The public sector needs a fresh lick of cybersecurity paint, writes John Hurst, Public Sector Sales Director, at CyberArk.
Almost two years after its initial introduction, GDPR is still on the tips of everyone’s tongues. European organisations continue to be caught out by poor data governance, storage, and security, and pay a high price for such indiscretions. Regulators have the power to impose a maximum value of over £17million, or a whopping 4pc of total annual worldwide turnover, whichever is higher, meaning a single breach of data can cause serious financial damage. As testament to this damage, recent reports have estimated that to the end of 2019, GDPR fines across Europe have amounted to over £315m.
The media’s attention has largely focused on penalties incurred by private organisations such as Google, which received a £44m fine in January 2019, and Marriott, which was handed a £99.2m fine for a breach dating back to 2018. But public sector organisations have long been a prolific hunting round for hackers. Curiously enough, of all the ICO fines handed out since 2010, 54 percent have actually been levied against public sector bodies. In the UK alone, local councils accounted for 30 fines, with the NHS and Police charting second and third.
Given these bodies are supposed to be amongst our most trusted organisations, the figures are of significant concern. Data breaches in the sector originated from a wide variety of sources, with one resulting from a bizarre incident where Northern Ireland’s Department of Justice auctioned off a filing cabinet containing personal information about victims of a terrorist attack. For the most part, these fines can be attributed to the massive surge in the number of successful cyber-attacks on the sector we’ve seen in recent years. In the last year alone the UK government was subjected to over 600 cyber-attacks, according to figures from the National Cyber Security Centre (NCSC). The most notable recent attack saw Redcar and Cleveland Borough Council resort to offline modes of management for more than a week, having been targeted by a cyber-attack last month.
With the public sector struggling to keep up with GDPR regulations on data privacy and the number of successful cyber-attacks increasing, what are the true costs of poor data security and governance in the public sector? Is the paint beginning to peel on the sector’s current cybersecurity procedures?
GDPR-inflicted fines and the direct practical effects of a cyber-attack, such as having to resort to offline functions, are not the only after-effects organisations should anticipate encountering. A successful cyber-attack, like any infection, results in a plethora of symptoms that can affect a business in immeasurable ways, whether in the private or public sector.
Financial repercussions are the principal cause of concern for most businesses, and not just limited to the high GDPR fine itself. Compensation must be paid to victims of the breach where appropriate, which can prove costly; some reports indicate that an individual can receive as much as £16,000 to cover the damage, and when thousands of accounts are compromised, those numbers quickly add up.
It’s also important to note the financial repercussions of investigating the incident. Investing in IT ‘auditors’ can be expensive and certain situations may even call for a third party to come in and clear up the mess left behind by the attackers.
Regaining the trust of both the public and stakeholders can also be tricky once a breach has been reported in the mainstream media. After all, if data is regularly being leaked and lost by law enforcement, citizens’ trust in governing bodies will erode and rightly so – the public cannot be expected to simply accept the loss. If rapidly evolving threats are left unchecked, and if data security and management are not critically recognised as a priority, massive GDPR fines will be the least of the public sector’s worries.
An improved cybersecurity posture is absolutely essential in the context of these threats, but it can be hard to figure out where to start. As a rule, any proactive cyber security strategy should always begin with regularly identifying and taking steps to protect an organisation’s most critical assets. Government entities, for example, hold and retain access to huge reams of personally identifiable information which requires stringent protection. The conversation shouldn’t end there, however. Attackers are always moving faster than defences, and inevitably hackers will find ways to circumvent defences and infiltrate company systems to access valuable data.
That’s where Privileged Access Management (PAM) comes in. This technology can proactively audit the access and administrative privileges associated with both human and machine user accounts and restrict access to key controls and data only to those who need it within an organisation. In the event of a network breach, this allows organisations to automatically identify and isolate infected areas of a network, ensuring access to vital information and assets elsewhere remains safe, secure, and uninterrupted. Compromised privileged credentials play a central role in almost every major targeted attack, so proactively managing them – and the privileges associated with them – is essential when it comes to protecting public sector systems against the oncoming tide of cyber attackers.
Let’s look at this in the context of a typical attack. Say the target information is held deep within the network, for example. An attacker will likely start by establishing a route into the network via an endpoint (end user device) of the organisation that they are aiming to breach. After gaining initial access and establishing persistence, the attacker will look to escalate privileges associated with this user’s account to gain access to another system that brings them one step closer to their target. From there, the attacker can continue to move laterally until the target is reached, data is stolen, and operations are disrupted – or completely taken over. PAM helps prevent this eventuality by providing security on a user by user basis, where it’s needed most. In the face of an onslaught of cyber-attacks, public sector entities need to establish a proactive, sustainable cybersecurity programme more than ever.
Instead of being overwhelmed, PAM can be used to keep critical data in the right hands. With this in place, the public sector organisations that we rely on in our moments of need – including the institutions to whom we entrust our personal information – stand the best possible chance of remaining reliable and trustworthy.
