In the last 10 years, cybersecurity budgets have increased by 141 per cent, and it’s anticipated that over $124 billion will be spent on information security products and services in 2019. This number is predicted to increase to $133.7 billion in 2022. So, while many private organisations can throw lots of money at the problem, public sector organisations are facing the tough challenge of needing to mitigate cyberthreats, but with shrinking budgets.
Alongside budget challenges, public sector organisations are also working to meet the new standards released last year by the National Cyber Security Centre. The Minimum Cyber Security Standard defines the minimum security measures organisations and agencies must implement with regard to protecting information, technology, and digital services. These include:
- Identifying and cataloguing sensitive information and key operational services
- Putting cybersecurity governance processes in place
- Protecting information and services from unauthorised, unauthenticated users or systems, and exploitation of known vulnerabilities
- Detecting common cyberattacks
- Creating defined, planned, and tested responses to cybersecurity incidents
- Ensuring continuity of key operational services through well-defined and tested processes in the event of a failure or compromise
This is the first technical standard issued and is designed to continually “raise the bar” and address new threats or classes of vulnerabilities that can cause chaos for organisations and constituents alike.
While this is an overall benchmark for organisations, each individual IT team is empowered with the flexibility to implement the standards in the best way for their organisation. They can define essential or sensitive information (as long as it follows the HMG Government Security Classification Policy), decide how best to protect it, and put plans in place to recover should an attack happen, by prioritising what services need to come back online.
Awareness is the first step
In a recent SolarWinds FOI request, 98 per cent of respondents from central government and NHS organisations noted they’re aware of the Minimum Cyber Security Standard, which is positive. However, this awareness does not appear to have produced the dip in cyberattacks one might expect. While the overall percentage of public sector respondents who experienced a cyberattack in 2018, compared to 2017, decreased (38 per cent experienced no cyberattacks in 2018, while 30 per cent experienced none in 2017), more organisations experienced over 1,000 cyberattacks: 18 per cent in 2018 compared to 14 per cent in 2017. There is also a risk that the Standard will only be seen as a collection of checkboxes to tick, without thinking further ahead or customising it to the organisation’s needs.
Despite the encouraging overall figures, the picture looked very different in NHS organisations and central government agencies. Almost three-quarters (74 per cent) of NHS organisations experienced fewer than 50 cyberattacks in 2018, slightly less than in 2017 (75 per cent). On the other hand, over 80 per cent of central government organisations reported almost the exact opposite, indicating they experienced in excess of 1,000 attacks in 2018, up from 67 per cent in 2017. This suggests that although the most talked about cyberattack in recent memory, WannaCry, cost the NHS £92m and caused 19,000 appointments to be cancelled, central government agencies find themselves under more frequent attack than the NHS.
Defend by going on the offence
Based on the awareness of the applicable standards, it’s obvious government organisations and agencies are working hard to combat cybersecurity threats, although there is a wide range of constantly evolving attack variants. Among respondents who shared the types of attacks their organisation had experienced, the most common were phishing (95 per cent), malware (86 per cent), and, with a large step down to third place, ransomware (54 per cent). Malicious targeted attacks, either from an insider or from a foreign government, were the least common types of attack experienced, with just 3 per cent of respondents affected. Of course, these figures only capture the threats that were successfully identified.
This pattern of attacks experienced by public sector organisations echoes consumer trends and tabloid headlines that seem riddled with tales of cyberattacks. However, in response to this, public sector organisations are putting the right defences in place, with firewalls (98 per cent), antivirus software (98 per cent), and malware protection (96 per cent) topping the list.
Missing pieces of a great defence
The tools with the highest adoption are preventative measures; they’re the walls around the organisation that stop threats getting in, or at least limit the impact. But relying solely on these can mean issues are flagged only after it’s too late. The survey revealed that monitoring tools such as log management and network traffic analysis are used by less than 75 per cent of public sector organisations. While not always top of the must-have list, these types of tools can monitor for unexpected activity that could be an early warning sign of a cybersecurity weakness.
All of these tools, of course, depend on having the budget to purchase and maintain them. In the public sector specifically, most respondents indicated that their organisations allocated between £100,001 – £500,000 for their cybersecurity budget. Although this may seem like a large portion of IT spend, the FOI survey also revealed budget constraints to be the second-biggest roadblock to maintaining and improving cybersecurity.
Breaking this down further, budget concerns seem more of an issue for healthcare organisations than for central government agencies, as 68 per cent of NHS trusts and Clinical Commissioning Groups (CCGs) reported budget constraints as an issue, compared to 50 per cent of central government respondents.
Overall, the limiting factors for cybersecurity maintenance and improvement were centred around resources and competing priorities. Rounding out the top four challenges experienced are competing priorities (71 per cent), lack of manpower (59 per cent), and complexity of internal environments (48 per cent). Beyond tools, while many organisations seem to have invested in education around cybersecurity, 9 per cent had still not invested in employee training for the whole organisation, and 15 per cent had not invested in additional training for the IT team.
While it’s clear from the establishment of the Minimum Cyber Security Standard that the regulatory bodies are taking the matter seriously, the task now is for this way of thinking to trickle down to each individual organisation or agency, and for them to implement the tools needed to meet it.
Sascha Giese, Head Geek, SolarWinds