Malware attacks and general hacking attacks are increasing, both in frequency and virulence as the Public Sector and commercial companies move online, thereby potentially exposing customer data. Data has been described as the “New Oil” by some pundits, looking at the money to be gained from normal commercial applications and the theft and misuse of it. The Public Sector in general, is not immune.
As Government moves steadily towards an E-Gov environment, the amount of data held about individuals is growing. Add to that, the public sector IT budget for Online Security is inadequate in most cases, and you have a soft target for hackers.
Recently, hacking has moved from just digital methods. The US Military developed Stuxnet, an exploit that sabotaged uranium enrichment centrifuges in Iran by causing their controlling computers to physically damage and destroy them.
Why Target Public Sector Systems?
Like everyone, hackers are looking for a positive return on their investment. Public sector organisations are a soft target for several reasons:
- They hold enormous amounts of sensitive information, both personal and commercial;
- There are many potential attack points. They have interfaces to many internal and external sources of information;
- In general, they are under-resourced, both in systems and people. IT Budgets are under strain, and they cannot provide a full range of detection, prevention and recovery options;
- External contractors and suppliers. Relying on them exposes Public Sector systems to another range of potential attack vectors. Some studies declare that they are the leading cause of cyber-attacks.
In general, and this is not always the case, because of resource constraints public sector systems are poorly maintained and inadequately monitored. Whether it is for financial gain or to destabilise an economy, public sector systems are a soft target for skilled hackers.
Public Sector Challenges
A study by the US Office of Management and Budget found that nearly 70 out of the 96 agencies they studied were at a high risk of hacking. In general, there were poor understanding of cyber threats coupled with non-standard IT systems. In addition, poor network administration and monitoring, and no clear accountability for risk management is present.
What can the Public Sector Do?
Assuming that the budget challenges are not easily resolved, there are still several steps that the Public Sector can take:
- Keep systems up to dateIt is essential to implement patches and systems upgrades, particularly those relating to malware defences. New malware attacks can bypass outdated controls.
- Reduce the use of third parties wherever possible. Bring services in-house. Third parties can either deliberately or accidentally release details of access keys to Government networks. At the very least, they provide another attack surface into Government systems.
- Cancel employee systems access credentials as soon as they resign.One area that is often overlooked is removing employees access credentials when they resign, particularly IT staff members. There have been many cases where an unhappy former employee sells their access credentials to a hacker.
- AwarenessThe head of the security team and the IT head need to be fully aware of the current and potential Online Security threats that they could face. New threats are continually arising. Staff need training and education to be able to monitor and manage the network.
- Use sophisticated security and network monitoring tools.The key area here is Online Security systems that manage third party access to the Government network. Some tools control and manage third-party remote access, in particular, to manage access itself, and thereafter the scope of systems that each user has access to.
While it is beyond the scope of this document to discuss in detail the threats to Public Sector and the counter-measures that could be adopted, there are cost-effective steps that can be taken to secure systems.