You know you’re facing an area of grave concern when experts at the World Economic Forum signpost ‘cyber attack’ as one of the Top Three most probable global risks of 2018. The threat of such an attack has been put up there with extreme weather events and natural disasters as one of the events most likely to cause problems on a worldwide scale this year, observes Paul McEvatt.
For the public sector, the threat is even more acute. Cyber security has stormed its way on to the political agenda recently, as allegations of election tampering, breaches of Government agencies and departments and industrial sabotage have dominated the headlines. Malignant actors have targeted Government and political organisations with forms of sabotage since Government has existed, of course, but the difference is that hacking into a Government body by digital means can be done remotely by an unidentified actor and can happen remarkably quickly.
Government bodies often hold a variety of sensitive information – whether that’s medical data, criminal records or confidential civil service plans – that can be used by others for financial or other forms of gain. For a malignant hacker, the possibilities here are endless and mouth-watering.
The UK’s public sector is fast embracing digital technology. When conducting our own research, we found that 76.7% of public sector organisations said that they were undergoing digital transformation – the highest percentage of any sector we surveyed. This is largely a positive thing, with a view towards making sure Government works more efficiently and delivers better services.
However, the adoption of digital can sometimes create more angles of attack for hackers. In fact, almost half of all civil servants say that cyber security is the biggest operational challenge facing their organisation.
How, then, can Government organisations embrace digital transformation while ensuring that their systems – and, critically, citizens’ data – are kept safe?
Going back to fundamentals
With the public sector fast adopting new ways of doing things in the sphere of IT, it’s important to maintain some of the fundamentals of security. In 2017, the headline-grabbing Petya and WannaCry ransomware outbreaks propagated by exploiting a software vulnerability that was known months before the attacks. What could have prevented the vulnerability from being exploited? Patching.
It’s easy to repeat the mantra “Thou shalt patch whenever necessary” from afar, but business reality dictates that this is sometimes not the right move depending on the context. For example, you might choose not to patch a critical vulnerability in a financial system if it’s the day before the end of the financial year for fear of breaking the system.
One of the ways for public sector organisations to mitigate risk is through Cyber Threat Intelligence (CTI). It can function as an early warning mechanism, guiding security professionals on which vulnerabilities are most open to exploitation and should therefore be a patching priority.
CTI is often simply referred to as a threat feed. However, faced with the kind of ‘savvy’ and aggressive attackers that have the audacity to go after public sector organisations, the system shouldn’t just express the severity of the vulnerability as a technical risk. Given the vital work that public sector organisations transact, it should also communicate this risk in financial, business and, indeed, human terms.
At its core, effective CTI provides strategic direction that cuts through the complexity of patch management, subsequently indicating where attention is most needed. For example, a threat advisory that addresses a vulnerability early on can protect an organisation months before hackers begin developing a ransomware variant to take advantage of that vulnerability.
Automating the guard dogs
The public sector is increasingly embracing the power of data. Collecting and analysing large volumes of data about how we live, how our businesses operate and even how the public sector itself runs can be beneficial on several levels. However, with data increasingly shared across departments and regional authorities, this growth in data volumes is also providing more angles of attack for hackers.
Those charged with protecting Government, therefore, face a double quandary – more territory to guard and a more sophisticated foe to defend against. Monitoring these security perimeters is too large a task for traditional technologies that use a manual approach.
Fortunately, there’s an array of automated monitoring services now available, as well as advanced analytics tools. Public sector security professionals can combine these tools with their own capacities for creative and lateral thinking to develop an advanced security monitoring ecosystem.
With Artificial Intelligence (AI) coming into its own, this blended approach will offer a path forward for security monitoring. As AI technologies such as machine learning enable teams to automate the more prosaic elements of security monitoring, this will free up valuable time for analysts to apply their brainpower to the most high-value problems. Moreover, these technologies can augment humans’ analytical capabilities, providing them with a superior overview of the threat landscape as incidents can be automatically enriched.
It’s becoming increasingly apparent to all organisations that a cyber attack occurring is simply a matter of time. This sense of inevitability has renewed attention on how to respond to that eventuality, rather than simply focusing on prevention. Damage limitation is especially vital for public sector organisations, which can rapidly come under political pressure and heavy media scrutiny in the event of a breach. The latter is especially relevant in a post-General Data Protection Regulation world wherein a notifiable breach has to be reported to the Information Commissioner’s Office within 72 hours.
The first step towards developing a rapid response approach to addressing threats is quantifying the speed with which you currently do so. Mean Time To Respond (MTTR) is a key metric for this. Alarmingly, a FireEye study looking at EMEIA organisations found that the average Mean Time To Dwell (MTTD) – ie the time between compromise and detection – was 489 days. This is plenty of time for malignant actors to do significant damage, and shows the importance of optimising for this metric.
Taking the battle to the front lines
Public sector cyber security must be about more than just throwing technology at the problem. The Number One way of compromising an organisation’s security, even today, is still a phishing e-mail with a malware exploit sent directly to an employee. Cyber attackers have a keen understanding of human error and the kind of mistakes ordinary people can make when confronted with an official-looking e-mail.
According to our own recent research, only 51% of public sector organisations are confident that their employees have the right skills to take advantage of new technology. It’s reasonable to assume that these same people will also not have the correct knowledge to ensure that they’re using these new technologies in a secure way.
In fact, upskilling users is one of the most cost-effective ways of reducing the probability of a human error that leads to a cyber attack. For budget-conscious public sector organisations, it’s a good way to bolster the first line of defence. The one-off generic quarter-day on IT isn’t enough – training needs to be adapted to how employees are using their technology and the kind of tools they employ on a regular basis, as well as their seniority.
Confident public sector
The public sector touches almost every facet of life in the UK, from business to education and on to health. It has an admirable ambition to use digital technology to transform how Government functions in this country: a goal which would deliver all kinds of gains to citizens and civil servants alike. It’s vital public sector organisations know that they can embrace the future safely without exposing themselves to malignant actors in cyber space.
A two-pronged approach can help them tackle the risk. By ensuring that their employees understand the risks and use digital tools in a secure way, public sector organisations can make certain that they have a strong first line of defence. By investing in the latest and best of security technology and controls, whether that’s CTI, machine learning-fuelled monitoring or implementing MTTR as a key metric, they can put themselves on the front foot, proactively identifying and managing threats instead of waiting for breaches to happen.
Paul McEvatt is Senior Manager (EMEIA) for Threat and Strategy at Fujitsu