How to enhance the cybersecurity landscape in the public sector


When it comes to cybersecurity, the public sector is renowned for being severely underfunded, which limits the resources it can depend on. To make the cybersecurity landscape worse, there is a shortage of available security talent to fill an ever-growing list of positions.

Unfortunately, this has left the door wide open for the sector to be targeted and exploited by cybercriminals.  

From military and law enforcement to transportation, education and healthcare, organisations in the public sector must juggle the protection of sensitive data on their systems while continuing to adopt more digital services and technologies. Naturally, cybersecurity gaps appear, leaving valuable personal information within reach of prying eyes.

The rise in attacks: The bleak cybersecurity landscape

When examining the cybercrime landscape from 2023, there was a meteoric rise in attacks. In the third quarter of the year, global ransomware attacks were up 95% from 2022. The global average cost of a data breach jumped to $4.45 million this year, a 15% increase over the last three years. Additionally, social engineering and its multiple variants — phishing, vishing, spear phishing, smishing, and others — remain the most common entry point for between 70 and 90% of all malicious breaches.  

Social engineering is a growing threat in today’s digital world, where attackers use manipulation to gain access to sensitive information. We must understand the mindset behind social engineering and discuss how attackers use deceptive tactics to gain trust and access. Attackers have various motives for these attacks, and they rely on psychological techniques to gain access. It’s important to know how to recognise and protect against social engineering attacks, as well as how to create a culture of awareness and prevention in your organisation. By understanding the psychological elements of social engineering, the public sector can better protect itself from these threats.

Furthermore, the rise of Generative AI has presented a new concern because it allows hackers to engineer new malware faster, design better-quality messages and even produce phone calls that more accurately mimic natural language. As such, the speed, scale and scope of attacks against the public sector will only continue to grow.  

The UK cybersecurity landscape

In the UK, public sector organisations have faced some significant attacks. For example, security incident trends data released in November 2023 by the ICO noted that there were 10 ransomware attacks on England’s central government in the first six months of 2023, doubling the total number of successful attacks on Whitehall departments since records began in 2019.

In January 2023, the Royal Mail fell victim to a ransomware attack at the hands of LockBit. The group hacked into the UK postal service’s software and blocked all international shipments by encrypting files. In June 2023, Barts Health NHS Trust, the largest health trust in the UK, was hit by a ransomware attack by ALPHV, aka BlackCat. The attackers claim that 7TB of sensitive data was stolen in what is believed to be the biggest breach of healthcare data in the United Kingdom. In August 2023, the UK Electoral Commission issued a public notification that its database had been breached and the personal data of approximately 40 million people exposed.

And these attacks are just the tip of a very big iceberg

Yes, let’s break it down. If 70 to 90% of ransomware attacks are the result of social engineering and phishing, then fortifying the most vulnerable link in the cybersecurity layer – the human – can be the most cost-effective way to help organisations better protect themselves against the rising wave of attacks in the public sector.

Empowering the human security layer

It’s only natural that individuals lacking the knowledge to spot security threats will be more likely to be duped by them. Likewise, those who are not aware of their organisation’s processes for reporting cybersecurity threats cannot be relied upon to be the last line of public sector cyber defence. These issues can be avoided if organisations in the public sector implement regular security awareness training along with technology that enables the workforce to report threats.

Modern security awareness training consists of a variety of educational elements designed to engage and inform staff of all backgrounds, experiences and ages on how they can improve their own security awareness. This includes interactive training modules, videos, posters, games and newsletters. In doing so, the organisation’s security culture will begin to strengthen. Ultimately, addressing the human element of security by raising awareness about ransomware, CEO fraud and other social engineering tactics requires a new-school approach to security awareness training, one which will mobilise end users as the last line of defence and reduce human risk.

This piece was written and provided by Javvad Malik, lead security awareness advocate at KnowBe4
