DIEGESIS

Protecting the Public Sector Against Cyberattacks

As the threat of cyberattacks continues to grow and the impacts become ever more devastating, Nick Denning, our CEO and veteran of multiple successful digital transformation projects, outlines the strategies which public sector organisations can take to protect against attack and mitigate the effects if cyber criminals do break through.

The Elephant in the Room?

Successful cyberattacks against Public Sector organisations occur regularly and in too many cases are caused by old and vulnerable technologies. Warnings from IT managers were not heeded and resources for necessary upgrades were not found. A recent ICO notification of a £6m fine resulted from a vendor not enforcing two-factor authentication (TFA). Public sector organisations should follow instructions consistent with commercial best practice. Managers in the public sector need to demand the resources to secure their organisations. Here we explore how best to make the case.

Cyber Security Risk: Where do you start?

Cannot measure? Cannot monitor!  Monitoring can establish the level of risk currently faced to justify an investment business case. Mitigation activity and contingency planning reduce the probability and impact of attack. Resulting changes to threats are then read by monitoring tools.

Existing plans for capacity management, business continuity, disaster recovery and data integration typically have defined strategies, policies and procedures – but they may need review.

Time spent on reconnaissance is seldom wasted. When developing your cyber security defences and responses it is good to begin by taking an inventory of your hardware, software and information assets. Process-driven organisations are likely to have defined workflows. Exercise incident management plans by simulating a range of scenarios and recovery strategies to flag up weaknesses and lack of defence in depth.

It is important that your plans are a cost-effective and realistic response to the level of threat. You can build a knowledge base of products and costs and when to use each one. Identifying best practice, particularly in collaboration with similar organisations, and understanding how other organisations protect themselves should help you avoid excessive and unaffordable costs. It is still about people. You should engage them to practise recovery scenarios and incident response, to ensure that any investments deliver the protection required.

When you have enough information, then perform a cyber security risk assessment exercise and run vulnerability assessment tools early to establish vulnerabilities and urgent actions.

Cyber Security: Where to find advice and guidance

Luckily there are many useful bodies and websites where public sector organisations can obtain practical advice and guidance when it comes to cyber security, including:

The UK’s National Cyber Security Centre (NCSC), which has developed Cyber Essentials (CE) policy guidance to help all organisations protect themselves against common cyberattacks. Cyber Essentials aims to provide a structured framework and a continuous process that implements the minimum standards to deflect most cyberattacks.

IASME (Information Assurance for SMEs) is a cyber security certification company which works with a network of more than 900 cyber security experts to help organisations improve and demonstrate their cyber security. IASME is aligned to the UK Government’s 10 Steps to Cyber Security and embraces CE, adding further controls around people and processes to deliver a more robust cyber posture. It also covers General Data Protection Regulation (GDPR) requirements. It is aligned to the much more complex and rigorous ISO27001, but is a good place to start.

The Information Commissioner’s Office (ICO) has valuable advice around data protection and details of when data breaches, which may be the result of cyber attacks, must be reported to the relevant authorities. This information is especially important as the laws across the EU around the resilience of supply chains rapidly evolve over the next few months through the introduction of NIS2 and DORA regulations country by country.

The Government Digital Service (GDS), part of the Department for Science, Innovation and Technology, was established to “make digital government simpler, clearer and faster for everyone”. GDS aims to design and protect the user experience of digital government for all. GOV.UK Verify provides government organisations and services a way to prove citizens are who they say they are, a vital element of cyber security.

Cyber Security: Understand the type and size of the problem

Once you have assembled your knowledge bank it is important to use the relevant information to understand the actual size of your organisation’s cyber security challenge. Take all the potential issues talked about in the internal and external knowledge sources described above and identify whether these apply within your organisation and to what extent.

For example, a certain piece of legislation may require immediate compliance such as protection of the personal data of citizens, service users or employees. Recent data protection issues such as at the Police Service of Northern Ireland, where employees’ safety was compromised, and NHS Dumfries and Galloway, where ransomware criminals stole and dumped around three terabytes of data on the dark web, act as warnings to organisations handling large amounts of sensitive data.

Alternatively, your organisation’s biggest area of vulnerability might come from your supply chain. Many services have been outsourced over the years and there are several recent examples where a cyber security issue at a supplier has led to bigger problems for their customers. For example, in 2023 the Met Police had data exposed when cyber criminals breached the IT systems of a contractor in charge of producing warrant cards and staff passes.

Cyber Security Strategy: Think Big, Act Fast, Do Small

As you build your cyber security strategy it is important to think about the organisation as a whole but then rapidly move to break it down into organisational components. Identify where the worst-case scenarios lie, and focus to see if you can safeguard those areas first. Next look at how you can put in a framework that enables you to monitor the situation you are actually in, on an ongoing basis. 

Measure, manage and monitor. You may discover that your situation is not as bad as you thought. Throwing money at a problem may not deliver the outcome. Consider investing wisely to protect the areas of most vulnerability and/or those where attacks would have the biggest impact. If budgets are tight, don’t just give up but start small and get funds signed off incrementally so there is always forward momentum.

Cyber Security Threat Solutions: Know when to bring in outside help

Understanding both the internal workings of your organisation AND changing cyber security threat solutions requires a very special skill set and experience. It may be prudent to call on knowledge from external sources to augment or speed up your internal capabilities.

External resources experienced in planning secure infrastructures, practising incidents and recovering from real ones can be useful in explaining the big picture and justifying a cost-effective way forward. They may also provide your organisation with a fresh perspective on threats and have the ability to clarify and communicate the key problems. An external person often brings with them the authority to speak out and tell uncomfortable truths which an employee worried about their long-term career path may shy away from. You may also need help to manage the projects which result from a review of your cyber security strategy.

Diegesis has expertise from numerous digital transformation projects looking at how legacy systems function and how they can be evolved to embrace new technologies. We understand the principles of “secure by design”, how systems work together and where the vulnerabilities may be. Our sister company, Policy Monitor, offers solutions which will ensure people in your organisation remain aware of cyber threats and what to do about them.