Government bodies are targeted by cyber criminals intending to steal sensitive data or launch a disruptive ransomware attack, says Jon Fielding

Government bodies have strengthened their defences in recent years, in line with the policies and investments set out in the Government Cyber Security Strategy 2022-2030. However, security teams mustn’t underestimate the ever-increasing ‘internal threat’ posed by employees who store, process and transport data on mobile devices.

Each year, Apricorn issues Freedom of Information (FoI) requests to several UK government departments to examine the security of devices held by public sector employees. This time, HMRC disclosed that 635 devices had been lost or stolen over the last year, including 387 mobiles, 244 tablets and four USB drives, a 45% increase on the same period in 2020-2021 (346). The Department of Business, Energy and Industrial Strategy admitted to 204 lost and stolen devices – almost double the 107 declared the previous year.

The Home Office had 469 devices lost and stolen in the year to September 2022. The Ministry of Defence (MoD) was not far behind, with 467 mobiles, tablets and USB devices unaccounted for. The Prime Minister’s Office reported 203 misplaced devices, while the Department for Education (DfE) confirmed the loss or theft of 356 devices, including 296 USB drives.

While people will lose devices, we would hope to have seen the numbers decline over time as cybersecurity becomes more established within the public sector.

Patrolling the new ‘edge’ in cyber strategy

Security teams need to rethink their cyber strategy in terms of the nebulous new perimeter that has been created as employees work on a more flexible and peripatetic basis.

Each day, networks, databases and systems are being accessed from myriad locations and myriad devices. In parallel, as in other industries, the IT environment in government bodies is becoming more decentralised. The more that people work out of the office, the less they want to have to depend on IT to get tasks completed. The resulting reduction in contact with the IT team will lead to lower visibility and control over what users do.

The individual employee, and the devices and data they use to carry out their work, are now the ‘edge’. It’s these endpoints that cyber-attackers will have in their sights – and which need to be protected.

Government bodies must bring policy to life

The foundation of this protection must be a set of security policies and procedures that are robust, regularly reviewed and well-rehearsed. These should cover the types and models of devices that are approved by the organisation for work purposes and set out precisely how they are to be used by employees.

Best practice security measures should be laid out step by step – including the basic ‘security hygiene’ that can easily be skipped or forgotten about when someone is distracted or lets their guard down. Policies need to be user-friendly and must not slow people down; otherwise, users are likely to find a workaround to win back their productivity.

A comprehensive and ongoing awareness programme will maximise understanding among employees of the risks associated with the devices they use and the data, applications, tools and systems they access from them. All training should be contextual – tailored specifically to the organisation, its activities, and the threats it faces. Spelling out the consequences of failing to adhere to the policy will help to secure user engagement.

Security policies should be enforced through technology at the endpoint wherever possible to remove the need for the employee to decide; for example, by locking down USB ports so that only those devices approved by policy can be used.

Automated encryption is an essential security component

Humans will always be susceptible to slips in concentration, which could easily result in a smartphone or USB being dropped in the street, for example. This is why the automated encryption of data on all devices as standard is an essential component of security – ensuring that any information held on them will be unintelligible to anyone without the decryption key. All the government bodies questioned by Apricorn confirmed that their missing devices had all been encrypted, which is really positive news.

Hardware encryption generally provides better protection than software encryption, as the keys are held safely in a crypto module that blocks brute-force attacks. At the same time, all cryptographic operations take place on the device itself.

Strengthen supply chain security to avoid data loss

Many public sector organisations rely on a vast and complex ecosystem of third-party providers and contractors to carry out their services. This expands the number of endpoints that are accessing sensitive and confidential data, creating significant risk.

Organisations must work with all of their partners and suppliers to identify and assess these risks and extend device security policies, controls and training to the relevant external teams. Writing requirements into contracts is a good way of making sure third parties are held to account.

The loss or theft of a device that stores or connects to government data could have a devastating impact on any public body and the communities, businesses and individuals it serves. It’s concerning to think that entities which hold so much responsibility, and retain so much confidential and personal information, are still so vulnerable to this kind of event.

Building resilience into the new perimeter created by a disparate workforce and their devices must incorporate policy and best practices, be reinforced with appropriate technology, and be supported by comprehensive education.


Written by Jon Fielding, Managing Director EMEA, Apricorn
