Government IT professionals discuss how to ensure they remain protected
Regular and personalised education sessions for staff are important, public sector IT professionals said
“Joiners, movers, and leavers.”
“Third-party applications accessing the network.”
“Bring your own device.”
“Clicking the link.”
These were the first answers offered by a roomful of public-sector technology professionals when asked to name the foremost security challenges they currently face. Terms such as “ransomware”, “DDoS”, and “zero-day vulnerability” are conspicuous by their absence.
- Political upheaval, Blockchain and data protection: What does 2017 have in store for tech?
- Cyber security centre tells government domain owners to up email security settings
- National Cyber Security Centre to publish rankings for departmental email security
But one theme does clearly emerge: human error.
Time and again, stories were told of how the biggest threat to a typical government organisation was not nation-state attacks or global gangs of cybercriminals. It was employees’ carelessly putting a photo on Facebook, using their tablet to access sensitive information, or being taken in by an eye-catching email.
While the number and variety of computing devices continue to diversify and proliferate, and the threat landscape grows more sophisticated and sinister, an organisation’s people are invariably its biggest attack surface. Nowhere is this truer than in the UK public sector, which employs upwards of 5.4 million people – more than one in six of the country’s overall workforce.
Which is a pretty big target to aim at.
Graham Wakerley, founder of security consultancy Missing the Linq, chaired the discussion, which took place at the recent Cyber Security Summit, hosted by PublicTechnology parent company Dods.
“When I talk to organisations about penetration testing I do not just want them to look at their technology – it is not a tech problem,” he said. “Tech is important, but it is about individuals. It is important that you do social engineering. You have to help each other, and you have to make [the security risks] real for staff.”
The public sector IT professionals in attendance opined that regular education sessions to remind staff of protocols and best practise are imperative for effective IT security.
Several noted that it is particularly important to ensure that senior management figures stay up to date, as they not only set the tone for the organisation but also (whisper it) can be among the worst offenders in terms of taking a lax approach to security.
Thomas Coles, chief executive of insurance software firm Risk Solved, said that an even bigger threat is on the way for government CIOs: millennials. Young people who have grown up in a culture that has normalised the sharing of every detail of your life, and happily swapping privacy for utility, will be a major headache for IT security professionals, he said.
“In 20 years’ time they will be in the C-suite. And they actively do not care [about sharing their data],” Coles said. “At the moment, senior management probably do care – but they are just a bit naïve.”
More targeted education exercises are necessary, attendees said. A senior technology leader at one London borough shared the story of how his organisation had developed a portal to offer employees personalised training based on their job function and responsibilities.
Wakerley concluded that “most threats happen within an organisation”. With the continued rise of mobile computing platforms and the Internet of Things, technology will continue to play a bigger and bigger role in all of our lives, he said, so it is crucial that the people using it do so with prudence and vigilance.
He said: “I have been a CIO, CTO, and IT director. I have been in the room being told that ‘information security is an IT issue’. Well, no – it isn’t. It is a people issue, and a policy issue.