Protecting government institutions’ data: Who bears the responsibility?

UK security experts were alarmed by the Electoral Commission’s data breach revelation. The incident underscored the need to protect government institutions’ data

As details about the breach emerged over time and the significance of it became apparent, it became increasingly important for a discussion about the management of confidential data stored by the government.

Protecting government institutions’ data

This breach presents a risk to sensitive public data and how it is manipulated for malicious intent, especially where conversations around societal democracy and the integrity of our elections arise.

Institutions like the electoral commission are a data goldmine, holding vast swathes of highly confidential and personal data relating to the public.

This makes them a key target for cybercriminals, either as part of ransomware initiatives or for tailored scams.

Our research identified government bodies as the most impacted by malicious email phishing and having the sixth most detections as part of state-backed cybercriminal activity.

With the ramp-up of activity from state-backed and independent cyber criminals, robust data protection and security controls have never been more vital.

Cybercriminals have been undetected for a long time

As the Electoral Commission, the Information Commissioner’s Office (ICO), and National Cyber Security Commission (NCSC) have continued their investigations, the full scale of the breach has become apparent and quite concerning.

Systems had reportedly been compromised since August 2021, meaning that cybercriminals had been operating undetected for a significant time.

The potential for lateral movement across departments and operational units means threat actors had access to confidential voter data – including personal information and electoral habits.

The value of this data to those who seek to manipulate it maliciously cannot be understated. With the potential for data to be ransomed or sold to cybercriminals or scammers, the risks posed by this breach are stark.

We must toughen up governmental cyber defences

This is not the only incident of note that has impacted the political stage. Some parallels can be drawn to the Cambridge Analytical scandal in 2015.

Cambridge Analytica and Facebook illegally collected and misused confidential personal voter data during election periods, targeting social media users with manipulated advertisements.

From a societal and democratic perspective, these incidents raise questions about the validity and integrity of the UK’s election processes.

Even more recently, the 2022 Conservative Party’s leadership election was delayed due to cybersecurity-related concerns. With this level of uncertainty, incidents like these can be significant in impacting public confidence in the ability of our leaders and governing bodies to protect the public from cyber threats.

More must be done to shore up governmental cyber defences and have a more critical view of our existing security controls – mistakes are made to be learned from, after all.

However, while breaches like this are hard to defend from a procedural standpoint, what the government does next must pave the way towards better control.

Working towards securing our data

With these learnings in mind and the outcomes from any investigations conducted, what can be done to protect government institutions from future breaches – especially data-rich bodies like the Electoral Commission?

As a first step, IT security teams must have a 360-degree understanding the potential attack surface across their systems. This must be tested consistently to ensure flexibility, adaptability, and automation in the detection and response phases.

We must adapt to various cybersecurity systems

Cybersecurity is constantly evolving, with new techniques being utilised by threat actors that could cripple government institutions.

Therefore, ensuring controls are not siloed and mesh well with existing infrastructure is crucial to detecting and responding to emerging threats.

While there is no “one-size-fits-all” to cybersecurity, shifting focus and meeting attackers head-on will enable government organisations to gain the upper hand.

With a top-down, security-minded culture, the ability for threat actors to live under the radar can be limited, and public data can be protected.

This piece was written and provided by Fabien Rech, SVP & GM EMEA at Trellix