Why the Public Sector?
Cybercrime is one of the fastest growing industries in the world. Millions of attacks descend on organisations of all kinds every year with the most popular targets being organisations with lots of sensitive data and with vulnerable cyber defences. In many cases, that means they are making a beeline for local government organisations and the public sector.
From the UK, to Sweden, Belgium and Ireland – the Public Sector is proving to be a continued target.
In the last five years local councils in the UK were targeted by 100 cyber-attacks. In 2016, the Belgian Government suffered a series of attacks culminating a breach at the Belgian National Bank and in Sweden a data breach of the Swedish Ministry of Transport potentially put sensitive information, driving licenses and information on military vehicles at risk. It was one of the largest data breaches in the country’s history and led to the resignation of two senior Swedish ministers.
The attacks come from all directions and motivations. Some are the traditional black hat operators, seeking to make a quick buck such as the ransomware attack which temporarily affected NHS servers in 2017. Criminals seek to use denial of service attacks to force victims to pay a ransom in order to regain access to their systems. The they are increasingly turning their attention down the ladder towards local government, for example with a hack against the state of Michigan to highlight Flint’s water crisis. Meanwhile, hackers from the group Anonymous tore through official websites of the Philippines government. While Meath County Council lost almost 4.3 million Euros in a business email compromise attack.
Building the defences
Governments need to get serious about cybercrime at every level, from local government and up. This starts with identifying the nature of the problem.
Key attacks continue to be well recognised methods such as:
Ransomware: in which cyber criminals lock you out of your systems and demand a ransom before they will restore service. The local government for the City of Atlanta was subject to such an attack in 2018 and thus far has paid out almost 3 million dollars in clean-up costs.
Malware: A virus which is downloaded onto your system. These often run in the background monitoring activity and stealing data without the user’s knowledge. In 2017, the local government of the German state of Saxony-Anhalt was subject to a vicious malware attack which crippled their computers. It all started when an employee inadvertently opened a malicious email.
Phishing emails: Hackers are developing increasingly sophisticated emails designed to encourage users to reveal passwords or other crucial information.
In addition, cyber criminals are harnessing developing technologies such as crypto-mining, and internet of things (IoT) technology to compromise official systems. Indeed, the more government organisations embrace technology, the more opportunities they offer the criminals.
Defences are improving. Just as criminals are developing new attack vectors, firewalls, encryption and other security measures are becoming more robust.
The human factor
The human factor
It’s a mistake, though, to think of this as a primarily technology related issue because an organisation’s biggest weakness will always have a human face. Time after time surveys show that the biggest threat organisations face will come from within – either from malicious action or basic human error.
For all the technical sophistication of the modern cyber-criminal, he will still often rely on someone making a mistake. The good news from their perspective is that they don’t have to look too hard to find those errors. They happens all the time, whether it’s someone clicking a link they shouldn’t or being fooled into sharing sensitive information. Equally employees losing data or having computing devices containing sensitive data stolen on them continues to be a perennial problem.
Attacks still rely on someone making a mistake – either revealing information through an email or clicking on a suspicious link. The most important tool to protection internal systems, therefore, can be to ensure staff are properly trained.
This starts by developing a comprehensive training program for everyone in the organisation from top level management to top level to the most junior office assistants. They must understand the latest attacks and the ways in which cyber criminals will attempt to breach their defences. They must realise the importance of following security protocols which starts by regularly changing passwords and ensuring they do not fall into the old trap of replicating the same password across all their devices. Employees must also be reminded of the importance of securing portable data.
The stakes are about much more than just the loss of data. The regulatory environment is evolving rapidly to put more pressure on organisations of all kinds on how they use the data they store. Europe’s new General Data Protection Regulations require organisations to take all reasonable measures to safeguard data, ensure they have individuals’ consent and to act promptly when a breach does occur.
The fines have increased dramatically over and above the old Data Protection Act. Under GDPR a serious breach could attract a fine of up to €20million.
The pressure is on, then, from all quarters for government organisations to up their game. The criminals see them as a ripe target, and their systems lack the necessary levels of security. Attacks will be inevitable. Whether they succeed or not will depend on how well equipped an organisation is to fight back.
We offer tailored IT security awareness program for employees of public sector bodies. This includes modules on:
Secure Data Handling
Anti-Phishing / Spear-phishing
Ransomware Prevention Training
Data Protection Training
IT Policy Re-enforcement