The public sector is vulnerable to cyber attacks and a crippling attack on a major public sector organization is a real risk for 2021. Steve Robinson explains why this is the case and what public sector organizations need to do to mitigate the risk.
In 2017, the now-infamous WannaCry ransomware attack brought the UK’s National Health Service (NHS) to its knees, encrypting vital patient data and demanding Bitcoin payments for its release. It was, and still is at the time of writing, the most devastating cyber attack to occur in the UK. The UK’s National Cyber Security Centre (NCSC) regarded this as a ‘tier two’ attack in their five-tier ranking system, with tier one being the most devasting.
Less than six months after the WannaCry incident, the chief executive of the NCSC, Ciaran Martin, went on record to say that a crippling ‘tier one’ cyberattack was now a matter of when not if. This is the current state of play, and governments ought to be very concerned.
Public sector cyber attacks are particularly destructive because they impact so many lives. The NHS is just one example of a government-owned entity succumbing to a ransomware attack. When you consider how much government bodies facilitate of our every-day lives, from passports and driving licenses to social care, education and even waste collection, the true scale of the threat becomes very apparent. The problem is that while businesses and private entities are repeatedly told to put their security first, with stark reminders in the form of attack after attack, that level of urgency seems to be lacking in the public sector. A report last year from Verizon revealed that nearly 47 percent of data breaches in the public sector weren’t discovered until years after the initial attack. This shows that it may already be too late with time-ticking cyber threats already installed with government services just waiting to go off. Action is needed now to identify, eradicate and put up further barriers to prevent additional attacks.
What makes the public sector vulnerable?
Unlike the private sector, public sector organizations can’t justify IT spend to protect investment, future profits, and shareholder dividends. They’re not necessarily profit-driven and are there to provide a service rather than reward shareholders, so it may often feel like there’s less at stake. This can manifest itself in the form of slow decision-making and inadequate training, as well as outdated IT infrastructure that’s often deemed too expensive to update.
Training, by far, is still one of the most pressing issues facing organizations today. The most recent Cyber Security: Skills In The UK Labour Market report found that more than 54 percent of the roughly 1.3 million businesses in the UK lacked the skills or confidence to carry out basic cyber security tasks, such as creating back-ups or managing access privileges.
Software updates, or a lack thereof, also create critical vulnerability. Having the right IT team in place, or an outsourced equivalent, can easily remedy this and close the gap. This does require resources, however, and that’s where a lot of public sector businesses struggle. Even after the WannaCry attack, it was more affordable for the NHS to pay Microsoft to extend their support for Windows 7 (a limited service they offered at a premium cost for specific use cases) than it was for them to sufficiently update their systems nationwide.
The above highlights two critical differentiators between the public and private sector; the time and resource to train staff, and the hours and resources to keep systems up-to-date and secure. With public sector budgets under constant scrutiny, it’s hard to justify investing in cyber security training for staff when there are so many competing calls on available cash, especially true in the NHS and social care. Public sector organizations, such as broad governmental departments, are also likely to be much larger with fewer resources while adapting a more nine-to-five mentality. This makes it harder for public organizations the close the gap and ensure their systems are robust and secure.
Why is the public sector being targeted?
Public sector attacks are on the rise and, as the NCSC points out, it’s only a matter of time before a devastating tier-one attack occurs. Almost one in five breaches in 2019 involved the targeting of public sector organizations, which is surprising as we’ve already talked about how vulnerable public sector organizations are to cyber attacks. They’re an easier target than the average business and there are several more reasons why government-run organizations might be targeted.
Ransom payments, like the WannaCry attack, are rare and the UK government has a policy of not paying cyber criminals. Nevertheless, it does happen, and governments need to remain vigilant. Money is a key motivator, but it’s not the only one. Political gain through accessing government systems and influencing elections on a local or national level is also a definite motivator.
However, when in doubt, ‘follow the money’ usually still applies. The principal motivator for an attack on a public entity is likely to be the commercial gain that can be had from gaining access to sensitive information and trade secrets, that can then either be used or auctioned off to the highest bidder.
What can public sector organizations do?
One key thing to remember is that cyber criminals are opportunists. That means even if they aren’t specifically targeting a government or local authority, they could still cause some severe damage by proxy. By far, this comes down to two effective and cost efficient work streams. Having a cyber response plan for when the inevitable happens and user awareness and education. The public sector often has tight budgets when it comes to cyber security but its critical for public sector organizations being as prepared as they would be for a fire, and having a concise and tested plan of action should a cyber breach occur. Budget for staff training is even tighter, and having staff that are able to recognise ransomware or phishing scams, and are willing to use tools like two-factor authentication, is going to be critical in the public sector’s defence against rising incidents of cybercrime.
It’s true that up to date software and infrastructure are critical components of a robust security model, but as with all aspects of business and government, it really does start with people. If people are trained well and made aware of the risks, an organization can increase its overall risk posture, and decrease the personal impact of any breach on the individual.
Steve Robinson is the CEO of Littlefish.