Public sector organisations are working to defend themselves on an increasing number of fronts – external adversaries, internal forces, and even hidden threats in existing tools and supply chains. According to the Hiscox Cyber Readiness Report 2020, 34% of organisations within the Government and non-profit sectors reported one or more cyber attack in the last 12 months alone.

Some of these fronts are dynamic and can be unpredictable and difficult to prepare for, but are at least what are referred to as ‘known unknowns,’ and can be planned for. What really causes sleepless nights are when attackers open up a whole new front of digital warfare on a front – or fronts – that we didn’t even know existed. Recently, the National Cyber Security Centre (NCSC) identified a heightened cyber threat level across the UK health sector in relation to the pandemic, with cyber crime groups attempting to steal sensitive intelligence, intellectual property and personal information from pharmaceutical companies and medical research organisations.

Simultaneously, driven by both the rush to digitally transform and deliver the environmental changes that citizens increasingly demand, the public sector is being pushed to run faster, be more agile and operate as efficiently as possible. In recent news, Health secretary Matt Hancock announced that incorporating AI and Machine Learning will be a key priority for the NHS going forward. As a result, CIOs are constantly adopting new technologies to move data and workloads to the cloud, automate existing processes, and innovate to provide better customer experiences.

There is good news for the CIO, including their increasing ability to impact the success of these wider initiatives. But there is also bad news, as this proliferation of initiatives and the related technology that enables them also brings an increased vulnerability to attack. Some of these attacks will be predictable, but some less so.

Threats that are predictable are ones that we have always faced, or that we know will come during the course of planned transformation initiatives. They may on occasion be damaging, but they are a known risk, and an experienced CIO can plan for them.

Lessons From History: Unpredictable Attacks Are the Most Damaging

Threats that come from out of the blue are the ones that have the potential to cause deeper disruption. There are lessons from history that serve to illustrate what can happen when threats come from an unexpected direction. One marked example is the sack of Rome in A.D. 410. While the glory days of the Roman Empire were gone, Rome itself had survived invasion and siege for over 800 years.

While it was no secret that the Visigoths – our external attackers in this case – were seeking to hold the city to ransom in order to force the Romans to cede land and power to them, the city’s walls were strong. Compromises were made to allow supplies to citizens, and attempts at military reinforcements were made.

However, once it became apparent that Rome would never accede to the Visigoths’ demands, agents within the city – malicious insiders if you will – opened Rome’s Salarian Gate and 40,000 invaders marched into the city, razing much of it to the ground virtually unopposed. 

In the present day, two comparable recent events serve to demonstrate the potential severity of attacks on an undefended front.

The first was driven – and still is being driven – by the ongoing global health crisis. As organisations worldwide pivoted to remote working, CIOs suddenly had to cope with a hugely expanded and in some cases an entirely new set of vulnerabilities. Earlier this year, Clearswift surveyed public sector employees working from home during the pandemic and found that 77% of respondents have been given no instruction in how to recognize ransomware, while 16% have had no cybersecurity training whatsoever. Our own research also showed that the home workforce immediately adopted behaviours that could threaten the security of critical assets and data. These behaviours included, but were not limited to: password re-use; letting family members use corporate devices; using unmanaged, insecure bring-your-own-device (BYOD) products to access corporate systems.

The reason these behaviours create grave risks to organisational security is that they tightly align with the modus operandi of the majority of attackers. Every device that becomes vulnerable and every password that is re-used or saved in a browser becomes a target and amplifies the risk of a breach or malicious incident. The threat is even graver for the public sector, where cyber attackers can do colossal harm if they get access to confidential government data, records and controls. This is especially true when it comes to privileged credentials – these credentials should be considered the most important in any organisation because they provide elevated access and permissions to accounts, applications and infrastructure. Often attackers will target those used to undertake system administration - functions such as adding a new user to a domain, or using SSH to access a web server to update a file, that underpin the deployment or operation of specific systems – because they allow them to do the most damage.

The second is a more practical demonstration of just what attackers can do when they compromise privileged access. In the case of the attack on Twitter, employees with administrative access were targeted in a social engineering attack – designed to trick unsuspecting employees into making security mistakes, such as giving up passwords, clicking a malicious link and more. Once the attackers were able to steal and exploit this privileged access, they were able to access the internal controls used to manage accounts, ultimately taking control of high profile accounts like Barack Obama, Elon Musk and more. If cyber attackers get hold of a key UK government or public sector figure’s social media account, the damage that could be caused by one single tweet is considerable.

These situations both show why attackers covet privileged credentials – by exploiting them, they can elevate their level of access to move from an endpoint into networks, applications, cloud and more. This allows attackers to target and steal sensitive data while exponentially increasing potential damage.

The National Cyber Security Centre Recommends Prioritising Privileged Access Management

Put simply, cyber attacks cannot be stopped if privileged access is not secured. This means everywhere – in the cloud, on the endpoint, in applications, automated processes and throughout the DevOps pipeline. According to the latest guidance by the National Cyber Security Centre (NCSC), Privileged Access Management (PAM) is central to ensuring secure system administration, as it provides an additional set of security functions on top of traditional authentication.

According to the NCSC’s guidance, implementing PAM also increases the chance of a malicious insider getting caught. This helps prevent the insider thinking that they can get away with it and it provides auditing information that can be used for prosecution. This may be enough to dissuade a malicious insider from doing harm to your systems. 

Protecting privileged access should be on the mind of every CIO and indeed on that of the entire leadership team in the public sector, because regardless of the organisation’s size or location, privileged access is being targeted and used to facilitate devastating attacks. 

This is why privileged access management is firmly established as a top CIO priority, one that provides proactive controls that can provide peace of mind when battling in these dynamic environments, and preparing for whatever front – however unexpected – we must defend next.

To learn more about how privileged access management can help protect organisations’ most critical data, infrastructure and assets, download a complimentary copy of the Gartner 2020 Magic Quadrant for Privileged Access Management¹: https://www.cyberark.com/gartner-mq-pam/  

1. Gartner, Magic Quadrant for Privileged Access Management, Felix Gaehtgens, Abhyuday Data, Michael Kelley, 4 August 2020

Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organisation and should not be construed as statements of fact. Gartner disclaims all warranties, express or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.