The UK Government has just launched its first Cyber Security Strategy. The main goals are to significantly harden the government's critical functions against cyberattacks by 2025 and to improve public sector organisations' cyber resilience to known vulnerabilities and attack methods by 2030.
Unfortunately, approximately 40% of the 777 incidents managed by the NCSC between September 2020 and August 2021 affected the public sector, making it a primary target for malicious actors. The strategy highlights the cyberattacks that hit Redcar & Cleveland and Hackney Councils, but there have been many more examples over the last year with a devastating impact on critical public sector organisations and services. So the threat is real, and the threat is now. This is why it is fantastic to see a central strategy to protect the UK public sector.
The strategy will be underpinned by the CAF (Cyber Assurance Framework), which is linked to NIST. The framework assesses how well organisations manage cyber risk. The CAF can be applied either by the responsible organisation as a self-assessment or by an independent external entity.
Two pillars form the basis of the strategy:
1: Build a strong foundation for organisational cyber resilience
2: Defend as one via a newly formed Government Cyber Coordination Centre
Five objectives underpin the two strategy pillars.
- Manage cyber security risk
- Protect against cyber attacks
- Detect cyber security events
- Minimise the impact of cyber security incidents
- Develop the right cyber security skills, knowledge and culture
The cyber threat landscape is constantly changing. Ransomware, phishing, data protection, AI, the human threat: the cyber world evolves rapidly. Therefore, our approach to cyber security needs to adjust accordingly and frequently.
The public sector needs full visibility of the threat landscape. It needs to be able to see and remediate vulnerabilities, monitor systems 24/7/365 to detect security events, and keep essential services and infrastructure operating. Access to information and event data is also a key component: when an event happens, it is critical to have the data available to investigate and remediate promptly. Chess advocates a layered security strategy known as Defence in Depth to achieve all this.
The first challenge the public sector will meet is always budget. The UK Government has committed to increasing the funding to tackle cyber security. However, public sector organisations will need to work with trusted third-party advisors to gain value for money in the defence against cybercrime. Security collaboration is critical, so choose solutions and systems that work well together.
Given that cyber incidents are the 3rd biggest business risk for 2021* (last year's top risk) and that the average cost of remediating a ransomware attack now stands at $1.85 Million**, prevention must be better than the cure!
The second challenge will be resource and knowledge. In order to monitor and secure systems and data, the public sector will need to deploy a threat hunting capability to ensure 24/7/365 protection. While AI will be key, the human factor will remain vital to boosting cyber resilience. Managed service providers will likely support the in-house teams, reducing overheads and addressing the skills gaps.
Thirdly, I see adoption and change management as a tremendous factor, as well as sharing experience across the entire public sector to truly defend as one. Again, the human element is key: cyber training, adopting new policies, and ensuring correct procedures are in place will reduce cyber risk. Collaboration on best practices and technology will be a big success criterion to ensure the strategy meets its full potential.
Events will happen, but preparation is key to success. Organisations may have the technology, services and support to monitor and protect their data and operations. However, they also need to test those technologies and services, so they are ready to respond in the event of a real-world incident. Penetration testing and red team exercises are vital to dealing with the cyber threats to the public sector, learning the lessons and strengthening the defences. You should also consider preparing a Disaster Recovery plan, which our consultants can advise you on.
The Government Cyber Security Strategy is a positive first step towards protecting the valuable services the public sector delivers. It's great to see a joint approach to fighting malicious actors.
We are proud to serve the public sector, with customers across the NHS, Government, Blue Light, Housing and Education. As the Sophos Public Sector Partner of the Year 10 years in a row, one of the most accredited Microsoft partners in the UK, and with a team of more than ten CREST and CHECK certified penetration testers, our security team will continue to support you on your cyber journey. So please reach out and have a conversation with us to see how we can help you protect your data.
We offer free security consultations with our CREST-certified penetration test experts. Book yours today to ask any security questions you may have about delivering The Government Cyber Security Strategy.