Who poked holes in the public sector?
CyberArk's John Hurst looks at the true cost of GDPR breaches
Almost two years after its initial introduction, media attention around GDPR is now largely focused on penalties incurred by private organisations such as Google, which received a £44m fine in January 2019, and Marriott, which was handed a £99.2m fine for a breach dating back to 2018. But public sector organisations have long been a prolific hunting round for hackers. Curiously enough, of all the ICO fines handed out since 2010, 54 percent have actually been levied against public sector bodies. In the UK alone, local councils accounted for 30 fines, with the NHS and Police charting second and third.
These bodies are supposed to be amongst our most trusted organisations, so these figures are of significant concern. Data breaches in the sector have originated from a wide variety of sources, with one resulting from a bizarre incident where Northern Ireland’s Department of Justice auctioned off a filing cabinet containing personal information about victims of a terrorist attack.
For the most part however, these fines are testament to the massive surge in the number of successful cyber attacks on the sector we’ve seen in recent years. In the last year alone the UK government was subjected to over 600 cyber attacks, according to figures from the National Cyber Security Centre (NCSC).
A notable recent attack on the sector saw Redcar and Cleveland Borough Council resort to offline modes of management for more than a week, having been targeted by a cyber-attack earlier this month while the current public health crisis is exacerbated by ransomware attacks on public and private health organisations. So what are the true costs of poor data security and governance in the public sector?
More than just a fine
GDPR-inflicted fines and the direct practical effects of a cyber attack, such as having to resort to offline functions, are not the only after-effects organisations should anticipate seeing. A successful cyber attack, like any infection, results in a plethora of negative outcomes that can affect an organisation.
Financial repercussions are the principal cause of concern, and not just limited to the high GDPR fine itself. Compensation must be paid to victims of the breach where appropriate, which can prove costly; some reports indicate that an individual can receive as much as £16,000 to cover the damage, and when thousands of accounts are compromised, those numbers quickly add up.
It’s also important to note the financial repercussions of investigating the incident. Investing in IT ‘auditors’ can be expensive, and certain situations may even call for a third party to come in and clear up the mess left behind by the attackers.
Regaining the trust of both the public and stakeholders can also be tricky once a breach has been reported in mainstream media. After all, if data is regularly being leaked and lost by law enforcement, citizens’ trust in governing bodies will erode and rightly so – the public cannot be expected to accept its loss. If rapidly evolving threats are left unchecked, and if data security and management are not critically recognised as a priority, GDPR fines will be the least of the public sector’s worries.
Now add one good measure of cybersecurity
An improved cyber security posture is absolutely essential in the context of these threats, but it can be hard to figure out where to start. As a rule, any proactive cyber strategy should always begin with regularly identifying and taking steps to protect an organisation’s most critical assets. Government entities, for example, hold and retain access to huge reams of personally identifiable information which requires stringent protection.
The conversation shouldn’t end there however. Attackers are always moving faster than defences, and inevitably hackers will find ways to circumvent defences and infiltrate company systems to get hold of valuable data.
That’s where Privileged Access Management (PAM) comes in. This technology can proactively audit the access and administrative privileges associated with both human and machine user accounts, and restrict access to key controls and data only to those who need it within an organisation.
In the event of a network breach, this allows security teams to automatically identify and isolate infected areas of a network, ensuring access to vital information and assets elsewhere remains safe, secure and uninterrupted. Compromised privileged credentials play a central role in almost every major targeted attack, so proactively managing them - and the privileges associated with them - is essential when it comes to protecting public sector systems against the ongoing tide of cyber attackers.
Let’s look at this in the context of a typical attack: Say the target information is held deep within the network, for example. An attacker will likely start by establishing a route into the network via an endpoint (end user device) of the organisation that they are aiming to breach. After gaining initial access and establishing persistence, the attacker will look to escalate privileges associated with this user’s account to gain access to another system that brings them one step closer to their target.
From there, the attacker can continue to move laterally until the target is reached, data is stolen, or operations are disrupted – even completely taken over. PAM helps prevent this eventuality by providing security on a user by user or application by application basis, where it’s needed most. In the face of an onslaught of cyber attacks, public sector entities need, more than ever, to establish a proactive, sustainable cybersecurity program.
Instead of being overwhelmed, using Privileged Access Management to ensure critical data and assets remain in the right hands is a step in the right direction, meaning the organisations that we go to in moments of need – the public sector institutions, to whom entrust our personal information – can remain reliable and trustworthy.
Minister promises documentation will be available via digital and non-digital routes
Government publishes advice for smaller firms and promises ‘sweeping’ rule changes to open up billions of pounds of public contracts
Union claims new system threatens 3,000 jobs
Contracts could run until 2025