In 2020, organisations across the U.K. public sector should reprioritise their security best practices to help ensure they demonstrate healthy cyberhygiene. For the public sector specifically, it’s important for IT teams to utilise up-to-date cybersecurity knowledge to help prevent, as well as prepare for, the security threats they’ll inevitably face in the current hostile landscape.
To implement this, many public sector organisations will need to prioritise cybersecurity training for everyone, from entry level employees right through to senior leadership—and across every department, not just IT teams. Going back to basics in terms of fostering ongoing cybersecurity awareness is one of the simplest yet most effective ways to help keep an organisation secure. The cyberthreat landscape is ever-changing; therefore, it's vital to ensure employees are continuously aware and informed of their organisation’s latest security postures.
Public sector cybersecurity: the state of affairs
Like every other sector of the connected economy, the public sector is a perennial target for cybercriminals. According to Freedom of Information research published earlier this year, nearly a fifth (18 per cent) of respondents from U.K. public sector organisations reported over 1,000 cyberattacks in 2018 (up from 14 per cent the year before), with over 95 per cent of respondents using firewalls, antivirus, and malware protection.
At the other end of the spectrum, the research also revealed that over a third (38 per cent) of respondents claimed to have experienced no cyberattacks in 2018, compared to 30 per cent who said the same for 2017.
Among respondents who shared the types of attacks their organisation had experienced, the most common were phishing (95 per cent) and malware (86 per cent), and in third place by a significant margin, ransomware (54 per cent). Malicious, targeted attacks either from an insider or a foreign government were the least common type of attack experienced, with just 3 per cent of respondents affected.
This may explain why the most common defences in place were firewalls (98 per cent), antivirus software (98 per cent), and malware protection (96 per cent). However, other critical parts of cybersecurity infrastructure were less pervasive. Under three-quarters of respondents used log management (73 per cent) or network traffic analysis (74 per cent)—both tools which can be useful for monitoring unexpected activity that could be a sign of a cybersecurity weakness.
Everyone is responsible for cybersecurity
Effective cybersecurity is about much more than technology tools. The U.K. public sector has in excess of five million members of staff—as such a large employer, it is much more exposed to the security vulnerabilities caused by security mistakes, inadequate training, and criminal activity from within.
Despite the understandable focus placed on criminal cyberattacks targeting organisations from the outside, employees remain the largest security risk in any organisation. A primary group is careless users—those who accidentally reveal information that helps others carry out attacks, much of which is due to a lack of awareness about how to minimise risk.
The problem is further exacerbated by today’s bring-your-own-device (BYOD) culture, when employees can easily access and share sensitive information from a range of secured and unsecured devices. To prevent insider breaches—especially accidental ones—internal users must be vigilant. And to be vigilant, they need to know how to behave.
A second group is malicious users who set out to cause harm to the organisation; their motives can vary from those with a grievance against their employer to those driven by financial or ideological reasons. Proactively counteracting this type of insider threat is very challenging, as it’s next to impossible to prepare for every eventuality. The situation is made even worse when it involves more senior people with access to sensitive information—the more access to info, the higher the risk.
External resources, such as public sector advisors, represent a third source of potential vulnerability. Even though these people may have limited access to internal resources, they are less controllable than internal employees.
Getting the basics right
Whatever the nature of the threat, organisations that consciously establish an effective foundation of knowledge among their employees are far less likely to become the victim of a cybersecurity breach. If the focus on cybersecurity basics has not been as sharp as it could potentially be, here are some key areas where absolutely everyone should be proficient:
- Password policies: This may seem obvious, but many people still don’t act on the importance of password strength. Users should be reminded never to write passwords down or store them in plain text. Additionally, they should use two-factor authentication (2FA) wherever possible and avoid reusing passwords across services. When covering passwords and authentication, part of the job involves persuading users why the inconvenience of 2FA or complex passwords matters. They’re small prices to pay for protecting the organisation (and its employees) from data breaches.
- Phishing and social engineering: Users need to learn how to recognise phishing scams and exercise caution around emails or websites that seem suspicious. For example, users should always double-check email domains before clicking on links, to make sure the message really came from a legitimate source. Bad grammar or misspellings are other indicators of risk, and people should always be immediately suspicious if someone asks for their user credentials.
- Device policies: Users should be clear about how to use, secure, and store devices. For example, employees shouldn’t leave their machines unlocked when they leave their desks. Mobile devices should also support remote wipe functions.
- Physical security: Employees should always prevent unknown people from entering the building. In fact, even if they know the person, they should make sure they have their badges (to avoid a disgruntled employee starting a malicious insider attack, for example). Devices shouldn’t be left unattended in unsafe areas (like leaving laptops on the ground while in the airport or sitting in open view in the car). Additionally, sensitive data should never be on display out in the open, such as leaving printed forms sitting on a desk.
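As an added illustration (not from the original article) of the link check the phishing bullet recommends: given an HTML message body and the sender's domain, the code below flags links whose visible text shows one domain while the href points somewhere else, and links that leave the sender's domain altogether. The sample body and the council.example domain are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Visible link text that looks like a URL or bare domain, e.g. "council.example/reset".
_DOMAINISH = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?$", re.I)

def host_of(text):
    """Lower-case hostname of a URL or bare domain; None for mailto:, tel:, '#top'."""
    text = text.strip()
    if not re.match(r"^[a-z][a-z0-9+.-]*:", text, re.I):
        text = "http://" + text            # bare "council.example/x" -> parseable URL
    host = urlparse(text).hostname
    return host.lower() if host else None

class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from every <a> tag in the body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def check_links(html, sender_domain):
    """Return (href, reason) for each link a user should look at twice."""
    parser = _LinkCollector()
    parser.feed(html)
    sender_domain, findings = sender_domain.lower(), []
    for href, text in parser.links:
        host = host_of(href)
        if host is None:                   # mailto:, tel:, fragments: nothing to check
            continue
        shown = host_of(text) if _DOMAINISH.match(text) else None
        if shown and shown != host:        # text says one place, link goes elsewhere
            findings.append((href, f"text shows {shown} but link goes to {host}"))
        elif host != sender_domain and not host.endswith("." + sender_domain):
            findings.append((href, f"link leaves the sender's domain ({host})"))
    return findings

# Constructed sample body; council.example stands in for the sender's real domain.
SAMPLE_HTML = ('<a href="https://intranet.council.example/policy">read the policy</a> '
 '<a href="http://login.example-council.test/reset">https://council.example/reset</a> '
 '<a href="https://survey.example.org/q1">Take the staff survey</a> '
 '<a href="mailto:helpdesk@council.example">helpdesk@council.example</a>')
```

Running `check_links(SAMPLE_HTML, "council.example")` reports the mismatched reset link and the external survey link, and passes the intranet and mailto links.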
Getting those basics right remains beyond the capabilities of many organisations, public sector included. But, by refocusing on the importance of cybersecurity training, it’s possible to significantly reduce the opportunities given to cybercriminals—and present a stronger security perimeter across the entire organisation.
Sascha Giese, Head Geek, SolarWinds