How can the public sector manage cyberthreats?
In the wake of last year's WannaCry ransomware attack and a range of high-profile threats since then, PublicTechnology and Trend Micro invited a panel of experts to discuss how the public sector can build resilience and protect itself. Geoffrey Lyons reports.
Imagine you’ve waited nearly a year for open heart surgery. Today's the day: you’ve arrived at the hospital, checked in, conversed nervously with staff. It’s a matter of minutes before you’re due to be put under, when a nurse says the hospital has been hacked. The operation is postponed indefinitely.
That was the unfortunate experience of Patrick Ward, a 47-year-old Dorset local who was directly affected by last year’s WannaCry ransomware attack. The attack, which in December was attributed to North Korea, infected thousands of NHS computers and over 200,000 machines worldwide with a ransom note informing users that their files have been encrypted and they need to pay in Bitcoin to get them back.
While the infection was purged in just a few days, it sparked an ongoing conversation on the threat of cyberattacks to vulnerable institutions like the NHS.
“Organisations like the NHS get attacked so much because they're not there for data security,” says Mike Hulett (pictured below, second from the right), head of operations at the National Cyber Crime Unit, a command of the National Crime Agency. “There’s also 1.1 million NHS emails, so it’s a big attack area.”
Hulett’s remarks were made at a panel discussion, hosted by PublicTechnology and cybersecurity company Trend Micro, on cyberthreats and how the public sector can better manage them. While some organisations have the resources to rebound from an attack – Equifax, the consumer credit agency that was breached last year, earns £2.55bn in annual revenue – it’s not yet clear how damaging a cyberattack could be to public sector organisations already struggling to meet citizens’ demands.
And it’s not just a lack of resources that makes public sector organisations vulnerable.
Siobhan Coughlan (pictured right, second from the left), cyber security lead at the Local Government Association, emphasises the role played by technology's ever-expanding reach.
“Cybersecurity is the flip side of what we’ve been doing for years by encouraging councils to go digital,” she says. “If you’re an environmental officer with a tablet, then that’s great that you have the tools to do your job. But the more digital tools you have, the more you’re at risk, whether from a hacktivist or just human error.”
While it's the hacktivists that are grabbing the headlines, the threat of human error often goes perilously unnoticed. Daniel Helps, head of fraud operations for the Counter Fraud & Investigation Directorate hosted at Thurrock Council, says many people are fundamentally unaware of the risks they take.
“I was in John Lewis recently and what did I see? A book to write your passwords in,” he says. “Can you imagine if you lost that book?”
Trend Micro’s principal security strategist, Bharat Mistry (pictured below left), says the danger of human error can usually be combatted with basic awareness training.
“A lot of enterprises have programmes but no follow-up,” he says. “When you look into some of the attacks we’re seeing, if you don’t have a careful eye then you'll click on the links.”
And Mistry has worked with a lot of organisations where staff have clicked on dubious links without understanding the consequences.
One, he recalls, has a radical approach to dealing with the problem. After the first instance, you go to awareness training. Following the second occurrence, you speak to your manager.
“And the third time you do it, no email for months,” says Mistry. “If you can keep your user training and user awareness up to date, a lot of your training is done for you.”
The importance of awareness training is especially evident in light of the ubiquity of technology.
“There’s always a cyber element [to a crime],” says Helps of Thurrock Council. “Everyone has access to the internet nowadays.”
“Cyber is the most likely crime to happen,” adds NCA’s Hulett. “Broadly speaking, 50% of all recorded crime in the UK has a cyber element.”
Hulett adds that people tend to underestimate potential threats from the inside. “If your company employs 1,000 people and you say that 90% of those people aren’t a threat, that still leaves 100 people you should be concerned with,” he says. “One of the hardest things for us to track are things like the unauthorised use of a credential.”
The good news is that central government is paying attention. Panellists agree that the 2016 National Cyber Security Strategy and the creation of the National Cyber Security Centre were significant steps in the right direction.
Asked whether central government fully understands the importance of cybersecurity, Trend Micro’s Mistry says “absolutely”.
“More and more people [in central government] are recognising that if you see a pattern you need to share it, first at a peer-to-peer level and then get it out to the wider public.”
“It’s good that there’s a focal point [with the NCSC],” adds LGA’s Coughlan. “It’s good having that resource, having people who are public facing, and having people who are working with us.”
Coughlan, whose organisation represents all 353 English councils, says central government has developed free tools like Web Check, a vulnerability scanning service, that her association frequently uses.
“It’s a great resource to have,” she says.
Changing the mindset
In their closing remarks, the panellists were asked to offer one thing that organisations can do to better protect themselves from a cyberthreat.
“Get local authorities in the mindset that there’s not a one-size-fits-all solution,” says Thurrock’s Helps. “It’s changing the mindset that you can’t just buy an off-the-shelf product and say you’re now protected.”
Coughlan says that apart from getting everyone to take cybersecurity seriously and build awareness, suppliers need to think more about building cybersecurity into their products.
“At the risk of me trashing an entire community, I think the phrase I’d use is ‘cyber resilience,’” says NCA’s Hulett. “However big you are, it’s going to happen to you at some point. Let’s concentrate on minimising the impact as much as possible.”
“In my view, it’s about making security a part of everyone’s role and having a security champion in all departments,” says Trend Micro’s Mistry. “You need to build security across the organisation, have a champion in each department, and raise awareness.”