Digital technologies are transforming organisations of all sizes in all industries. The objectives of these programmes are universal: they seek to drive efficiency and improve levels of service, opening up new ways of working in the process.
At the heart of digital transformation is the greater collection, analysis, and sharing of data between interconnected applications and devices. The expansion in the volume, variety and sensitivity of this information makes even the smallest organisation an attractive target for cybercriminals.
Because of the increased risk from cybercriminals, the government has introduced legislation that places security and privacy obligations on any entity (private or public sector) that handles personal data. Worryingly, the public sector has so far received of the majority of all fines issued by the UK data protection watchdog.
The need to shift away from traditional infrastructure-based security strategies towards a data-based approach is universal – so why is the public sector finding it so difficult?
The state of security
Issues of culture, resources and skills prevent public sector organisations from having the necessary agility to make changes. Some publicly funded and charitable institutions believe that they must hold themselves to higher standards than the private sector, because they are accountable to taxpayers and donors. A tender that might be approved in a few days in the private sector could take several weeks.
Additional red-tape and competing budgetary priorities can also add to the time it takes to get the necessary approvals and funding to make changes or sign off on purchases in the public sector. The need to adapt to the digital era is increasingly understood, but due to ongoing structural impediments, some organisations are still reliant on aging technologies and processes that inhibit their ability to move towards a new model of security.
Such challenges are compounded by a lack of in-house expertise. The ongoing shortage of cybersecurity skills is not unique to the public sector, but lucrative salaries at large corporations make it more difficult to recruit the best talent. Often, finding candidates with the right mix of knowledge and experience is next to impossible. Outsourcing is an effective way of coping with this shortage, but some departments face bureaucratic obstacles that prevent them seeking outside help.
The public sector’s data breach problem can also be explained by the type of data in its possession. While all organisations would suffer from disruption caused by an attack, the sensitivity of information handled by public agencies and their importance to everyday life make the consequences of a breach far more significant.
Local councils have details about the most vulnerable people in society. For example while NHS trusts possess extremely sensitive data that could cause serious harm or distress if it was to fall into the wrong hands. The issue of cybersecurity can even be a case of life or death. Earlier this year, the first ever human death indirectly caused by a cyberattack was reported in Germany after a ransomware attack delayed urgent treatment to a patient. Very few, if any, private sector organisations can afford that risk.
Other institutions have access to both personal and commercially sensitive data. For example, universities must protect the corporate and government information they are entrusted with, as well as the findings of research projects. The combination of lucrative bounty and lacklustre security is a tantalising prospect for hackers seeking to maximise their returns.
A simple example of a security risk would be a lecturer having access to sensitive information on a personal smartphone that isn’t controlled by IT, or subject to policies such as encryption and multi-factor authentication. This could prove disastrous if the device is compromised or lost. It would most likely result in a significant financial penalty.
The new normal
The recent reliance on communication and collaboration tools in the workplace has highlighted both the value of digitisation but also the need for data-based security strategies.
There has been a surge in hacking attacks on home workers as criminals seek to exploit any weaknesses and people’s natural curiosity for information. New attack vectors have emerged, including unsecured Zoom video chats and, again, the public sector has been a major target.
One report suggested that a quarter of local government workers are using consumer file sharing tools to complete work tasks. Meanwhile, the National Cyber Security Centre (NCSC) recently issued an alert to the academic sector following a spike in ransomware attacks following the return of students in September.
The consequences of a successful phishing attempt or ransomware attack might not materialise for months, or even years to come, but can undermine public trust in institutions and cripple essential services. The need for modern security technologies, processes and training in the public sector has never been more clear.
Fortunately, change is happening. The spectre of huge fines for GDPR infringements has sparked action, awareness, and a desire for specialist knowledge. True transformation doesn’t take place overnight, but there are a couple of ‘easy wins’ to increase protection by tapping into the knowledge of partners and vendors.
The first is through the greater adoption of cloud applications and infrastructure. The cloud not only aids wider digitisation efforts but is also more secure than legacy infrastructure thanks to investments made by public cloud vendors (Microsoft spends £1 billion on protecting Azure every year) and because updates are applied automatically.
Many of these cloud platforms have government-specific security certifications that allow them to host public sector workloads and store sensitive data.
The second is to become smarter with cybersecurity purchasing. There’s no point in buying products that can’t be used to their fullest potential because of a lack of resources, or buying many different technologies that don’t work together effectively. Public sector organisations should centralise their security tools through a management platform or via an outsourcing agreement that creates real value.
Some departments find it difficult to outsource security because of the associated red tape, but two thirds of public sector organisations are pursuing this path. Working with a trusted partner can help offset the skills gap and ensure that organisations have the right level of protection.
Find out how Insight can help public sector organisations protect themselves in the new normal. Call your Account Manager today: 0844 846 3333