Nash Kapoor, VP EMEA at Alsid, discusses the key consideration for local governments looking to protect digital infrastructure from cybersecurity vulnerabilities
With research indicating that local and regional authorities face an average of 19.5 million cyberattacks each year, a figure equating to 37 cyberattacks per minute, it has become essential for such organisations to understand the grave nature of this danger. In order to protect vital services and critical data, all types of government must be aware of the vulnerabilities in their digital environments and the resources needed to combat this growing threat.
This is especially important at a time when the economy is contracting due to COVID, and local governments are under financial pressure as well as pressure to make the best possible use of resources by focusing on priority areas. Very few leaders in any sector would relish adding ‘responding to a ransomware attack’ to their organisation’s to-do list in the current climate.
Recognising the threat
Understanding key vulnerabilities is essential to developing an effective and sustainable cybersecurity strategy, which is not as difficult as it may initially seem. Most cybercriminals take the same routes of attack, targeting similar assets and benefiting from a lack of wider understanding of their methods. Indeed, one report from 2018 found that three in four councils had not provided the mandatory cybersecurity training to staff, with 16% not providing any training at all. Training is only one part of the puzzle, but all organisations, big and small, benefit from more effective security training. This applies to IT teams as much as it does to employees in other parts of the organisation, since some areas of the IT estate can be forgotten or assumed safe, when in fact they require more care.
The Microsoft Active Directory (AD), which manages the systems access control rights of users, can be a powerful tool to prevent cybercriminals from infiltrating an organisation’s infrastructure by neutralising numerous different threats and attack vectors – if it is properly configured and monitored. When a local government employee seeks access to a file on the authority’s server, the AD verifies their identity and access rights. But once a cybercriminal has penetrated a network’s peripheral protection – and today this is a question of ‘when’ not ‘if’ – manipulation of access controls through the AD is a common hacking approach. By changing access rights, a hacker can readily gain control of admin rights and systems, disrupt the provision of essential services, and steal sensitive data such as personally identifiable information (PII). Stolen public data is a lucrative commodity for cybercriminals because of the nature of the data local authorities and governments hold.
It makes sense to focus on the AD because it is the target of so many different types of attack. Ensuring it is properly secured is not a security panacea, but pound for pound it will protect against a higher number of different types of attack than many other IT security investments. The focus is also warranted because the AD is inherently vulnerable due to misconfigurations or a lack of knowledge on how to properly secure it.
The level of vulnerability in the AD varies across organisations, predicated on an organisation’s cybersecurity strategy and protective architecture. Some deploy software as an additional layer of security, but this is often bypassed by sophisticated hackers. The wider issue here relates to awareness and the consistency of systems monitoring. Many local authorities (and plenty of other organisations) cannot afford to simply implement and manage yet more security software to safeguard access rights to their systems. They must adopt an intelligence-based strategy, managing access rights and operational efficiencies through constant monitoring and proactive intervention.
The bigger picture
Wider developments in the digitisation of infrastructures by local authorities bring a range of benefits. These include data-driven improvements to budget and resource efficiencies, more targeted end-to-end service provision, and better crisis management capabilities. But with almost half of councils in the UK having been the target of cybercriminals since the beginning of 2017, it is crucial for local authorities to understand the nature of their own cyber vulnerabilities. And, considering the benefits that digitisation delivers, there is an onus on authorities to be proactive in devising and monitoring their own digital defence strategies.
A case in point
In the summer of 2019, the United Nations’ European headquarters in Geneva and Vienna suffered a major cyberattack focusing on the Active Directory, showing other organisations exactly how not to be cyber secure. With the hack being discovered over a month later, upward of 40 of the institution’s servers were infiltrated, with the hackers syphoning approximately 400GB of sensitive data. Upon investigation by an IT forensics firm, a series of security holes in the UN’s digital architecture were discovered, which the hackers had exploited to gain access.
Taking advantage of weaknesses in the system’s security protocols to remotely bypass logins and issue system-level commands, they managed to gain access to a vulnerable SharePoint deployment from where they could give themselves admin access to internal networks. In this way, they infiltrated the UN’s Geneva headquarters and then the office of the United Nations Commission for Human Rights (OHCHR).
This ability to override login safeguards amounted to a fundamental security breach, and this incident demonstrates the necessity of organisations developing a digital security strategy at the point of access. Auditing for vulnerabilities is also something that should be undertaken at regular intervals and not just after a security breach has occurred.
Cybersecurity must be a fundamental consideration for local authorities even when budgets are under pressure. In the context of local government, the impact of any cyberattack can be detrimental to stakeholders ranging from authority staff to service users in the community. An operational culture with a focus on security begins with leadership – and this must come from the top of the organisation, not only the top of the IT function. It is vital that elected representatives and corporate leaders alike are equally informed and engaged with this important issue to prevent more data breaches resulting in GDPR fines and service users’ data being released into the wild.
To avoid the doomsday scenario of a huge data breach or crippling ransomware attack, an awareness of the importance of data security must be nurtured across all areas and departments of local government. A robust infrastructure will ensure that all essential data is backed up to mitigate the worst effects of human error or cyberattack. But on top of this, an awareness of security in terms of all operations and data generation is paramount. This includes work email and the management of personal access details. Those are all fundamental building blocks, but primarily local authorities must manage all systems access rights and operational efficiencies through constant and proactive security awareness.