In the second article of this two-part series, Sascha Giese, Head Geek™ at SolarWinds, shares the final 5 steps that public sector organisations should adopt in order to form a robust security strategy.
Cybersecurity is crucial in today’s digital world. The public sector holds some of the most critical data in the U.K., and keeping it safe from all external—and internal—threats is one of its biggest challenges today.
In the first of these two articles, we covered the first five steps public sector organisations should take to change how they think about their cybersecurity to overcome this challenge. So far, we’ve explored: considering risk; tech environment knowledge; effective cyberhygiene; security at every level; and security as a trust-builder. We’ll continue by looking at the final five steps on this journey to build a stronger security strategy.
Get to know regulations inside out
New regulations can cause concern in organisations when they’re announced—IT teams may wonder whether they’ll be able to meet these new standards by the time they’re introduced, as they almost always require new processes and sometimes more advanced technology. In 2018 when the General Data Protection Regulation (GDPR) was introduced, many organisations may have struggled to implement the necessary changes required to be compliant.
Yet often, regulations such as these present new opportunities for IT teams who stay ahead of the curve (and present strong benefits for the public, whose data must be protected). Some key thoughts to keep in mind include:
- Realising regulation drives security. With additional requirements from GDPR or other regulations, organisations have been forced to incorporate better security. Meeting the regulations not only gets senior teams to take security seriously, but you also have guidelines to reduce potential data breaches in the future.
- Working in sync with any legal, audit, and compliance teams. In addition to each organisation’s regulatory drivers, there may also be external groups connecting with you for regulatory drivers. These requirements may incur auditing, monitoring, and other reporting responsibilities needing to be implemented (in terms of technology and process).
- Understanding that privacy regulations are growing. With GDPR, the scope of privacy regulations has greatly expanded. Now, organisations operating both inside and outside of the EU must comply with the regulation if they come into contact with the personal data of EU citizens. This will likely be a sign of things to come, as we’ve already seen with the California Consumer Privacy Act—we’ll continue to see an expanded scope and greater emphasis on data privacy.
Security regulations are nothing to fear. They improve the security not just of individual organisations, but for everyone in the public sector, making a safer world for the general public.
Security knowledge is security power
The cybersecurity landscape is changing and developing all the time, with many IT teams making the transition from 100% on-premises to relying more and more on the cloud to keep data backed up and easily recoverable. The key is to consistently update your organisation’s knowledge about security—both for internal users and for the wider industry in general. Here are a few key tips:
- Build a knowledge base. Ensure your organisation has the information and skills it needs to properly serve the public. Everyone in your organisation should be trained on the basics—such as the fundamentals of monitoring, access controls, credentials, and proper cyberhygiene. As teams learn how to be good security stewards, they’ll learn to make good decisions (e.g., spotting and avoiding social engineering scams) and be part of the solution when problems arise.
- Keep abreast of current events. Staying ahead of the curve requires much research and reading, and all employees in an organisation should keep on top of this. One of the easiest methods is to skim over daily articles and resources from a few key outlets sharing information on cybersecurity.
- Consider the benefits of certifications. Certifications can help your employees stay on top of the latest trends as well as provide frameworks to tackle cybercriminals. Consider joining ISACA (Information Systems Audit and Control Association) and gaining certifications through this organisation.
Prepare employees for the worst
The best security measures involve all employees because, no matter what, technology can only get you so far. As cyberattacks become more sophisticated by the day, the systems organisations put into place cannot be expected to keep pace consistently, and therefore employees are the next line of defence. This is why it’s important to offer regular security training for your employees. Teaching them good security habits—like changing passwords frequently, using different credentials for each service, and turning on device encryption on any mobile devices—will protect not only your organisation but also them as individuals. Sessions on these actions should be held regularly so all employees are constantly up to date with the latest advice, and can continue to build their knowledge.
It’s also important to send regular security updates to your employees and, when needed, to the general public—for example to patients of a local GP surgery. When a major attack occurs, a simple email from your organisation warning employees or the public not to open a particular email can save many people from being tricked by a convincing scam.
See security as the gateway to more services
Cybersecurity will always be important, and this importance is increasing by the day. But IT teams in particular should be aware their efforts to improve this can also lead them to useful contacts for other services and will benefit the organisation. For example, you could strike up conversations with external experts about layered security, or you could also discuss other possibilities like how to improve network performance or back up key documents if someone accidentally deletes a file. Many third-party security providers will also provide other services as part of their broader portfolio. Given the generally tighter budgets in the public sector, this might be a clever way to get multiple services in a bundle for a reduced price.
Don’t tackle cybercriminals alone
The world of cybercriminals is full of connections between different “members” of this community—they swap intelligence and experiences with their fellow criminals to continue to succeed in their cyberattacks. It’s therefore important for organisations to find their own allies in this fight. Whether by connecting with other local organisations, joining professional organisations, going to meetups or conferences, or by reading articles online and sharing them—staying in touch with a larger community of security experts will help everyone stay on the cutting edge in the fight against cyberthreats.
It’s also important not to limit this to cybersecurity communities—attending nearly any gathering for IT professionals can yield benefits. For example, attending sales training might teach you how to better position security to senior staff in the broader context of IT. It may also help you learn how to position risk better, making representatives more valued and trusted within the organisation to deliver the best advice.
Across this two-part series, we’ve discussed the ten best steps public sector organisations can take to achieve a level of security that keeps themselves, their employees, and the general public safe from cyberattacks. For an IT team yet to embark on any of these, it can seem like a daunting number of processes and activities to complete, but even taking one step on this journey can make a huge difference.