The pandemic has shifted the perimeters of public sector networks and created new demands for resilience, writes Emma Velle, cybersecurity specialist for NHS and local government at Cisco
As the digital landscape for the public sector has shifted during the Covid-19 pandemic, so has that for cyber security.
Organisations have achieved a major shift to remote working and stepped up their use of cloud services, and while this has produced operational benefits in the face of the crisis it has also stretched the cyber capabilities of most and made many more vulnerable to attack.
Some of the key factors have become more visible over the past year of the pandemic, along with the need for a firm knowledge of where an organisation's data is located and what it is used for, as the foundation of any response.
This follows from the way the rise of remote working and the use of cloud have increased the lateral movement of data, and therefore the connectivity between digital systems, inside organisations. This has increased the number of potential points of vulnerability, especially where the spread of home working has involved many people using their own devices.
Defence in segmentation
One result of this has been a widespread recognition that it is no longer enough simply to ensure that everything sits behind a firewall. Defending effectively against attack requires the segmentation of systems, so that if one or more show signs of suspicious activity they can be quickly sealed off to protect the rest of the network. This requires a strong grasp of what data resides where, who has access to it and why, backed by a clear policy for changing the controls in an emergency.
It also requires proper security controls for the exchange of data and for access to cloud systems. While the hyperscale cloud providers have made big advances in security, an organisation remains responsible for its own data and needs to have localised security controls in place to protect it.
This is accompanied by the need to guard against intrusions from outside, which often come through phishing attacks and the use of compromised credentials. A key element of defence is to have privileged access controls in place for systems, reducing the number of possible intrusion points, and there is growing momentum behind the creation of 'zero trust' policies, which demand strong verification for any kind of access. This reduces the risks but places extra demands on identity and device management, and needs to be continually updated as people and processes change.
Dealing with both elements has become more complex, with remote working and the move to cloud greatly increasing the number of touchpoints between data, services and applications, and with the continuing dependence on legacy systems in many organisations. Some of these have been in place for 10-20 years, having been designed at a time when the demands of cyber security were different, and their integration within crucial processes makes the segmentation more difficult.
Again, knowing the data is a first step towards dealing with this, and some organisations have found that their work on data protection – often from audits to comply with the General Data Protection Regulation – has helped to build information asset registers and provided valuable insights for their cyber policies. It can also be valuable in the event of a breach, helping an organisation to identify data that could have been affected and begin to assess its steps for recovery and future protection.
There are other important steps. One is to ensure that penetration testing is carried out by people from outside the organisation, who can approach it from a different perspective, unaffected by any internal assumptions about levels of security or ways into the network.
Another is to draw on the services of peer networks such as the warning, advice and reporting points (WARPs) to share information on threats and vulnerabilities identified through monitoring activity. Many local authorities have testified to their effectiveness, and they have received support from the National Cyber Security Centre and the Ministry of Housing, Communities and Local Government.
Three key steps
Three measures can make things more difficult for cyber attackers. The first is the use of multi-factor authentication for access to systems, a process that has traditionally been awkward but has improved greatly and now works smoothly in most cases.
The second is to ensure that systems administrators remain focused on the cyber threats, ready to spot and report any signs of suspicious activity. The third is to patch any known vulnerabilities quickly, taking advantage of tools that deploy fixes at scale.
Underlying it all is the importance of knowing your organisation's data. This makes it easier to manage segmentation effectively and to assign policy to your digital environment in an appropriate manner. In turn, this makes it possible to manage the risks around the lateral spread of any intrusion and to apply zero trust to connections from outside the network.
It is about getting the basics right. The pandemic has contributed to breaking down the traditional perimeter, and it needs a dynamic approach to maintaining security in the more widely dispersed IT environment. This is going to be a big part of future digital transformation in the public sector.
Emma Velle is speaking at UKAuthority's Resilience and Cyber4Good event, which takes place online from Wednesday, 15 to Friday, 17 September (11:00-12:30). More information, including registration, is available from UKAuthority.