Gearing up the public sector’s cybersecurity management

John Hurst, Public Sector Sales Director, CyberArk, discusses why the public sector is in dire need to gear up its cybersecurity management

The introduction of GDPR four years ago was aimed at all organisations to account for their data governance policies. The regulation empowered European regulators to impose fines of up to £17 million, or a whopping 4% of total annual worldwide turnover, whichever is higher. A single breach, originating from a single mistake or misjudgement, can result in significant levels of damage to an organisation. Recent reports have even estimated that, since GDPR’s introduction, fines have now amounted to over £430 million.

The media’s attention has largely focused on penalties incurred by private organisations such as Google, which received a £44 million fine in January 2019, and Marriott, which was handed a £99.2million fine for a breach dating back to 2018. But public sector organisations have long been a prolific hunting ground for hackers. Curiously enough, of all the ICO fines handed out since 2010, 54% have actually been levied against public sector bodies. In the UK alone, local councils accounted for 30 fines, with the NHS and Police charting second and third.

Given these bodies are supposed to be amongst our most trusted organisations, the figures are of significant concern. Data breaches in the sector originated from a wide variety of sources, with one resulting from a bizarre incident where Northern Ireland’s Department of Justice auctioned off a filing cabinet containing personal information about victims of a terrorist attack. For the most part, these fines can be attributed to the massive surge in the number of successful cyber-attacks on the sector we’ve seen in recent years. In the last year alone the UK government was subjected to over 600 cyber-attacks, according to figures from the National Cyber Security Centre (NCSC). The most notable recent attack saw Redcar and Cleveland Borough Council resort to offline modes of management for more than a week, having been targeted by a cyber-attack last month.

With the public sector struggling to keep up with GDPR regulations on data privacy and the number of successful cyber-attacks increasing, what are the true costs of poor data security and governance in the public sector? Are the public sector’s cybersecurity measures struggling to keep organisations above the surface in an oncoming tide of threats?

Fines as the tip of the iceberg

GDPR-inflicted fines and the direct practical effects of a cyber-attack, such as having to resort to offline functions, are not the only after-effects organisations should anticipate encountering. A successful cyber-attack, like any infection, results in a plethora of symptoms that can affect a business in immeasurable ways, whether in the private or public sector.

The nature of GDPR draws most attention towards the financial implications of a data breach, when in fact the fine itself is merely the first wave of impact in such a scenario. Compensation must be paid to victims of the breach where appropriate, which can prove costly; some reports indicate that an individual can receive as much as £16,000 to cover the damage, and when thousands of accounts are compromised, those numbers quickly add up.

It’s also important to note the financial repercussions of investigating the incident. Investing in IT ‘auditors’ can be expensive and certain situations may even call for a third party to come in and clear up the mess left behind by the attackers.

Regaining the trust of both the public and stakeholders can also be tricky once a breach has been reported in the mainstream media. After all, if data is regularly being leaked and lost by law enforcement, citizens’ trust in governing bodies will erode and rightly so – the public cannot be expected to simply accept the loss. If rapidly evolving threats are left unchecked, and if data security and management are not critically recognised as a priority, massive GDPR fines will be the least of the public sector’s worries.

Staying afloat with cybersecurity

An improved cybersecurity posture is absolutely essential in the context of these threats, but it can be hard to figure out where to start. As a rule, any proactive cybersecurity strategy should always begin with regularly identifying and taking steps to protect an organisation’s most critical assets. Government entities, for example, hold and retain access to huge reams of personally identifiable information which requires stringent protection.

Locating and identifying critical assets is, unfortunately, not enough to defend against agile attackers who are learning to move faster by the day. Hackers will, like it or not, inevitably breach the first wall of defence in a system.

That’s where Privileged Access Management (PAM) comes in. This technology can proactively audit the access and administrative privileges associated with both human and machine user accounts and restrict access to key controls and data only to those who need it within an organisation. In the event of a network breach, this allows organisations to automatically identify and isolate infected areas of a network, ensuring access to vital information and assets elsewhere remains safe, secure, and uninterrupted. Compromised privileged credentials play a central role in almost every major targeted attack, so proactively managing them – and the privileges associated with them – is essential when it comes to protecting public sector systems against an oncoming tide of cyber-attackers.

Let’s look at this in the context of a typical attack. Say the target information is held deep within the network, an attacker will likely start by establishing a route into the network via an endpoint (end-user device) of the organisation that they are aiming to breach. After gaining initial access and establishing persistence, the attacker will look to escalate privileges associated with this user’s account to gain access to another system that brings them one step closer to their target. From there, the attacker can continue to move laterally until the target is reached, data is stolen, and operations are disrupted – or completely taken over. PAM helps prevent this eventuality by providing security on a user-by-user basis, where it’s needed most. In the face of an onslaught of cyber-attacks, public sector entities need to establish a proactive and sustainable cybersecurity programme more than ever.

With the right measures and protocols in place, the damage caused by successful cyber-attacks can be limited to the area immediately penetrated, and critical assets and functions can remain protected. By doing this, public sector organisations will stand the best chance of retaining their positions as the public’s most trusted institutions. Cyber-attacks might seem to be amassing into insurmountable waves that are impossible to deal with, but taking the right steps when approaching those waves increases an organisations’ chances of keeping their heads above water.