Public sector organisations have been subjected to a barrage of cyberattacks since the start of the pandemic, with opportunistic criminals exploiting the disruption to steal data and inject ransomware. Meanwhile, the civil service is undergoing a once-in-a-lifetime shift in working practices, with hybrid working emerging as the preferred option for many organisations and their staff.
How can the UK public sector maintain security at a time of both high risk and rapid change? This was the subject of a recent roundtable convened by Tech Monitor and supported by AMD, where senior cybersecurity decision makers shared their experience, challenges and ambitions.
Enabling hybrid working in the public sector
Working from home is the new normal, a security manager for an NHS Trust noted, with 75% of its employees working this way every day. “We’re even looking at allowing staff to work offshore,” they explained. “How do we support our staff doing what they want to do, and maintain security while we’re doing it? We don’t want security to be a hindrance, but we need it to be in place.”
One security risk that intensified during the pandemic is phishing. Another attendee from the NHS reported that between summer and autumn 2020, it had to block 160,000 new phishing sites dedicated to targeting staff and those using its systems. This calls for heightened awareness among employees to ensure they don’t fall victim to phishing attempts, including spear-phishing attacks against senior members of staff.
However, hybrid working may mean employees are less alert: many will be on back-to-back Zoom calls while reading email and trying to navigate the distractions of home life. The risk of clicking on the wrong link is much greater in such instances, delegates agreed, so training and education are just as important as technological solutions.
Other delegates explained how the widespread shift to home working has made the task of securing employee devices more complex. “Where people haven’t secured their routers, haven’t updated their firmware, they’ve got Internet of Things cameras and devices which could act as a conduit into different networks … those things were a bit of a challenge.”
Given the sensitivity of the data they handle, some public sector organisations have been cautious in how they enable hybrid working. “We’ve limited the use of [bring your own device] across a large portion of the workforce,” explained the IT specialist from an organisation that manages critical national infrastructure. “We need to be overly cautious to make sure that nothing awry goes on.”
At the same time, delegates agreed, cybersecurity must fit with the way people work. It can’t hinder them or get in their way – or people will find workarounds, and that can be more dangerous. One way around this is focusing on security-by-design, building security into every system and process, which makes security more seamless for the user.
Cybersecurity challenges of the UK public sector
Hiring cybersecurity professionals amid a nationwide skills gap is a common headache for public sector organisations. “Hiring at the right salary level is a big problem we’ve got,” said a cybersecurity executive at a small local government organisation – not least because the typical salary for some cybersecurity roles can outstrip those of senior politicians.
This calls for simple and well-defined career pathways for cybersecurity professionals in the public sector, some delegates agreed, so that talent from all backgrounds can join the workforce.
Another emerging area of focus is the supply chain. Although not new, supply chain attacks – in which criminals target an organisation’s suppliers to sidestep their defences – have intensified in recent years. Mitigating this risk requires procurement processes that not only ask suppliers about their cybersecurity precautions but also test them. One delegate shared that their organisation provides security guidance to smaller suppliers on whose services it depends.
Ultimately, managing the cyber threat in the public sector is as much a cultural or a ‘people’ issue as a technological one. Every organisation must decide its culture – how it wants to work, and how it wants to access and share data. This will be key to effectively protecting the organisation against the ongoing threat of cyberattacks.
As Lee-Martin King, the delegate from roundtable sponsor AMD, pointed out: “We could bring the best security technology to market that wouldn’t make a blind bit of difference if it wasn’t properly utilised and deployed.”