The race to secure an evolving public sector
Public sector organisations are under attack. Between September 2020 and August 2021, approximately 40% of the 777 incidents recorded by the National Cyber Security Centre (NCSC) affected the public sector. Last year a freedom of information request also revealed that local authorities are experiencing an average of 10,000 attempted or successful cyber attacks every single day.
Furthermore, “cybercriminals are becoming more sophisticated with their attacks and their execution [of them],” says Harry Sweetman, solutions architect at Quest Software, which helps organisations solve cybersecurity challenges. “We’re also seeing a rise in state-sponsored attacks, specifically to key infrastructure.”
Phishing attacks – often designed to set up an even more damaging ransomware attack – are still the biggest threat, however. Worryingly, 18 ransomware incidents – including attacks on a supplier to NHS 111 and South Staffordshire Water – required a nationally coordinated response last year.
The fallout from successful attacks can be devastating. Twelve NHS mental health trusts were still unable to access Electronic Patient Records (EPRs) two months after one supply chain attack. In 2020, a cyber attack on Hackney Council also affected multiple services, left key data missing and could cost the council £10 million.
Despite the severity of the cybersecurity threat, and its potential to undermine vital public services, councils, hospitals and other public sector bodies, the sector has struggled to get to grips with it. Only last year, an ITV News investigation revealed hundreds of potential website vulnerabilities and a huge disparity in public sector cybersecurity defence budgets. One UK council was found to be spending just £32,000 a year on cybersecurity; one hospital, an even more minuscule £10,000.
These funding gaps and security vulnerabilities must, of course, be set against the backdrop of constrained budgets and stressed frontline services. “Public sector bodies are very aware of some of the challenges within their organisations,” says Lee Watts, head of public sector UK&I at Quest Software. “Whether they have the ability and influence to change things as fast as they’d like is another matter.”
Boosting resilience at NHS National Services Scotland
NHS National Services Scotland (NSS) is a vital part of the country’s healthcare system. It provides support services and expert advice to NHS Scotland across both clinical areas, such as the safe supply of blood and tissue, and non-clinical areas like essential digital platforms and cybersecurity.
Active Directory (AD) is the backbone of the NSS ecosystem, and downtime can cost not only money, but lives too. In such a scenario, NSS users who provide critical services to the NHS would lose access not just to on-premises resources but also to cloud systems like Microsoft Teams, OneDrive, email and more. This would prevent NSS from providing shared services like HR and finance, or even enabling blood transfusions for patients.
When another NHS health board suffered an extended outage, the NSS IT team realised their current AD backup and recovery solution was insufficient for such a critical component of the IT infrastructure. “It prompted NSS to really think about the impact of downtime and how that affects nurses, doctors and clinicians,” says Watts. “How they might face difficulties with continuing to do their job while the core identity service was down.”
NSS decided to reduce the risk of downtime by implementing a new AD backup and recovery solution that would enable faster recovery in the event of a catastrophic failure. Ultimately, Quest Recovery Manager was selected to ensure that healthcare professionals would always “have access to the right applications, at the right time, to do their job and ultimately save lives,” says Watts.
With Quest Recovery Manager in place, the IT team can now quickly restore the entire Active Directory forest in case of disaster, as well as specific objects or properties that were improperly deleted or changed. In total, it also saves the IT team three weeks of work annually by streamlining recovery tasks.
Public sector organisations are also under pressure to digitally transform their processes and services so that they’re fit for modern demands. This means that employees may need to quickly get to grips with new tools and technologies; without proper training, they may fail to grasp how these solutions impact cybersecurity.
At the same time, CISOs and their teams are managing the shift to home and hybrid working kick-started by the pandemic, which has massively increased attack surfaces. “Not only are you having to focus on your on-premise infrastructure, you’re also having to focus on your cloud infrastructure,” says Sweetman.
Criminals often target Active Directory (AD), which stores account login data and information on other resources within the network. Sweetman describes this as the “beating heart” of the organisation, which must be protected at all costs. “AD has many different paths of attack,” he explains. “It’s weak to misconfigurations and human error, and criminals can leverage this to deliver their attacks fairly covertly.” In fact, even a single improper modification or deletion of an AD object could lead to operational disruption or a security breach.
Thankfully, efforts to address this issue and improve the cyber-resilience of the public sector are increasing. “[Public sector organisations] are definitely moving in the right direction in terms of employing various solutions, such as backup and recovery for AD,” says Sweetman. He advises them to take a “triple layer” approach to AD security – i.e. one that not only addresses the permissions that allow users to interact with objects on the network, but also uses auditing and automation tools to spot unusual activity by a privileged account, for example.
“[You need] tripwires in your environment, and alerting and auditing to let the right people know when things happen,” he explains, adding that if the worst still comes to worst and AD security is compromised, the right backup and recovery strategy “can minimise downtime and therefore the impact.”
Frameworks and funding
In 2022, the government released the Government Cyber Security Strategy: 2022 to 2030, which aims, in part, to create a much more cyber-resilient public sector. It includes a commitment to invest £2.6bn in cyber and legacy IT over the next three years, which should help to address the historic funding gap for public sector cybersecurity measures. £37.8 million of additional funding will also go toward tackling the cybersecurity challenges facing local councils to protect vital services and data, alongside targeted investment in critical departments.
The National Cyber Security Centre’s Cyber Assessment Framework (CAF) is also designed to help public sector bodies assess whether cyber risks to essential functions are being properly managed. Another online self-assessment tool, the Data Security and Protection Toolkit, allows organisations to measure and publish their performance against the National Data Guardian’s ten data security standards.
Despite this progress on funding and frameworks, there is still a serious shortage of cybersecurity expertise within the public sector. However, “the right cybersecurity solutions can help you address this [issue] because they make something that would be complex quite simple,” says Sweetman. In other words, they enable public sector organisations to view cybersecurity through a “single pane of glass” and empower them to take a holistic approach to any issues.
Watts also emphasises how important it is to form a partnership with “a systems integrator or vendor that can really help to deliver a proper, full-scale cybersecurity programme aligned to the industry regulations and principles, and the guidelines and frameworks that are out there.”
Integration efforts across NHS organisations and local government offer a further opportunity to address long-standing issues around cybersecurity by consolidating a range of skills. Watts says that such integrations can reduce the number of platforms that cybersecurity teams need to manage, for example, thereby reducing the attack surface.
“The government has realised that there’s a lot of overlapping services between district councils and county councils,” he says. “They’ve got huge amounts of bespoke applications and systems that are used to do similar things – to support child services, for example. And we’re seeing those systems, people, processes and services come together, which is improving how those organisations manage security.”
Ultimately, Sweetman believes “there’s a huge opportunity now for the public sector to get up to speed with modern cybersecurity solutions.” And reassuringly, councils, hospitals and other providers of essential public services are taking notice and starting to move in the right direction. Now they need the right technology to support them, so that the security vulnerabilities that have plagued the public sector can be consigned to the past.