Recent reports have unveiled the true cost of poor data governance and management by organisations in Europe in the post-GDPR era. As of March 2020, fines for non-compliance have reportedly amounted to over £430 million since its introduction. Fines run this high because a breach of the legislation can attract a penalty from the regulatory commissions of up to £17 million, or a whopping 4 per cent of total annual worldwide turnover (whichever is higher). Despite two years having passed since it came into effect, European organisations continue to be caught out for poor data governance, storage, and security.
Media attention has focused predominantly on penalties incurred by international conglomerates such as Google, which received a £44 million fine in January 2019, and Marriott, which was served with a £99.2 million fine for a breach that occurred back in 2018. Sometimes overlooked, though, is that public sector bodies have long been the target of attention for cybercriminals around the world, even prior to the advent of GDPR. Of all the ICO fines handed out since 2010, 54 per cent have actually been levied against organisations from the sector. In the UK alone, local councils accounted for 30 fines, with the NHS and Police charting second and third.
These numbers should cause significant concern to both the public and the organisations themselves, primarily because public sector organisations are supposed to be more trustworthy, reliable, and accountable than their private counterparts. Data breaches in the sector have originated from a wide variety of sources, including one extraordinary incident in which Northern Ireland’s Department of Justice auctioned off a filing cabinet containing personal information about victims of a terrorist attack. These fines go hand-in-hand with a significant rise in the number of cyberattacks over the last year. In 2019 alone the UK government was subjected to over 600 cyberattacks, according to figures from the National Cyber Security Centre (NCSC). The most notable recent attack saw Redcar and Cleveland Borough Council resort to offline modes of management for over a week, having been targeted by a cyberattack last month.
With cyberattacks on the up and public sector bodies struggling to prevent the loss of data, what are the real costs of poor data security and management on the public sector? Are cracks beginning to form in its security infrastructure?
Small cracks with big consequences
A crack in cybersecurity infrastructure almost always leads to something far more concerning than data leakage. The fallout from a successful cyberattack extends far beyond resorting to offline functions and paying a fine. Left unaddressed, a lack of security practices can impact an organisation in myriad ways, regardless of which sector it operates in.
Financial repercussions are the principal cause of concern for most businesses, and they are not limited to the high GDPR fine itself. Compensation must be paid to victims of the breach where appropriate, which can prove costly; some reports indicate that an individual can receive as much as £16,000 to cover the damage, and when thousands of accounts are compromised, those numbers quickly add up.
The investigation of incidents brings its own financial repercussions. In a data breach scenario, an organisation might contract IT ‘auditors’ to take care of the situation, much as a construction firm might bring in auditors to assess and log an accident that occurs on site. A third-party IT team may even need to come onto the premises and deal with the aftermath of the cyberattack, which is expensive.
Regaining the trust of both the public and stakeholders can also be tricky once a breach has been reported in the mainstream media. If data is regularly being leaked and lost by, for instance, law enforcement, citizens’ trust in this public body will erode and rightly so – the public cannot be expected to simply accept the loss. If rapidly evolving threats are left unchecked, and if data security and management are not critically recognised as a priority, massive GDPR fines will be the least of the public sector’s worries.
Assessing your cybersecurity situation
When facing a plethora of advanced threats, it can often prove daunting to choose the best approach to shoring up critical systems. As a rule of thumb, proactive cybersecurity strategy should always look to identify, and then protect, the organisation’s most critical assets. Public sector bodies, for example, hold access to reams of personally identifiable information, requiring stringent protection.
The conversation shouldn’t end there. Attackers always move faster than defences, and inevitably hackers will find ways to circumvent defences and infiltrate company systems to access valuable data.
That’s where Privileged Access Management (PAM) comes in. This technology can proactively audit the access and administrative privileges associated with both human and machine user accounts and restrict access to key controls and data only to those who need it within an organisation. In the event of a network breach, this allows organisations to automatically identify and isolate infected areas of a network, ensuring access to vital information and assets elsewhere remains safe, secure, and uninterrupted. Compromised privileged credentials play a central role in almost every major targeted attack, so proactively managing them - and the privileges associated with them - is essential when it comes to protecting public sector systems against the oncoming tide of cyberattackers.
Let’s look at this in the context of a typical attack. Say the target information is held deep within the network. An attacker will likely start by establishing a route into the network via an endpoint (end user device) of the organisation they are aiming to breach. After gaining initial access and establishing persistence, the attacker will look to escalate the privileges associated with this user’s account to gain access to another system that brings them one step closer to their target. From there, the attacker can continue to move laterally until the target is reached, data is stolen, and operations are disrupted – or completely taken over. PAM helps prevent this eventuality by providing security on a user-by-user basis, where it’s needed most. In the face of an onslaught of cyberattacks, public sector entities need to establish a proactive, sustainable cybersecurity programme more than ever.
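The privilege audit that the two preceding paragraphs describe, as an added example that is not CyberArk's code or any PAM product's API: a small script that checks a constructed inventory of human and machine accounts against a constructed least-privilege policy and flags the standing privileges an attacker would abuse during escalation and lateral movement. The account records, role names and 90-day staleness threshold are all assumptions made for the illustration.

```python
from datetime import date

# Constructed sample inventory: privileges each account holds, the role meant to
# justify them, when the account was last used, and whether it can log on interactively.
ACCOUNTS = [
    {"name": "alice", "kind": "human", "role": "infrastructure_admin",
     "privileges": {"domain_admin", "local_admin"}, "last_used": date(2020, 3, 10), "interactive": True},
    {"name": "bob", "kind": "human", "role": "caseworker",
     "privileges": {"local_admin"}, "last_used": date(2020, 3, 12), "interactive": True},
    {"name": "carol", "kind": "human", "role": "dba",
     "privileges": {"db_admin"}, "last_used": date(2019, 10, 1), "interactive": True},
    {"name": "svc_backup", "kind": "service", "role": "backup_service",
     "privileges": {"backup_operator"}, "last_used": date(2020, 3, 14), "interactive": True},
    {"name": "dave", "kind": "human", "role": "caseworker",
     "privileges": set(), "last_used": date(2018, 1, 1), "interactive": True},
]

# Constructed least-privilege policy: the roles allowed to hold each privilege.
APPROVED_ROLES = {
    "domain_admin": {"infrastructure_admin"},
    "local_admin": {"infrastructure_admin", "helpdesk"},
    "db_admin": {"dba"},
    "backup_operator": {"backup_service"},
}


def audit_privileges(accounts, approved_roles, today, stale_days=90):
    """Return (account, finding, detail) tuples for privilege assignments that break policy."""
    findings = []
    for acct in accounts:
        for priv in sorted(acct["privileges"]):
            # A privilege the account's role does not justify is a candidate for removal.
            if acct["role"] not in approved_roles.get(priv, set()):
                findings.append((acct["name"], "unapproved_privilege", priv))
        if acct["privileges"] and (today - acct["last_used"]).days > stale_days:
            # Standing privilege nobody uses is pure attack surface; unprivileged dormant accounts are skipped here.
            findings.append((acct["name"], "stale_privileged_account", str(acct["last_used"])))
        if acct["kind"] == "service" and acct["interactive"]:
            # Machine credentials should not be usable for interactive logon by a person.
            findings.append((acct["name"], "service_account_interactive_logon", ""))
    return findings


def run_sample_audit(today=date(2020, 3, 16)):
    """Run the audit over the constructed inventory for a fixed reference date."""
    return audit_privileges(ACCOUNTS, APPROVED_ROLES, today)


if __name__ == "__main__":
    for name, finding, detail in run_sample_audit():
        print(f"{name}: {finding} {detail}".rstrip())
```

Each finding maps to one of the controls named above: removing the unapproved local admin right closes off an escalation step, retiring the stale DBA privilege removes a dormant credential, and barring interactive logon for the service account limits lateral movement with machine credentials.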
Ultimately, the use of PAM can ease the pressure on public sector bodies and ensure critical data remains in the right hands. In moments of public need, such as the present climate, robust cybersecurity is essential to help bodies retain trust, credibility and reliability, even as attackers continue to enhance their capabilities.
John Hurst, Public Sector Sales Director, CyberArk