Many large-scale organisations in the public sector are becoming increasingly aware of their vulnerability to cyber security attacks: how do we improve digital security in the public sector?
Even if they have equipped themselves with the best, cutting-edge security technology available in the market today, few can rest on their laurels when it comes to the very real possibility of being targeted by hackers. In fact, when it comes to the crunch, technology doesn’t provide the solution to a cyber attack at all; people do. That is why the importance of understanding the best response to an attack at the point of impact cannot be overstated.
What makes this sector so vulnerable is that it has access to, and retains, a unique and extensive data set covering every aspect of every citizen’s life from birth to grave. Private companies, in general, only know what people are willing to tell them, so the information they hold is limited to the transactions we make and the relevant supporting data. In most cases a security breach within a private company won’t be life-threatening, though it might be costly in terms of reputational damage and may equally cost some customers money. In contrast, the reality is that some public sector organisations hold data whose compromise may cost people their lives.
Two of the most important threats facing the public sector:
1. Loss of personal data to criminal intelligence networks, or to individuals whose use of the information will certainly cause major issues; for example, if your tax records got into the hands of unauthorised parties.
2. Data unavailability or data corruption, such as when the NHS was held to ransom by WannaCry. In this case, when patient records cannot be accessed quickly at the point of an emergency, there’s a real risk that seriously ill people could die as a result.
Although these threats are significant in terms of impact, there are a number of other areas for concern too. Data leakage is relatively rare within public sector organisations, but it often makes it into the public eye. Mostly it causes embarrassment, but occasionally the threat is more serious: officials who lose USB memory sticks, tablets and laptops left on trains, or staff using public Wi-Fi hotspots, which are easy to hack. Any of these common incidents can mean a password becomes known to an unauthorised person, which in itself poses an increased threat.
As software development becomes more agile, increasing use of containerisation can mean some loss of visibility for IT Managers who may not be aware if new releases are adequately protected or not. This is easily corrected by using vulnerability scanners, but busy development teams don’t always keep up to date with the necessary activity and sometimes these scenarios can slip under the radar.
Reaction and response
How organisations react and respond to a threat is, of course, the most important aspect to prepare for. The recent publication of personal information about hundreds of German politicians, including emails and personal chats, is just one real example of a situation where the response could have been handled differently. The Government might have wanted to keep quiet about exactly what happened regarding the leak of data (to avoid further attacks), but anodyne statements that amount to little more than “we’re looking into it” don’t exactly reassure the general public. Arguably most of us would not regard embarrassed politicians as that important, but if you turn that on its head and imagine everything about you personally being published online, it conjures up a very different picture.
When FIFA was hacked in March last year, it kept that revelation to itself until the confidential information started to find its way into journalists’ hands in November. Being reactive in this way is not a good position to be in; best practice adopts an ‘honesty is the best policy’ approach, so that members of the public get the earliest possible warning that their data has been, or may have been, compromised.
So how can public sector organisations adopt the right strategy for reacting and responding to threats and security breaches, should they happen? One positive example in many countries is the complete separation of highly sensitive systems from the outside world. Put simply, if the database containing highly confidential information can ONLY be accessed from within a secure space, then it cannot be hacked remotely, especially when the machines have no USB ports. This is, however, not compatible with making government services accessible to citizens in digital form.
Two-factor authentication is also becoming increasingly common (similar to the scenario where you log in to your own internet banking and the transaction can only be completed with a special code delivered to your mobile phone). Using password managers, rather than allowing people to set a memorable, and therefore weak, password for themselves, is also becoming more widespread. It’s still not uncommon to see obvious passwords being used by IT professionals, who should know better.
The most important aspect of responding to a security breach when it happens is early detection. Hackers can often be detected by unusual behaviour on the system, but only if you invest in up-to-date tools to detect this activity. Once you have detected odd behaviour, you must have an experienced security investigation team ready to investigate immediately, and if there is the slightest doubt that data could be open to attack, you should shut down access to the relevant systems at once. If your organisation lacks those capabilities, it may be better to use a trusted cloud service to host the data.
There are also regular steps organisations can take to prepare for the worst. These include regular vulnerability checks, which are important because they ensure your threat protection measures are up to date: scanners, event monitors, blockers and the like are only useful when they are equipped to deal with the newest malware. This is all extremely costly, but on reflection much less so than the consequences of a successful cyber attack.
Locate the ‘cause of the cause’
Effective problem-solving in the event of a data breach means identifying the root cause of the attack, so always seek to identify the exact difference in behaviour of a suspect system when compared with normal operations. If you can characterise the symptoms accurately, your security experts will find it much easier and faster to diagnose the problem and put a stop to it.
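The "detect unusual behaviour" advice above and the "exact difference from normal operations" advice in this section both come down to the same mechanism: build a profile of what a user or system normally does, then report where a suspect window departs from it. The following is an added example, not code from the original article or from any product it mentions; the access records are constructed sample data for a hypothetical records system, and the three rules (unseen login hour, unseen source address, access volume far above the user's own maximum) are illustrative choices rather than a standard.

```python
from collections import Counter, defaultdict

# Constructed sample access records: (user, hour_of_day, source_ip, records_accessed).
# BASELINE represents a period of known-normal operation for two clerks;
# SUSPECT is the window an investigator wants to compare against that baseline.
BASELINE = [
    ("clerk_a", 9, "10.1.1.20", 12), ("clerk_a", 10, "10.1.1.20", 15),
    ("clerk_a", 11, "10.1.1.20", 9), ("clerk_a", 14, "10.1.1.20", 14),
    ("clerk_a", 15, "10.1.1.20", 11),
    ("clerk_b", 8, "10.1.1.21", 20), ("clerk_b", 9, "10.1.1.21", 18),
    ("clerk_b", 13, "10.1.1.21", 22),
]

SUSPECT = [
    ("clerk_a", 10, "10.1.1.20", 13),        # looks like an ordinary day
    ("clerk_a", 3, "10.1.1.20", 14),         # 03:00 login never seen before
    ("clerk_b", 9, "203.0.113.7", 19),       # usual hour, unfamiliar address
    ("clerk_b", 13, "10.1.1.21", 400),       # bulk read far above normal volume
    ("svc_backup", 2, "10.1.1.50", 5000),    # account absent from the baseline
]


def build_profile(events):
    """Summarise each user's normal hours, source addresses and access volumes."""
    profile = defaultdict(lambda: {"hours": Counter(), "ips": set(), "max_volume": 0})
    for user, hour, ip, n in events:
        p = profile[user]
        p["hours"][hour] += 1
        p["ips"].add(ip)
        p["max_volume"] = max(p["max_volume"], n)
    return profile


def find_deviations(baseline, suspect, volume_factor=3.0):
    """Return one finding per rule violated by each suspect event.

    Each finding is a dict with the user, the kind of deviation and a
    human-readable detail, so the output can feed an investigation ticket
    rather than just a log line.
    """
    base = build_profile(baseline)
    findings = []
    for user, hour, ip, n in suspect:
        p = base.get(user)
        if p is None:
            findings.append({"user": user, "kind": "unknown_user",
                             "detail": "no baseline activity for this account"})
            continue
        if hour not in p["hours"]:
            findings.append({"user": user, "kind": "unusual_hour",
                             "detail": f"activity at hour {hour}, baseline hours "
                                       f"{sorted(p['hours'])}"})
        if ip not in p["ips"]:
            findings.append({"user": user, "kind": "new_source",
                             "detail": f"source {ip} not in baseline {sorted(p['ips'])}"})
        if n > volume_factor * p["max_volume"]:
            findings.append({"user": user, "kind": "volume_spike",
                             "detail": f"{n} records accessed, baseline maximum "
                                       f"{p['max_volume']}"})
    return findings


def summarise(findings):
    """Group deviation kinds by user, which is the view an investigator starts from."""
    by_user = defaultdict(list)
    for f in findings:
        by_user[f["user"]].append(f["kind"])
    return dict(by_user)


if __name__ == "__main__":
    for f in find_deviations(BASELINE, SUSPECT):
        print(f"{f['user']:<12} {f['kind']:<14} {f['detail']}")
```

The value of the output is not the alerts themselves but the "difference from normal" each one records: an analyst handed "clerk_b read 400 records against a baseline maximum of 22" has the symptom characterised and can go straight to the cause. In a real deployment the baseline must be rebuilt as legitimate behaviour changes, and the new-source rule in particular needs tuning (mobile and VPN addresses churn), otherwise the team drowns in noise and the genuine deviation is missed.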
If a cyber attack strikes, the principles are just like those of a crime scene: you have to look at which way the body is lying and the angle at which the bullet entered in order to build on the initial investigation. So the vital questions to be asking are: how exactly was the breach identified, and in what way was the system behaving out of the ordinary at that time?
Responding quickly while under pressure can be difficult, of course, particularly when you are dealing with the compromise of life-critical data. For the technical teams involved, it’s important that directors support them in going an extra step or two in the investigation: not just looking into the cause of this specific data loss, but the cause of the cause itself.