Security types love to get their geek on over malware strains — reverse engineering the latest nasty bit of code and cooing enthusiastically over the cleverness of its latest techniques to hide from anti-virus software.
Jargon, meanwhile, abounds: knowing your RDP from your SSH, your VPN from our DNS or MFA from your CVE is important to specialists, but to end-users it’s often meaningless — and as a new report today shows, awareness of even basic terms like “ransomware” remains scant in the public sector.
Such granular research and knowledge are undoubtedly hugely important. Without them there are no solid security tools. But is security industry navel-gazing an obstacle to tackling threats like ransomware, as sector specialists lose sight of glaring security flaws/poor awareness around them?
Or will some sectors just not learn the basic lessons of security hygiene, despite evidence proliferating of what happens when you get caught napping?
No doubt a case could be made for either position, after a new report published today found that of 1,000 public sector staff, nearly half had never even heard of ransomware, let alone two-factor authentication.
(Somewhat more, 75 percent, had heard of phishing. That figure may still be far too low for the likings of many: if 25 percent of your staff are not attuned to the risks of one of the most prolific threat vectors, that’s a problem).
Some 68 percent meanwhile said that there was no dedicated cyber security expert in their organisation. The latter point may be less surprising: at smaller organisations or across the public sector, generalised IT staff are often wearing too many hats to count; one of them being a cybersecurity one in the broadest sense — think VPN support tickets, software patching and password resets.
Yet the research today from data security provider, Reading-based Clearswift, emphasises alarmingly low levels of cybersecurity awareness that are compounded by a lack of training. (Some 32 percent said they are trained once a year or less often; 16 percent never get cybersecurity training).
“The UK public sector has put in place many of the processes required to defend against ransomware and other cyber-attacks,” the company’s Alyn Hockey said. “But recent events have demonstrated a clear need for more cyber vigilance… Communicating clearly about the dangers of ransomware and updating legacy operating systems would be a great start, ahead of a broader look at overall cyber security strategies.”
Among other findings in the report: staff are using personal USB sticks at least once a week (38 percent); checking personal email several times a day (51 percent) and using unauthorised devices at least once a day (33 percent).
With one UK council (Redcar) estimating the repair bill from a ransomware attack in February at between £11 million and £18 million, the case for security investment — including basic training — is a no-brainer.
Brains, like budgets, unfortunately, are likely stretched at the moment. Conversations Computer Business Review has had across both the public and private sector in recent months suggest security staff — where they exist — are widely seen as low-hanging fruit. Few would deny that such cost-cutting moves are a false economy. But some people just won’t be told…
Got a public sector security horror story – or golden best practice case study – you’d like to share? Pop us a line on ed dot targett at cbronline dot com