Key cybersecurity threats in the public sector

The public sector is not the private sector. So far, so obvious. But the difference isn’t just about the definitions – it’s in the details. Public sector organisations face different challenges around responsibility, funding, profitability and (wait for it) cybersecurity. 
 
Former US military CISO Gary Hayslip moved into the private sector in 2016, and describes those crucial differences in quite some detail. Public sector organisations accept cybersecurity directives as a necessity, but they don’t always have the budget or the mindset to implement them; they don’t have the corporate culture that makes fast change in large doses possible.
 
Of course, many cybersecurity professionals are looking to go back the other way, moving into the public sector. Public sector organisations are often well aware they have a skills gap to close and a talent shortage to meet. If either of these descriptions sounds like you, it helps to understand why the public sector is so vulnerable to cyberattacks, and what challenges face those who would prevent them.
 

Why is the public sector a target?

 
In October 2018, a ransomware attack called WannaCry shut down 200,000 computers across the world, including machines in the NHS infrastructure. The hack caused 19,000 appointments to be cancelled, costing the NHS £20 million in a week and £72 million in cleanup and upgrades. It’s important to understand this wasn’t an attack on the NHS specifically; this was a sweeping attack on any vulnerable computer, which happened to include a good-sized chunk of the NHS’ machines. The public sector doesn’t have to be a target in order to be affected.
 

This isn’t to say that cybercriminals don’t find the health sector worth going after. A medical record is worth ten times as much as a credit card number on the black market. That’s why 34.5% of data breaches around the world take place in healthcare, compared to 4.8% in banking. (Education and the military hover between the two, at 9% and 6.6% respectively.) 
 
Cyber attacks on public sector bodies also come from hacktivists — people using cyber attacks to protest, promote or demonstrate a political point, like the hackers who shut down UK police websites and distributed stolen police data to oppose the arrest of Julian Assange in April 2019. These may be small acts of protest against schools and employers, whistleblowers casting an unwelcome light on the inner workings of the public sector, or international movements targeting corporations and governments on a grand scale.
 
Then, of course, there are state-sponsored cyber attacks – the “Russian hackers” you hear about on the news. In 2018, the National Cyber Security Centre identified a dozen cyber attackers as sponsored and supported by the Russian military intelligence service, and NCSC leader Ciaran Martin predicts that “we will be tested to the full, as a centre and as a nation, by a major incident at some point in the years ahead; what we would call a category 1 attack.” That is to say, an attack which causes sustained disruption of essential services or affects national security on such a large scale, and with such severe economic or social consequences, that people die as a direct result.
 
The public sector is vulnerable not only because it’s a politically and financially rewarding target, but also because the data it holds is so sensitive. Public sector organisations handle records of care, vulnerability and abuse; they hold intellectual property related to cutting-edge research; they represent a state body and its operations, and a successful attack on them is a successful attack on the state.
 

What are the challenges specific to the public sector?

 
Budget constraints are a constant issue across the public sector. In this age of austerity and disruption, IT managers are often told to do everything with nothing – move with the times and bring in the latest technology on a budget which is at best frozen and at worst being cut.
 
There’s also the known skills gap around cybersecurity. Industry estimates suggest there could be three million unfilled vacancies in the cybersecurity sector by 2021. Demand, bluntly speaking, is outstripping supply.
 
Then there’s a misconception around cybersecurity’s value to public sector institutions. As institutions are forced to prove return on investment in order to secure funding, their leaders start to look for profitable ventures rather than preventative technologies and training.
 
Finally, there’s the public sector’s attitude to new technology. As society undergoes a digital transformation, as more data is stored, more applications run from the cloud, and more work is done virtually, public sector networks need to grow by 15-25% per year. Existing hardware struggles with the scale and complexity of user demand. It’s a problem because the public sector has historical concerns about the security of new technology, and tends to lock down data, restrict network expansion, and rely on proven solutions. This isn’t sustainable, even in the short term, as users will demand mobile access to government services and to their own data.
 
The good news is that cybersecurity isn’t just a preventative approach. The cultural changes and tech investments necessary to bring public sector bodies’ cybersecurity up to snuff also make daily operations more efficient and organisations more agile. Resulting improvements in productivity could save the NHS £14.8 million a year.
 

What can the public sector do to protect itself against cybersecurity threats?

 
Now we know the threats, what does the industry need to do about them?
 
WannaCry was preventable – the ransomware program only spread through the NHS because the people using machines didn’t install software patches, and the people buying machines didn’t spring for a newer operating system.
 

60% of cybersecurity breaches in the UK are attributed to human error; general carelessness and staff failing to follow policies are primary contributors to poor cybersecurity practice. It’s not enough to have a policy. The institution needs to follow that policy, investing time and money in both newer, more secure technologies and appropriate training to keep those technologies secure. The people at the top of a public sector institution need to understand that, sooner or later, cybercrime will cause deaths. It’s not an IT problem that they don’t have to worry about.
 
Once institutional leaders start to take cybersecurity seriously, they can make concrete changes by bringing in the right talent to protect their institutions. The government is aware of the cybersecurity skills gap, and is rolling out initiatives like the Cyber Schools Programme and the new cybersecurity apprenticeships – a collaboration between private and public sector bodies.
 
On the whole, public sector bodies in the UK are moving in the right direction. 77% of public sector organisations claim they’re undergoing digital transformation, driven by concerns about efficiency and service provision. The public sector doesn’t have to make a total pivot that it’s not prepared for – this is more of an adjustment, a course correction on a journey that organisations are already taking.
 
 
Public sector organisations face a unique combination of cybersecurity threats. Being state bodies, they’re attractive targets for hacktivists and state-sponsored hackers from abroad; holding sensitive data makes them lucrative targets for conventional cybercrime. 
 
Tight budgets and a historical “best left alone” approach to new technology mean the sector’s falling behind the technology curve, while user demand and flexible working create a need for bigger, looser networks with more mobile and virtual devices included. 
 
Preparing to meet these threats isn’t just a matter of spending money and upgrading machines, though. It demands a cultural shift toward taking cybersecurity seriously. To close the loopholes which human error leaves in cyber defence, public sector organisations need to sponsor and recruit the right talent.
 
 