More than 100 delegates gathered at our annual event last week to discuss how the public sector can address their biggest security priorities and challenges, and tackle threats head on

Last week marked the ninth annual PublicTechnology Cyber Security Conference.

When the event was first held in the middle of the last decade, the National Cyber Security Centre did not exist, the devastation of the WannaCry ransomware attack was still two years away, the UK had yet to make plans to put its EU membership to a public vote and the founders of OpenAI – the firm behind ChatGPT – were preparing to incorporate a new non-profit tech research entity.

For security professionals, clearly, a lot has changed since then.

For the 100-plus public sector representatives who gathered at our event in London last week – including cyber and digital experts, as well as representatives from policy and operational delivery – there was, clearly, a lot to discuss.

Presentations and interactive sessions during the day addressed issues including how to engage a large and dispersed workforce in security objectives and the growing need to secure supply chains, as well as the best ways to tackle key challenges such as access to skills and the ongoing prevalence of legacy tech.

Here are eight things we learned.

Red teams shine light on password problems

The Ministry of Justice has its own in-house offensive security unit – commonly referred to as a red team – that proactively looks for vulnerabilities and weaknesses before hackers find them.

During the conference’s opening keynote, Amie Alekna, director of security and information at the MoJ, said the team “is certainly one of the first in a government department” and revealed its experts had performed an audit of Windows passwords across the department – and was able to crack 10,000 passwords in under two hours using less than £2,000 worth of computer hardware.

“We have strived to turn detection controls into protection controls. If something is detected a step too late, what you should be doing is protecting it from actually happening in the first place.”

John Keegan, DWP

Security chiefs must tackle the toughest tasks

For red teamers and other security professionals, advising co-workers of the perils of using all-too-easily guessable passwords and reminding them of their other security responsibilities may be mildly awkward for both parties. But, according to Alekna, cyber leaders should be prepared to engage in tricky conversations in order to address to biggest risks and those that may be most deeply rooted in an organisation’s operations.

This is especially true when there is a remit to secure a technology estate – and some of the most sensitive data handled by government – that includes 1,000 separate IT systems, 75% of which are considered legacy.

Alongside the tech itself, MoJ security experts need to provide cyber protection for 80,000 prisoners and 30 separate public bodies, operating from 900 locations around the country and employing 85,000 people. Some of whom may occasionally be asked by their colleagues to address potentially damaging cyber vulnerabilities.

“Sometimes there is a need to call out risk and tackle hard, underlying issues – rather than cherry-pick the easy wins,” Alekna said.

The importance of secure by design

The Central Digital and Data Office is currently working with experts across industries and government departments on defining key principles that government organisations can adopt to implement secure-by-design practices for developing services – which will be mandatory for departments to comply with.

The Cabinet Office-based digital unit will then develop new digital capability, guidance, assurance tools and best practices to support departments in the short and long term to ensure services are made with security embedded throughout the process.

DWP’s drive to develop skills

The public sector’s need for more cyber expertise – and from a wider range of sources – was a recurrent theme throughout the day.

Several speakers cited success stories of how their organisation had developed new talent, or hired budding security professionals from other industries.

One of the newest recruits to the cyber team at the Ministry of Justice – who joined via the civil service’s Fast Stream programme for future government leaders – had previously been a midwife, according to security chief Amie Alekna.

One in four cyber specialists at the Department for Work and Pensions, meanwhile, first joined as an apprentice or via programmes to retrain people from other professions, revealed the DWP’s head of digital security, John Keegan.

IT and OT convergence could heighten risks

The increasing integration of information and operational technologies could cause a large increase in attack surfaces, according to Ricard Fuertes, head of information security operations at Transport for Great Manchester. Fuertes said that, as OT systems become more digitised and connected, they become potential entry points for attackers.

“Organisations now need operational excellence, realism about security limitations, future-proofing, and sharing of resources with other public-sector organisations,” he said.

“Sometimes there is a need to call out risk and tackle hard, underlying issues – rather than cherry-pick the easy wins.”

Amie Alekna, Ministry of Justice

Destroying government’s legacy

A funding package of £2.6bn was provided in the last spending review to help address legacy issues across government. Alongside which, the Central Digital and Data Office announced last year that it was creating a risk framework to help assess the risks of departments’ ageing technology systems. The reference document has enabled the CDDO to identify 153 key assets requiring remediation, conference delegates were told.

The plan is to roll out the framework more widely across the public sector this year to help more organisations identity potential issues.

Securing the supply chain is crucial

Numerous speakers picked out the rising spectre of supply-chain attacks as one of the biggest – and fastest-growing – threats to public sector organisations.

The risks are amplified in a world characterised by geopolitical precarity, where nation states are wont to use cyberattacks as an offensive tool against enemies.

Carla Baker, senior director of government affairs at Palo Alto Networks, said supply chain attacks have gained a lot of attention recently due to vulnerabilities in software supply chains, and that “attacks to suppliers can impact organisations of all sizes and from all sectors”.

The National Cyber Security Centre first published a set of principles for supply chain security in 2018 and, earlier this year, the recently established Department for Science, Innovation and Technology provided resources specifically for local government with a dedicated guidance document “on how to incorporate cyber security considerations into supply chain management lifecycle of their connected places, with a particular focus on the procurement stage”.

The benefits of meeting threats at the edge

The well-worn idiom has it that prevention is better than cure. This ethos can be applied to cyber organisations’ cyber defences, according to DWP security chief John Keegan, who told conference attendees that his team is strives to “protect assets as close to the edge” of departmental networks as possible – rather than just reinforce critical systems within the network.

“We have strived to turn detection controls into protection controls,” he added. “If something is detected a step too late, what you should be doing is protecting it from actually happening in the first place.”