The volume and severity of cyberattacks witnessed since the beginning of the pandemic has dispelled any hope that UK public sector organisations can avoid being targeted. Being resilient to inevitable attacks is, therefore, the only option. At New Statesman and Tech Monitor's Public Sector Technology Symposium, leaders from the National Cyber Security Centre (NCSC), the Ministry of Defence (MoD) and the Cabinet Office shared their views and experience of how UK public sector organisations can hone their cybersecurity resilience.
How has the cybersecurity threat evolved during the pandemic?
Cybersecurity has transformed since the start of the pandemic, explained Paul Maddinson, director of national resilience and security at the NCSC. For one thing, the fear and anxiety it provoked created ample opportunity for exploitation. “We saw a huge increase in attempts at fraud using Covid,” Maddinson explained.
Working from home also made people more vulnerable, he added. “Being separated from colleagues and not being able to chat… allowed a lot of fraud to be perpetrated.”
It is not just criminals that spotted an opportunity, however. “We saw nation-states going after the vaccine supply chain,” Maddinson said. “Both nation-states and criminals continue to pose a regular threat to UK networks and the UK government.”
Supply chain attacks – in which attackers compromise a target organisation by infiltrating its suppliers – intensified in the past two years, Maddinson explained. “There’s been supply chain attacks around for years, but actually over the past year or two in the UK in particular… we’ve seen adversaries really exploit them.”
But it was ransomware that dominated the headlines. It is a threat that is unlikely to dissipate in the near future, warned Maddinson, and one that demands that public sector organisations bolster their cybersecurity resilience.
How can UK public sector organisations bolster their cybersecurity resilience?
The WannaCry ransomware outbreak in 2017 was devastating for many affected organisations, including the NHS, but it was also a vital wake-up call for the UK public sector. As a result, many had invested in cybersecurity resilience before the pandemic. “The preparedness from government agencies and other organisations after ‘WannaCry’ in 2017 was a big catalyst to a security-first approach,” explained Romanus Prabhu Raymond, global head of technical support at sponsor ManageEngine, an IT operations and security company, after the panel.
The Ministry of Defence, for example, has developed a set of “playbooks” for responding to ransomware attacks, explained executive director Phil Jones, which it has updated in the past 18 months. “I can’t go into the specifics,” he said, “but it is a big area of focus on a daily basis.”
More broadly, cyber resilience is about getting the basics right, said Jones, so that “should the worst happen and our controls fail, then we can get back up and running really, really quickly.” This includes offline back-ups – these are among the NCSC’s top recommendations, added Maddinson.
Testing is a vital component of cyber resilience. This comes in many forms: last year, for example, the Ministry of Defence ran a bug bounty competition to detect security flaws in its IT systems. “That’s been really, really successful for us and we intend to do that again,” said Jones.
Another approach is to simulate cyberattacks. The UK government has two frameworks for such simulations, known as GBEST and GCASE, explained Pete Cooper, deputy director for cyber defence at the Cabinet Office. The true value of these, Cooper explained, comes from testing not just an organisation’s technical defences but also the preparedness of its leaders.
“We make sure that we don’t just look at this through a technical lens,” he said. “We’ve got to look at this through both a leadership lens and a policy and strategy lens as well. [I]t can’t just be seen as a tactical issue. It’s got to be seen as owned and driven by the leadership team.”
Employee awareness is another pillar of resilience. The MoD launched a cybersecurity awareness programme shortly before the pandemic, Jones explained, which was “fortuitous timing”. The content of the training is updated on a monthly basis, Jones said, “and we do need to get around 200,000 people so it’s not an insignificant task”.
These initiatives do not have to be siloed from one another. Indeed, involving employees in tabletop simulations, for example, can help to create a workforce that is not just aware of cybersecurity issues but engaged with them, explained ManageEngine’s Raymond. “Having every employee not only trained but involved in the security aspects with tabletop exercises would increase the chances of better defence,” he said. “Employees are not the weakest link – they are the virtual fortress of security.”
Cooper agrees: organisations need to move away from treating employees as the “weakest link” in cybersecurity, he said, and instead develop a culture that provides the tools and information that allow them to be the “strongest link”. To this end, the Cabinet Office is developing a framework to help government departments bolster their cybersecurity culture, Cooper explained.
“Awareness is great,” he said. “But really, when it comes to security, culture is king.”