By Ram Narayanan, Country Manager at Check Point Software Technologies Middle East
There’s nothing quite like a global pandemic with legally enforceable lockdowns to expose the public sector’s dependence on outdated digital infrastructure. While the devastating SolarWinds “sunburst” attack made headlines in 2020 for its impact on private corporations like Cisco, Microsoft and thousands of customer organizations, there’s a good chance much of it was collateral damage in pursuit of an increasingly lucrative target: the public sector. The SolarWinds cyberattack, which went undetected for months, also impacted NATO, the UK government, the European Parliament, and even the US Treasury – all public sector entities wielding great power and extremely sensitive data.
While the pace of transformation may vary from country to country, the public sector as a whole is gradually becoming more digitally mature. However, the wheels of government have a reputation for turning slowly. Many public-owned organizations are overstretched and under-resourced, particularly when it comes to matters of cybersecurity, and bad actors are taking note. Check Point’s 2021 Mid-Year Cyber Attack Trends Report highlights just how prevalent attacks on public sector organizations have become during the pandemic. Globally, government organizations are now one of the most popular targets for bad actors, second only to those in the education and research sectors. Of the 93% increase in global cyberattacks reported by Check Point from 2020-21, many of them are being orchestrated against public-owned entities, but why?
The public sector might serve up easier targets than the private sector due to outdated technology, poor funding, inadequate training or a combination of the three, but is it lucrative enough to attract cybercriminal organizations?
Data has value. It can therefore be extorted or sold on for profit. If a group of bad actors was to steal thousands of people’s credit card details by hacking into a private organization such as a bank or online retailer, they’d fetch around $20 per record if auctioned off on the dark web. If, however, the same group were to attack an NHS trust in the UK and steal individuals’ medical information, their potential profit would soar and net them more than $480 per record. And that’s not even taking into account the amount they could extort from the targeted trusts themselves. This isn’t helped by the fact that public sector organizations are often comprised of siloed data behemoths, so if a malicious actor is able to exploit a gap in their defenses, the “payouts” are often huge.
Unlike in the commercial world, public sector organizations aren’t profit-driven and can’t easily justify the increased IT spend as a mere preventative measure. A year after the infamous WannaCry attack in the UK, which held NHS computers to ransom, the government agreed a $207 million deal with Microsoft to equip all NHS computers with the latest Windows 10 operating system and ensure that all security settings were up to date. This is all well and good, but it took a catastrophic breach that put individuals’ medical records at risk to get budget approval. The public sector is, almost by definition, reactive instead of proactive when it comes to digital transformation. It’s there to serve, not to profit, and this leaves it vulnerable by default.
Part of that vulnerability is no doubt due to loss of control through third-party outsourcing. On the face of it, the cyber capabilities of the public sector and its employees are stronger than some of these incidents might suggest. To run with the UK as an example, the government’s own annual report says the public sector is actually surprisingly confident when it comes to performing advanced cyber security tasks. While a quarter of all businesses say they aren’t confident when it comes to penetration testing, for instance, more than 80% of public sector organizations are more than confident in their testing abilities. Similarly, 1 in 10 of all businesses say they lack confidence when it comes to user monitoring, but no public sector organizations report any such issue.
It’s only when we read further into the report, we start to see the real problems emerge. A quarter of public sector organizations have just one staff member responsible for cybersecurity and the percentage of public sector organizations outsourcing basic security functions such as firewalls, user privileges and backing up data, for instance, far outweighs that of the private sector. More than 95% of all public sector organizations outsource their firewall configurations to a third party; more than 80% rely exclusively on third parties when it comes to incident response and recovery; and almost half (48%) even outsource the control of internal user admin rights which, unless they have a very close relationship with their third-party IT partner, could have devastating security repercussions. So while the public sector might be confident in its cyber capabilities, that confidence might be ill-placed.
In case you haven’t spotted it, the common theme here is a lack of internal resources and control. The technology is available, but only if the public sector is willing to continue putting up with the ‘technology debt’ it’s accruing through its overdependence on outdated internal tech and external cybersecurity solutions.
With a threat landscape that’s currently outpacing many private organizations’ capabilities, governments need to start thinking very carefully about their cyber security budgets, how much of their security solutions are outsourced, and how they can increase their risk posture in 2021 and beyond without continuing to throw good money after bad. Some vital steps organizations could take include:
The implementation of integrated and in-depth protection that enables a public sector organization to detect and respond to multiple attack vectors simultaneously is crucial in 2021. They should choose an integrated solution that uses not only antivirus and IPS protections, but also anti-bot and firewall technology. Using real-time intelligence will also protect against zero-day exploits like the SolarWinds breach.
Public sector organizations are unique in that they often need to maximize security across borderless networks. To shed light on malicious activity, 360-degree visibility and the ability to continuously monitor IT real estate in real-time are absolutely crucial. We’re past the point where businesses can simply wait until an audit rolls around to expose any vulnerabilities; they need to be proactive with things like penetration testing and security configurations.
User endpoints have increased dramatically over the past decade, and it seems more devices are always being added into the mix. Public sector organizations must use integrated security that leverages single-protection architecture for mobile devices like smartphones, tablets and laptops.