Features: March 9th, 2012

Public sector organisations are holding increasing amounts of sensitive data. At the same time, the sector is increasingly being targeted by cyber criminals. Chris Hardy looks at what can be done to counter the growing cyber threat.

In January of this year PWC launched a report looking at global economic crime, the findings of which may have made difficult reading for the UK’s public sector. For its Global Economic Crime Survey, respondents from public sector organisations in 36 countries were surveyed, and they painted a picture of rising economic crime across all sectors. Perhaps most worrying was the increase in cybercrime indicated by the report, with 14 per cent of respondents claiming that they had suffered some sort of cyber attack over the past 12 months. A further 40 per cent indicated that they believed cybercrime is on the increase, with 28 per cent stating that they thought it likely they would suffer an attack within the next year.

On the one hand we have a sector that is increasingly finding itself a target of global cyber criminals. On the other, we have a trend towards more and more sensitive data being handed over to public sector organisations. The Government is continuing to invest in shared services as a major platform in its plans to drive efficiencies in public spending, while initiatives such as the Universal Credit scheme are being set up to encourage citizens to interact with local Government via online channels (all a part of the Government’s ‘digital by default’ strategy). The net result is that more data is being stored by the public sector, making it more attractive for enterprising cyber criminals to try to breach its systems.

Need for improved security

So how are government bodies protecting vital public information against the increasing threats posed to it? According to the PWC report, the results are mixed. While over half of the respondents claimed to have the resources necessary to detect cyber crime, many claimed not to have the ability to fully investigate such threats. The simple fact of the matter is that, if the public sector is to realise the full benefits of moving more data online, it is going to have to improve its current security posture. Each and every data breach leads to a loss of credibility for e-government, and for such services to work the public must have absolute faith in the ability of central and local Government to protect their information.

The UK Government is fully aware of this requirement. It has earmarked a four-year budget of £650m for cyber-security, while its UK Cyber Security Strategy and work with the International Cyber Security Protection Alliance (ICSPA) have helped to demonstrate just how seriously the UK government is taking the issue. It is still uncertain how effective these efforts are, however. In our recent cyber security report, Cyber-security: The Vexed Question of Global Rules (produced in partnership with the Security and Defence Agenda), the participants interviewed considered the UK to be lagging behind some countries, such as Israel, Sweden and Finland, in developing the appropriate defences for cyber security. Taking a more strategic approach to tackling cybercrime and viewing government systems in a holistic manner would go a long way to bolstering defences and improving the UK’s world standing.

Sharing intelligence

The first step is to enable all security systems under the public sector’s remit to share intelligence seamlessly and in as close to real-time as possible. The use of shared services is significantly increasing thanks to new technologies such as cloud computing, and as a result the cyber world has become increasingly integrated. From a public services perspective, and specifically considering the UK’s ‘digital by default’ strategy, that means it is now more important than ever for citizens to have confidence in these systems. Wherever they are located, systems must be safe as well as functional, as it is likely that the information they hold is sensitive and confidential.

The information flows between the Government and local authorities, between local authorities and public services, and between public sector bodies and private sector partners mean that there is a potential network of organisations that can work effectively together to share information on threats as they emerge. The combined approach to intelligence would doubtless lead to a much more robust set of defences for all concerned. Put simply, by allowing security systems to share intelligence, any potential attacks can be identified more quickly and knowledge can be shared across multiple systems to build further resilience.

Getting people to think security

Then there is the human element of the security equation. Clearly it is important to ensure your security infrastructure has all the necessary elements in place to protect against threats, but effective detection and investigation of security breaches relies heavily on the analysts within an organisation. One way to improve security is to use financial incentives to encourage teams to get good results. In the UK especially, there is real pressure on project leaders to deliver on time and within budget, and providing budget for doing things right can be a good way to ensure no corners are cut. In addition, it may be worth considering measures such as the cyber security legislation currently in draft in the US, which will formalise the steps companies must take to protect themselves.

Stepping up training

Another way to optimise the human element of a defence strategy is to ensure that there is sufficient training in place. Recent reports such as Shady RAT and NightDragon demonstrate that hackers aim to exploit social vulnerabilities, so effective cyber-security depends on the behaviour of public sector workers as well as the general public. Because of this, education is absolutely vital to ensuring that technology users fully understand how to behave responsibly online. If nothing else, recent advances in technology have permanently changed the younger generation’s concept of privacy, something that many policy makers are yet to fully comprehend.

To address this issue, education should begin at schools and be fully integrated into the school curriculum. Once students graduate, the training should be continued by the public sector organisations and private sector enterprises they join. We are, after all, in a new digital era and with government services increasingly moving online, it is more critical than ever that the right processes are put in place to ensure public sector security long term.

Putting security at the heart of the ICT strategy

The digitisation of public services as well as the sharing of resources across Government bodies and public sector agencies will bring a range of benefits that cannot be overstated. As well as delivering impressive cost savings at a time when such savings are vitally important, the ‘digital by default’ strategy will empower citizens to consume public services and engage with the Government more efficiently and in a manner that suits them. If applied correctly, it could lead to huge time savings for public sector workers and citizens alike and help make the UK’s public services truly fit for purpose.

For this to happen, however, security must be placed at the heart of the Government’s ICT strategy. This will ensure that the Government builds public confidence in its digital services, which will, in turn, encourage uptake and help drive down costs. The Government will thereby be able to reallocate the money that is currently spent on physical locations and systems to make their digital equivalents more feature rich and compelling than ever.

Chris Hardy is regional director, UK public sector at McAfee.