CEO and Co-Founder
2nd March 2022
Cyber security is one of the biggest challenges public sector organisations face today. It’s estimated that 40% of the 777 threats managed by the NCSC (National Cyber Security Centre) between September 2020 and August 2021 were aimed at the public sector. Public sector organisations are an attractive target for hackers because of the amount of valuable personal data they hold. With remote and hybrid working becoming the norm as a result of the COVID-19 pandemic, employees have become more exposed to cyber attacks, as IT teams have reduced visibility of home networks and employees access data from personal devices.
So, what are the challenges that lie ahead for public sector organisations, and how will they manage their cyber security in 2022? Furthermore, how can these organisations allocate budgets to ensure public data and infrastructure are adequately managed and protected? This blog will highlight the cyber security risks the public sector faces, explore solutions to these threats and help organisations budget accordingly for the year ahead.
The government continues to build strong cyber security defences across the public sector to secure services and data. However, challenges persist in achieving even baseline technical standards to meet the Minimum Cyber Security Standard (MCSS). This is the security standard public sector organisations need to work towards to achieve basic cyber security resilience.
Public sector organisations have many entry points for hackers to exploit. Phishing, malware, denial of service (DoS) and ransomware are amongst the most common threats these organisations face daily. For example, the Education Annex of the Cyber Security Breaches Survey 2021 found that 26% of colleges faced data breaches or cyber attacks on a weekly basis. The material outcomes of these attacks included compromised user accounts, loss of control (denial of service), and loss of data and money due to ransomware. Outdated operating systems and technology across healthcare and education also pose a great risk to the public sector, as hackers actively exploit known vulnerabilities. So, why do these risks exist, and what has prevented public sector organisations from addressing these threats?
Limited cyber security knowledge: Employees who aren’t aware of cyber security risks leave public sector organisations vulnerable to attacks. For example, weak passwords can lead to data breaches, while limited knowledge of phishing scams can lead to employees revealing sensitive data to hackers. Remote working carries additional risks too, such as employees using unsecured networks (free Wi-Fi in public places) or storing unencrypted sensitive data on USB drives.
Insufficient funding: With the public sector typically underfunded and lacking resources, organisations can expect to be ill-equipped to deal with potentially devastating data breaches and cyber attacks. Lack of funding prevents organisations from addressing their security risks and investing in tools, such as Security Information and Event Management (SIEM), to proactively monitor and investigate cyber threats. Insufficient funding is also problematic because in-house IT teams lacking cyber security knowledge and skills will not be able to provide effective remediation against attacks.
Skills shortage: The public sector struggles to compete with the private sector in recruiting cyber security talent. In 2021, the global shortage of cyber security skilled workers fell from 3.2 million to 2.72 million, yet the shortage in the UK increased by more than a third in just a year. A lack of resources, due to the private sector offering higher salaries, will have an impact on the security posture of public sector organisations as they struggle to compete for the best personnel in the field.
Patching and legacy IT: £2.3 billion of all government IT funding is allocated to patching. However, there remains a reliance on legacy systems which can no longer be patched (the Police National Computer (PNC) has been in use since 1974). This leaves organisations extremely vulnerable and at serious risk of suffering cyber attacks.
Data breaches will remain a persistent threat to organisations in the public sector because of the rich quantity of public data they hold. In fact, of the 54% of all data breach fines issued by the ICO, local councils were responsible for the majority. For example, in 2020, a former Reablement Officer for Walsall Council was prosecuted and fined for accessing and unlawfully obtaining personal data without authorisation. There was also a ransomware attack on Hackney Council which led to documents being leaked on the dark web, and a separate malware attack on Gloucestershire City Council.
These examples emphasise the inefficiency of existing security measures and the lack of development in security strategies to combat cyber threats. Until organisations have measures in place to monitor, manage and mitigate risks to their services and public data, cyber attacks against public sector organisations show no signs of abating. Therefore, it is imperative that cyber security remains an integral part of a public sector organisation’s annual budget.
Let’s look at funding, because without it, strong cyber security measures cannot be properly procured and implemented to protect the large amounts of public data and maintain public trust. In the government’s 2021 Spending Review and Autumn Budget, it was proposed that over £2.6 billion be invested in cyber security and legacy IT across the 2021 period. £37.8 million of the budget was invested in local authorities to help improve their cyber resilience, protecting vital services and data. For example, the RPA Pilot (Risk Protection Arrangement) was developed by the Department for Education (DfE) as a free 1-year pilot to establish a school-specific package of the Cyber Essentials certification. This will help schools assess their cyber security and bring the education sector closer to meeting minimum cyber security standards.
With government spending available and threats evolving, the door is open for organisations to invest in their cyber security. Adopting cloud services and SaaS solutions is effective because they are scalable to an organisation’s growth, cost-effective, and beneficial to improving an organisation’s security posture. Costs are significantly reduced as SaaS platforms offer ‘out-of-the-box’ solutions, saving public sector organisations the time and valuable resources that building bespoke solutions would consume. Organisations can be assured their data is protected by real-time backups, which minimise data loss, and security updates and patching are routinely applied by SaaS providers, taking the pressure off in-house IT teams.
However, it’s important to understand that a SaaS platform alone will not prevent a cyber attack. Therefore, public sector organisations should assess and prioritise the following areas to strengthen their cyber resilience.
Organisations must define where their cyber security priorities lie. Identifying those priorities through a risk assessment will help align budgets with business goals for the year ahead. You also need to consider the human element and expertise behind the tools that are being invested in, such as SIEM.
Organisations also need to consider how effective a particular platform will be in analysing vulnerabilities and, consequently, in supporting the procedures used to monitor, manage and prevent cyber threats. However, throwing a blanket budget over your cyber security may result in key vulnerable areas being overlooked. Budgeting towards the following five key areas will help bring public sector organisations closer to improving their cyber resilience and protecting public data:
Penetration tests are an important part of any good cyber security strategy and can identify where an organisation is most vulnerable to a cyber attack. Penetration testers simulate real-world attacks across infrastructure, web applications, cloud environments and networks, searching for vulnerabilities that a hacker could exploit. Conducting regular penetration tests will help to demonstrate that public sector organisations take their cyber security seriously, protect against potential cyber attacks and enable them to achieve compliance.
Vulnerability assessment (VA) scans are an automated process that scans systems and applications for weaknesses and can help public sector organisations assess their security posture. By identifying the areas most at risk of a security breach, vulnerability scans give public sector organisations a greater chance to fix issues before an attack. VA scans should be run regularly to identify areas for remediation, ensuring public sector organisations are proactive against the latest threats and keep public data secure.
SIEM solutions are powerful cyber security tools that have previously been out of reach for public sector organisations because of their cost and complexity. A managed SIEM consolidates large amounts of data from multiple sources and can detect cyber attacks early, providing 24/7 monitoring and threat detection, incident response and comprehensive compliance reporting. By proactively monitoring network data to identify suspicious and malicious activity, a managed SIEM solution lets public sector organisations continue to operate with greater peace of mind. With government spending now available and managed SIEM tools more affordable, investing in a managed SIEM solution will greatly benefit the public sector, strengthening its cyber resilience and helping to keep public data secure.
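To make the SIEM paragraph concrete, here is an added example (it is not code from the original post or from any vendor's product) of the kind of correlation rule a SIEM applies once authentication events from several sources have been consolidated. It parses a handful of constructed syslog-style login lines, counts failed logins per source address inside a sliding time window, and raises one alert when the threshold is crossed and a second, higher-severity alert if a successful login from the same address follows the burst. The log format, hostnames, usernames, IP addresses and the threshold of five failures in five minutes are all assumptions made for the example.

```python
"""Minimal SIEM-style brute-force correlation over constructed auth logs.

Added example; the log lines below are constructed sample data, not real
events, and the line format is an assumption made for this example.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (syslog-like, documentation-range IPs).
SAMPLE_LOGS = """\
2022-03-02T09:00:01 gw01 sshd: Failed password for alice from 203.0.113.10
2022-03-02T09:00:03 gw01 sshd: Failed password for alice from 203.0.113.10
2022-03-02T09:00:05 gw01 sshd: Failed password for bob from 203.0.113.10
2022-03-02T09:00:07 gw01 sshd: Failed password for carol from 203.0.113.10
2022-03-02T09:00:09 gw01 sshd: Failed password for dave from 203.0.113.10
2022-03-02T09:00:12 gw01 sshd: Accepted password for dave from 203.0.113.10
2022-03-02T09:15:00 gw01 sshd: Failed password for erin from 198.51.100.7
2022-03-02T09:20:00 gw01 sshd: Accepted password for erin from 198.51.100.7
"""

# Assumed line layout: "<iso-timestamp> <host> sshd: <Failed|Accepted> password for <user> from <ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd: (?P<result>Failed|Accepted) password "
    r"for (?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+)$"
)


def parse_line(line):
    """Turn one log line into a dict of fields, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.fromisoformat(event["ts"])
    return event


def detect_bruteforce(log_text, threshold=5, window=timedelta(minutes=5)):
    """Correlate login events per source IP.

    Returns a list of alert dicts:
      - "bruteforce_attempt" when `threshold` failures from one IP fall
        inside `window` (raised once, when the threshold is first reached);
      - "bruteforce_success" when a successful login from that IP follows
        such a burst within `window` (the case an analyst must act on).
    Counting per IP rather than per user means a password-spraying run
    (many users, one source) is caught as well as a single-account attack.
    """
    failures = defaultdict(deque)  # ip -> timestamps of recent failures
    alerts = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue  # a real SIEM would route unparsed lines to a dead-letter queue
        recent = failures[ev["ip"]]
        if ev["result"] == "Failed":
            recent.append(ev["ts"])
            # Evict failures that have aged out of the sliding window.
            while recent and ev["ts"] - recent[0] > window:
                recent.popleft()
            if len(recent) == threshold:
                alerts.append({"type": "bruteforce_attempt", "ip": ev["ip"],
                               "first": recent[0], "last": ev["ts"]})
        else:  # Accepted
            if len(recent) >= threshold and ev["ts"] - recent[-1] <= window:
                alerts.append({"type": "bruteforce_success", "ip": ev["ip"],
                               "user": ev["user"], "at": ev["ts"]})
            recent.clear()  # a success ends the burst; start counting afresh
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOGS):
        print(alert)
```

Run against the sample data, the rule produces two alerts for 203.0.113.10 (the five-failure burst, then the success for `dave`) and none for 198.51.100.7, whose single failure followed by a success looks like an ordinary mistyped password. Tuning the threshold and window to an organisation's normal login behaviour is the part of SIEM operation that still needs in-house judgement, which is the point the surrounding text makes about the human element behind the tooling.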
Using an appropriate endpoint protection solution should be a core component of any organisation’s security strategy. This will ensure all devices are protected from threats such as malware and allow security vulnerabilities to be identified and remediated quickly. For example, endpoint protection delivers real-time scanning and can prevent data theft by locking down devices so they cannot read from or write to external USB devices.
Cyber security training is key to improving public sector cyber resilience and employee awareness of the security implications of their day-to-day actions. Empowering the workforce by enhancing their awareness of common cyber threats to organisations and public data is a cost-effective and powerful strategy for combating cyber threats.
Public sector organisations should also be looking to secure their cloud infrastructure. Additional security measures are needed, such as stricter access controls to give only authorised personnel access to data and applications within the cloud. Limiting personal devices from accessing the cloud and enforcing stronger authentication requirements, such as multi-factor authentication, will strengthen an organisation’s security posture and help to minimise the risk of a data breach.
Shifting to the cloud has greatly benefited public sector organisations like the NHS. It has meant better scalability (beneficial for data storage capacity), improved workflows and tools to support staff. By consolidating its IT services through cloud infrastructure, the NHS has reduced the costs of patching obsolete software and hardware, money that can be directed to improving technology, patient access to care, and strengthening the workforce. With the NHS adopting Windows 10 and Microsoft 365, it has opened the doors for more public sector organisations to embrace the digital transformation and shift to cloud and SaaS platforms.
The Microsoft and NHS deal (the N365 agreement) gives over 1.2 million staff across 450 NHS organisations access to Microsoft 365. The benefits of the N365 agreement include better collaboration and communication between staff, and evergreen licensing to ensure software and applications stay up to date and provide stronger baseline security. Working to a Good, Best, Better framework, which sets out security controls that organisations should meet according to their desired security posture, will help the NHS protect its networks and data more effectively. The NHS and Microsoft partnership shows the public sector placing its trust in the cloud and has given it a much-needed push towards the technology, an example which many other public sector organisations can now follow.
It’s clear the public sector is ready for cloud technology and SaaS platforms, as demonstrated by the NHS. By investing in a modern cyber security strategy and the appropriate cloud infrastructure, vital resources such as time, personnel and money can be saved while protecting the organisation from malicious threats and data breaches.
Here are some key takeaways that we’d recommend for public sector organisations:
Understand your current security posture and key areas where budgets can be applied to help secure business and public data from hackers.
Employees are your first line of defence. Strengthening their knowledge of common cyber attacks is crucial to protecting your organisation from internal and external threats.
An outsourced service like a managed SIEM solution does not mean completely outsourcing your security. Organisations need to be aware that the security of public data remains their responsibility, and they must follow security best practices and remain compliant to protect their network and data.
Choosing the right SaaS vendor to meet your cyber security needs will determine how much value you receive from their services. An all-in-one platform which covers key cyber security elements such as a managed SIEM, penetration testing, endpoint protection, vulnerability scanning and staff awareness training will help businesses grow, improve workflows and save costs.