A change in perspective is needed in the public sector when it comes to cyberattacks. Agencies need to pool knowledge of how to weather attacks, experts told a recent Tech Monitor event. Understanding that an attack is a matter of when, rather than if, should inspire such behaviour as shoring up cyber defences and combing through data in online systems, to ensure that only essential information is internet-facing.
The panel session, Ransomware – developing secure cyber defences for UK institutions, took place as part of the Tech Monitor public sector technology symposium, held on Thursday, 6 October at etc.venues, Fenchurch. A full recording of the panel is available below:
How to protect the public sector against Ransomware
Throughout the public sector, many organisations have been hit by cyberattacks of varying levels of severity. An issue here is that often, in order to save face, institutions will suffer in silence. This siloes all the knowledge they gather combating the attack and cuts them off from any help they could receive from those who have experienced similar attacks before, explained Pete Cooper, deputy director of cyber defence within the Government Security Group, part of the Cabinet Office.
“When people put their hands up and say ‘we’re having a real issue here’, there are so many organisations who will come out of the woodwork to help,” he said. “That comes not just from the government, or the police, or the National Crime Agency, but also from the wider cyber research community.”
Organisations will only be willing to ask for help if the perception of victims changes, says Adrian Warman, head of security policy, awareness, culture and education at the Ministry of Justice Security and Information Group. “It is interesting that the perception of an organisation hit by a ransomware attack is that it has somehow failed,” he said. “But that’s not really the case because ransomware technologies are really smart. They are optimised from the technology point of view and a social point of view. It is very hard to defend against those kinds of precise, expert attacks.”
In order to level up security across the board in the public sector, transparency must be implemented so that companies can pool their knowledge and get help, said Eleanor Fairford, deputy director for incident management at the National Cyber Security Centre. “It is really important to be transparent about what is taking place, not viewing it as a reason to blame an organisation but taking the opportunity to exhibit what you might call ‘responsible victim’ behaviour,” she said.
Fairford caveated her answer by referring to the Optus breach, the catastrophic attack on an Australian telecommunications company, which led to personal information of nearly three million customers being stolen. “[Optus] is really an interesting case study in how not to do your messaging,” she said. “Follow-up attacks took place, as well as secondary fraud. You had random actors claiming to have access to the data trying to extort on the back of it.” This shows that while transparency is key, balance is needed to judge what should be released to the public. “There’s just something about how you manage that messaging, working out what people need to know and where,” she said.
For a larger company like Optus, there is often already a system in place, or some funding available to direct at a cyberattack. With smaller institutions this is rarely the case, warns Peter Mackenzie, Director of Incident Response at cybersecurity company Sophos. “Our data from this year is saying that small businesses are now the more likely target for ransomware, because they’re the easier target.”
“If you go after a large, multinational company, it will get a lot of press and law enforcement attention, which means a lower chance of getting paid,” continues Mackenzie. “A small business doesn’t have any of that.” As the panel sponsor, Sophos noted that acquiring cyber insurance is a popular way for a mid-sized company to remain protected. “One in four mid-sized organisations have cyber insurance against ransomware,” says a report into ransomware by Sophos.
Preparing the public sector for attacks
Ransomware attacks are becoming so common that organisations must prepare for the worst, but often this is easier said than done. So how can a public sector institution arm itself properly against a growing cyber threat?
One way is to ensure only non-critical data is stored in internet-facing systems, said Fairford. “As we move increasingly into what we might call a ‘data breach age’ it’s the data that is being targeted,” she said. “I think all organisations could do well to have good housekeeping exercises on what they actually hold and what could happen in the event of a data breach.”
Reaching out to departments that often request personal information could be a good starting point, she noted. “Does HR really need your passport details? Do they really need to hold on to them?”
This information can be used to build data retention policies, Fairford added. “They sound really boring but actually that’s really useful,” she said. If you’re getting rid of the stuff you don’t need and you’re deleting the material that might otherwise be inflammatory, that’s the stuff your attackers are going to target. “I think most organisations aren’t yet thinking in this way.”