Holding the public sector to ransom

Marie Clutterbuck, CMO at Tectrade, examines the current cyber climate in the public sector and highlights some of the precautions organisations should take to shore up defences

Despite reports to the contrary, ransomware has remained a pervasive threat throughout many industries. According to the SonicWall Cyber Threat Report, the first half of 2019 has seen a dramatic resurgence of the crime, with a 195% increase in attacks on UK businesses. The public sector is increasingly being targeted, with new research revealing that nearly a fifth of UK public sector organisations reported more than 1,000 cyberattacks last year alone.

This change of target is perhaps symptomatic of public sector organisations rushing to keep pace with digital transformation and to modernise their infrastructure. But instead of a security led approach, organisations often prioritise new digital services and technology – only considering the security implications afterwards. This effort to expand digital services also create more avenues for would-be cyber criminals to exploit, as each new entry point to the network creates a new point of attack.

Additionally, unprecedented cost pressures over the past decade have left organisations underfunded and consequently over-reliant on patchwork legacy systems, outdated software and hardware that creates more vulnerabilities within the system.

And this isn’t only a UK wide problem. There’s been an alarming upturn in attacks across the US, where two cities in Florida were recently brought to a standstill and ended up paying a combined total of around $1 million for the safe return of their data. Schools across Louisiana have also been hit – with the governor even declaring a state of emergency as a result.

Atlanta and Baltimore have also been hit. Baltimore’s March 2018 attack is a prime example of how ransomware attacks are increasingly crossing the cyber sphere into the physical one and can endanger real lives, as the city’s 911 system was brought down for up to 17 hours – severely crippling emergency services. Even the South African capital of Johannesburg has felt the impact of such attacks, as the city suffered sporadic blackouts across the city when its power grid was hit by ransomware back in July this year.

The argument rages on about paying for your data and systems to be unencrypted, with many pointing out that paying only perpetuates the crime. When you consider that the ransom demand for Baltimore’s attack earlier this year was only 13 Bitcoin (roughly £125,000 as the value of Bitcoin currently stands) – a relatively low figure compared to the potential repair costs – it may seem that paying might be the best option as repair costs can be up to 10 times the value of the ransom price. However, as reported by SentinelOne, as little as 26% of those who pay have their data safely returned back to them. And even when returned, there is no guarantee it won’t have been tampered with and is safe to use.

Furthermore, the debate is even more contentious in the public sector, because these organisations use public money and are thereby obliged to keep the public informed, unlike their private counterparts where many attacks, and subsequent payments, often remain undisclosed. This means that whatever the outcome may be, the government officials are always accountable to the taxpayers which makes the process a whole lot more complicated than simply opting to pay the ransom demand, no matter how small it may be. It’s a difficult dilemma as city administrators have to weigh up paying the ransom against having an entire city brought to a standstill and potentially paying millions on repair costs.

So far, the UK public sector has gotten off relatively lightly in comparison to its western neighbour. But as we’ve seen in several other sectors, it isn’t a question of if, but when. In fact, The National Cybersecurity Centre (NCSC) expects there to be a category 1 attack in the country in the near future, and to put that into perspective, WannaCry – which deeply affected the NHS in 2017 – was only a category 2. It’s clear that the UK public sector needs to take heed of the incidents that are happening around the world and take a more proactive approach to cyber security – rather than a reactive one where any measures taken will already be too late.

With this in mind, organisations need to rebalance their priorities and put more stock into crisis preparation, rather than only focusing on preventative measures. To the layman it may sound like a surprisingly mundane solution, but organisations must have effective back-up and recovery measures in place to prepare for the inevitable cyber-attack, or even simple IT failures, which still today is all too often overlooked. With the so called ‘zero-day’ recovery approach, data is organised according to its operational and strategic value, to allow operations to resume as quickly as possible in case of a breach.

In practice, this means that the most important set of data or systems to business continuity is scheduled to be recovered first, within minutes if need be, while other less critical workloads can be left to wait a little longer. This ranking allows organisations to benefit from the cost-efficiencies of slower recovery times for less critical information whilst ensuring business can continue as normal in the meanwhile. An effective storage backup system requires backups to be stored offsite in a variety of servers, both physical and cloud, to ensure a backup will always be at hand when the need arises. For any of this to work, however, the recovery strategy needs to be prepared for in advance – before an attack has a chance to take place.

This kind of approach won’t make organisations invulnerable, but by preparing for the worst and setting up appropriate recovery systems public organisations will have a fighting chance for when the worst happens. And crucially, allow them to recover data without paying the ransom, leaving them with happy constituents, a clear conscience and keeping them out of the polarising debate.