Security incidents and data breaches have become an incredibly broad subject, particularly in the public sector, where we have seen both the number of incidents and their impact continue to rise.
They range from single instances such as Watton Town Council being compromised earlier in 2020, where known exploits and a lack of patching were exploited, to the hugely impactful and expensive Redcar and Cleveland Borough Council ransomware attack. That type of attack often, at least initially, involves very little technical infiltration: usually phishing, where a member of staff innocently clicks a link or opens an attachment.
And we can’t forget the infamous WannaCry ransomware attack of 2017 that caused shockwaves throughout the UK. Imperial College London research showed the attack cost NHS hospitals almost £6 million. The impact in the wider public sector is much larger.
This attack drew attention to cyber security in the public sector. It also showed the weaknesses of organisations against such threats.
To combat this, the Ministry of Housing, Communities and Local Government is working to develop a cyber health framework. This would let councils adopt consistent standards and work at a given level of cyber health.
A common framework means local authorities would benefit from the use of consistent and robust practices, thus improving cyber health. This ‘cyber health’ is important to all organisations. Let’s look into why it’s more crucial than ever.
Why Do Organisations Need Cyber Health?
Fundamentally, cyber health is generally considered an unquantifiable subject: an organisation will never be 100% secure, but by focusing its efforts on specific objectives and a defined risk appetite it can get as close to that as possible.
Types of attack change over time. For example, since the mass adoption of remote working there has been a huge increase in ransomware infections caused by remote access protocols such as RDP and SSH being exposed to the internet without being kept patched or given any basic hardening.
Covid-19 has also caused a fundamental shift in ways of working, and businesses need to ensure these shifts are appropriately risk managed. For example, opening Remote Desktop Protocol on a work machine to the internet may well allow staff to work remotely, but RDP as a protocol is not designed to be exposed in this way without further protection. Add to the mix that the last 18 months have been full of Microsoft patching RDP vulnerabilities, starting with BlueKeep, and the end of life of Windows 7 at the start of 2020, and we start to have the perfect storm.
What is the state of Cyber Health in the public sector?
The findings of the Local Digital Collaboration Unit Cyber team show the problems with cyber security.
Cyber standards are in place for different councils, but they’re not all the same and they’re not all equal. This makes it difficult to find common ground or best practices.
The findings uncovered the impact of legacy technology on cyber security postures. That said, an effective framework needs to address culture and leadership as well as technology. After all, cyber health relies on user behaviour as much as the right software.
Staff can’t embed best practices without buy-in from leadership. Avoiding or neutralising cyber risks must inform decision-making at all levels.
Cyber health is the way that the public sector can address these problems on an ongoing basis. Think of the cyber security of the council as being like the immune system. Once it’s working well, it keeps doing its job in the background.
Why Is Cyber Health Important?
There can often be the misconception that technology solves all problems, but the reality is that cyber health is a moving target; the shiny box with flashing lights in a data centre may well help with today’s problem, but the attackers will simply change tack. A fully considered baseline and accompanying framework must be adopted to realise a good security posture.
Attackers are incredibly responsive and operate as an enterprise; today’s ransomware looks very different because anti-ransomware solutions are improving, which in turn means the attackers innovate and release new types of attacks.
In the public sector, organisations often take a piecemeal approach to security. They generally have to operate with legacy systems and try to plug gaps with newer enterprise programs. These newer applications come with better security measures. Yet they can’t fix the security holes created by such a patchwork of systems.
Combine this unmoderated mass of software with poor user practices, such as sharing or reusing passwords or accessing systems on unsecured devices, and we start to see a number of weaknesses that can be exploited. Moreover, with staff working from home due to COVID-19, organisations must address this issue.
How Would Cyber Health Work in Practice?
Let’s go back to the immune system metaphor. Organisations can’t rely on technology and software to maintain cyber health. That would be like expecting the body to deal with immunity on its own.
People can enjoy a healthy immune system. To do so, they feed the body the right nutrients, get enough exercise, and provide it with enough rest.
This is the same as user behaviour and processes. It’s the combination of ‘right things’ that staff need to do.
The best way to ensure cyber health and safety is to take a similar approach. Tackle people, processes, and technology as important parts of the puzzle. Let’s break those down further to show how they contribute to cyber health.
A system is only as strong as its weakest link. In practice, that can be daily users. It also includes management and its decision-making.
A review of the impact of WannaCry on the NHS found many computers hadn’t been kept up-to-date. No one applied Microsoft patches and firewalls were out of date.
It’s vital that staff use the right knowledge and behaviours around cyber health. Training is a key part of this to make sure they know what good looks like and it also helps to drive the right behaviours. Managers also need to be sure the processes they follow are robust enough to suit their security needs.
Social engineering and phishing make it likely that staff are the biggest system vulnerability. Keeping their training up-to-date gives attackers one less hole to exploit.
Focus on making cyber health part of every job role. Everyone needs to take ownership of cyber security. Managers need to take responsibility for following the right framework.
These processes don’t refer to individual behaviour among staff. Rather, they’re the processes followed by the wider organisation, such as recruitment, acceptable use and procurement.
The cyber health framework helps here since organisations should use consistent processes. Executive governance should also follow processes to make sure staff have access to the right information.
It also means that organisations should be able to procure the technology they need quickly. They should be able to replace a patchwork of systems with products that solve security problems.
There are several elements to technology’s role in an organisation’s cyber health. Having the right cyber standards for technology is critical. This dictates how organisations approach cyber security from a technology perspective.
Here, the framework would provide a ‘trickle-down’ approach. Managers can only meet the standards by having the right technology in place. This makes technology a priority, rather than an afterthought.
Councils should build and maintain their services with security in mind. This bakes security into the service, reducing vulnerability.
That means replacing legacy technology with contemporary alternatives. It also means having robust software that is regularly updated. Installing patches needs to be a mandatory task. Data backup procedures are also important. Keeping a backup of critical data is a way to restore systems if the worst happens.
Cyber Health Checks
Cyber health covers a broad range of areas so organisations need a robust cyber health check. It includes GDPR compliance since keeping data safe is a legal requirement.
Non-compliance can even cost an organisation 4% of its annual turnover. Checks would make sure sensitive data was safe from exploitation, deletion, or ransom.
Fundamentally, we need to remember to get the basics right to reduce the likelihood of any exposure. This includes not operating unsupported devices unless they are fully known and the risk is managed.
Staff training should also be checked. Is it robust enough to make sure staff know their responsibilities? Does it provide enough knowledge to allow staff to follow cyber best practices at all times? Don’t just assume that because staff sign a declaration saying they understand cyber security when they first join, or even annually, they actually understand it. Run a continuous education programme that keeps them up to date with the emerging threats that affect them, for example endpoint updates and phishing.
Finally, checks should ensure that patches are applied to both servers and endpoints as soon as possible. Balancing availability and confidentiality is always a challenge, so review each patch and understand the risks.
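To make the checks above concrete, here is an added example (not code from the original article or from any council framework) that audits a constructed host inventory for the compounding risks described earlier under remote working: remote-access services reachable from the whole internet, operating systems past end of support, and hosts with no recent patches. The 30-day patching limit, the host names and the firewall rules are assumptions for illustration; the Windows 7 end-of-support date (14 January 2020) is the real one.

```python
"""Added example: flag internet-exposed RDP/SSH, unsupported operating
systems and stale patching across a constructed host inventory."""
from datetime import date
from ipaddress import ip_network

REMOTE_ACCESS_PORTS = {3389: "RDP", 22: "SSH"}
# Windows 7 left extended support on 14 January 2020 (the article's example).
# None means the OS is still supported.
SUPPORT_END = {"Windows 7": date(2020, 1, 14), "Windows 10": None}
MAX_PATCH_AGE_DAYS = 30   # assumed patching SLA, not from the article
AUDIT_DATE = date(2020, 6, 15)  # constructed "today" for the audit

# Constructed inventory for illustration only: (port, allowed source CIDR).
INVENTORY = [
    {"host": "fileserver01", "os": "Windows 7",
     "last_patched": date(2019, 11, 2), "rules": [(3389, "0.0.0.0/0")]},
    {"host": "laptop-42", "os": "Windows 10",
     "last_patched": date(2020, 6, 1), "rules": [(3389, "10.0.0.0/8")]},
    {"host": "bastion", "os": "Ubuntu 18.04",
     "last_patched": date(2020, 5, 20), "rules": [(22, "0.0.0.0/0"), (443, "0.0.0.0/0")]},
]

def is_internet_wide(cidr):
    """True for 0.0.0.0/0 or ::/0, i.e. no source restriction at all."""
    return ip_network(cidr).prefixlen == 0

def check_host(host, today):
    """Return a list of human-readable findings for one host."""
    findings = []
    end = SUPPORT_END.get(host["os"])
    if end is not None and today > end:
        findings.append(f"{host['os']} unsupported since {end}")
    age = (today - host["last_patched"]).days
    if age > MAX_PATCH_AGE_DAYS:
        findings.append(f"no patches for {age} days")
    for port, src in host["rules"]:
        if port in REMOTE_ACCESS_PORTS and is_internet_wide(src):
            findings.append(f"{REMOTE_ACCESS_PORTS[port]} exposed to the internet")
    return findings

def run_audit(inventory=INVENTORY, today=AUDIT_DATE):
    """Map each host name to its findings; an empty list means no issue found."""
    return {h["host"]: check_host(h, today) for h in inventory}

if __name__ == "__main__":
    for name, found in run_audit().items():
        print(name, "OK" if not found else "; ".join(found))
```

A host that collects all three findings at once (fileserver01 here) is the "perfect storm" the article warns about and should be the first thing a cyber health check escalates.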
Good Cyber Health Means Peace of Mind
Improving cyber health isn’t just a nice idea for the future. It also can’t be something organisations only consider when they have a bigger budget or an immediate problem to deal with.
Improving cyber health and passing a check when they have nothing to worry about saves organisations from technical headaches down the line. It also means organisations can guarantee the safety of the sensitive data they hold.
Cyber health should be a priority for every organisation.
Contact us today to find out how we can help.