With government spending now available and managed SIEM tools more affordable, investing in a managed SIEM solution will greatly benefit and support the public sector to strengthen its cyber resilience and ensure public data is secure.

4. Endpoint protection

   Using an appropriate endpoint protection solution should be a core component of any organisations’ security strategy. This will ensure all devices are protected from threats such as malware and allow security vulnerabilities to be identified and remediated quickly. For example, endpoint protection delivers real-time scanning and can prevent data theft by providing the ability to lock down devices from reading/writing to external USB devices.

5. Security awareness training

   Cyber Security training is key to improving public sector cyber resilience and employee awareness of the security implications of their day-to-day actions. Empowering the workforce by enhancing their awareness of common cyber threats to organisations and public data, is a cost-effective and powerful strategy to combating cyber threats.

Public sector organisations should also be looking to secure their cloud infrastructure. Additional security measures are needed, such as stricter access controls to give only authorised personnel access to data and applications within the cloud. Limiting personal devices from accessing the cloud and enforcing stronger authentication requirements, such as multi-factor authentication, will strengthen an organisation’s security posture and help to minimise the risk of a data breach.

Case study: Looking at the NHS

Shifting to the cloud has greatly benefited public sector organisations like the NHS. It has meant better scalability (beneficial for data storage capacity), improved workflows and tools to support staff. By consolidating its IT services through cloud infrastructure, the NHS has reduced the costs of patching obsolete software and hardware, money that can be directed to improving technology, patient access to care, and strengthening the workforce. With the NHS adopting Windows 10 and Microsoft 365, it has opened the doors for more public sector organisations to embrace the digital transformation and shift to cloud and SaaS platforms.

The Microsoft and NHS deal (N365 agreement) gives over 1.2 million staff across 450 NHS organisations access to Microsoft 365. The benefits of the N365 agreement include better collaboration and communication between staff, evergreen licensing to ensure software and applications stay up to date and provide stronger baseline security. Working to a Good, Best, Better framework, which sets out security controls that organisations should meet according to their desired security posture, will help the NHS protect their networks and data more effectively. The NHS and Microsoft partnership shows the public sector placing their trust in cloud and has given them a much-needed push towards its technology, something which many other public sector organisations can now follow.