by John Price, Head of Public Sector at Check Point Software UK&I
There’s nothing quite like a global pandemic with legally enforceable lockdowns to expose a demographic’s dependence on digital infrastructure. While the devastating SolarWinds breach in late 2020 made headlines around the world for its impact on corporations like Cisco and Microsoft and their thousands of customer organisations, the bad actors involved would have likely seen the private businesses impacted as collateral damage in pursuit of a much more lucrative target – the public sector.
The wheels of government have a reputation for turning slowly. Many governments, including the UK, are seen as overstretched and under-resourced in their response to potentially devastating cyber incidents. Take the WannaCry attack, for instance, which brought the NHS to a virtual standstill in 2017 because of unpatched and outdated software that took months to rectify. The government even had a £5.5 million deal in place with Microsoft to maintain support for the nearly two-decade-old Windows XP operating system long after it had fallen into obsolescence, which many would argue was an incident waiting to happen.
According to research from Check Point Software, there are 378 cyberattacks a week in the UK and government organisations have become the third most targeted sector by cyber criminals over the past six months, ahead of finance, banking, manufacturing and healthcare. Threats such as triple extortion ransomware and supply chain attacks are on the rise, with malware such as Trickbot, Dridex, Qbot and IcedID surfacing more frequently, as outlined in Check Point’s Cyber Attack Trends: 2021 Mid-Year Report.
Any hopes that lessons may have been learned from the WannaCry breach have been dashed this year as the widely reported Microsoft Exchange hack continues to cause problems within the public sector. Despite the vulnerabilities being identified in January 2021, with patches circulating as early as March, more than 50% of MS Exchange servers in the UK remain vulnerable at the time of writing, including those on the British government’s ‘gov.uk’ domain. The public sector is, regrettably, a relatively easy target, but is it a lucrative one? Why are we seeing an increased number of bad actors targeting the public sector as we navigate our way through a global pandemic? As is often the case when it comes to malicious cyber actors, it’s a question of following the money.
What’s your data worth?
Data has value. It can therefore be extorted or sold on for profit. If a group of bad actors were to steal thousands of people’s credit card details by hacking into a private organisation such as a bank or online retailer, they’d fetch around £15 per record if auctioned off on the dark web. If, however, the same group were to attack an NHS trust and steal medical records, their potential profit would soar and net them more than £350 per record. And that’s not even taking into account the amount they could extort from the targeted trusts themselves. This isn’t helped by the fact that public sector organisations often consist of siloed data behemoths, so if a malicious actor is able to exploit a gap in their defences, the ‘pay-outs’ are often huge. As seen in the MS Exchange and WannaCry incidents outlined above, responses to breaches in the public sector are often incredibly slow and poorly orchestrated, giving cybercriminals an even larger time window in which to exploit their targets.
Think resourcing, not outsourcing
Unlike in the commercial world, public sector organisations aren’t profit-driven and can’t easily justify the increased IT spend as a mere preventative measure. A year after the WannaCry attack, the government agreed a £150 million deal with Microsoft to equip all NHS computers with the latest Windows 10 operating system and ensure that all security settings were up to date. This is all well and good, but it took a catastrophic breach that put individuals’ medical records at risk to get budget approval. The public sector is, almost by definition, reactive instead of proactive when it comes to digital transformation. It’s there to serve, not to profit, and this leaves it vulnerable by default.
Part of that vulnerability is no doubt due to loss of control through third-party outsourcing. On the face of it, the cyber capabilities of the public sector and its employees are stronger than some of these incidents might suggest. According to the government’s annual report ‘Cyber security skills in the UK labour market 2021’, the public sector is actually surprisingly confident when it comes to performing advanced cyber security tasks. While a quarter of all businesses say they aren’t confident when it comes to penetration testing, for instance, more than 80% of public sector organisations are more than confident in their testing abilities. Similarly, 1 in 10 of all businesses say they lack confidence when it comes to user monitoring, but no public sector organisations report any such issue.
It’s only when we read further into the report that we start to see the real problems emerge. A quarter of public sector organisations have just one staff member responsible for cybersecurity, and the percentage of public sector organisations outsourcing basic security functions such as firewalls, user privileges and backing up data far outweighs that of the private sector. More than 95% of all public sector organisations outsource their firewall configurations to a third party; more than 80% rely exclusively on third parties when it comes to incident response and recovery; and almost half (48%) even outsource the control of internal user admin rights which, unless they have a very close relationship with their third-party IT partner, could have devastating security repercussions. So while the public sector might be confident in its cyber capabilities, that confidence might be ill-placed.
Good money after bad
In case you haven’t spotted it, the common theme here is a lack of internal resources and control. The technology is available, but only if the public sector is willing to continue putting up with the ‘technology debt’ it’s accruing through its overdependence on outdated internal tech and external cybersecurity solutions. According to a recent Cabinet Office report, keeping outdated computers going is costing the government roughly £2.3 billion per year, which is almost the same as the US government’s entire cybersecurity budget for 2021.
With a threat landscape that’s currently outpacing many private organisations’ capabilities, governments need to start thinking very carefully about their cyber security budgets, how much of their security solutions are outsourced, and how they can strengthen their risk posture in 2021 and beyond without continuing to throw good money after bad.
Check Point Software recently hosted a webinar entitled: “The State of Cybersecurity: Public Sector 2021” with experts from the field of cyber security in the public sector. To access the webinar on demand visit: www.brighttalk.com/webcast/16731/504417