Is the UK Public Sector still too open to Cybersecurity danger?

Security giant Sophos has just published the results of an in-depth probe into the state of IT security awareness across the UK public sector. We decided to find out more.

Posted 25 November 2019 by Gary Flood

NHS staff could be failing to keep their data secure because they are uneducated about the value of that data and are putting patients at risk, IT security leader Sophos claimed last week.

Headline findings included that the majority (55%) of the public sector IT leaders contacted believe their organisation’s digital data is less valuable than that of the private sector, despite the fact that they handle highly sensitive, confidential, personal, and government information – and that 76% of senior IT leaders said their organisation had been affected by a ransomware incident over the past year, yet only 16% of frontline IT practitioners in the same bodies were aware of such incidents.

Its source: a research probe conducted among more than 780 UK public sector IT professionals who work primarily in the NHS, education, or central or local government, with interviews conducted online by Sapio Research in September 2019. We sat down with the company’s UK Director of Public Sector Relations, Jonathan Lee, to discuss the findings.

What’s your role and responsibility at Sophos then, Mr Lee?

I’ve spent the majority of my time at the company working with the public sector in various guises, working with everything from the NHS to local and central government and education. The public sector is a very big area for Sophos, and I’m glad to say it’s always been an area we’ve been very strong in: at the moment we’ve got over 1200 public sector customers, as well as 14,000 schools. We’re also on 80% of the machines within the NHS.

Thanks. What are the main messages for you coming out of this research exercise?

I think the real standout result was the big chasm in perception of security issues between people managing security on a day-to-day basis and the people at the board level, the CIOs and the CSOs in the sector. We need to think about what can be done about plugging that gap, or what investments may need to be made, or what should be done in terms of buy-in.

That wasn’t the only thing. I’m also concerned about the fact that there aren’t enough people out there equipped with the depth of knowledge to secure these organisations, either. I appreciate the security skills gap is a well-known problem, and there’s a common understanding that we need to be doing more to train more people, but I think we need to look at what’s holding all that back.

That is surprising, given it’s 2019 and all indicators suggest IT security is a really solid, rewarding career?

No, I’m not quite sure what’s holding people back. But I do know there are initiatives that we are going to try and support, to try and build a pipeline of talent to come through the education system. We’re tracking what The National Cybersecurity Centre is attempting, for example; I know they’ve got various initiatives going into schools looking to foster that, which is also about getting more women interested, too.

We definitely support that; too many IT security roles have been too male-dominated. But yes, cybersecurity is in the news very often, it’s obviously very crucial, so the disconnect between people’s perceptions and reality here is a big subject for the whole IT industry.

Does your research give us any perspective on things like if WannaCry could happen again?

WannaCry wasn’t targeted at the NHS – it was just caught in the crossfire, but it was an issue right across the public sector, actually, not just in the NHS. But nonetheless, it’s incumbent on all organisations, public sector or not, to make sure they’re following best practice, using the products that they’ve got effectively and properly. With the pace that cybercriminals are innovating, and the fact that they’re targeting individual organisations now, you really need to be prepared and have the right tools in place.

So I think WannaCry was a wake-up call. But it’s a matter of when, not if, as to whether there’s another sort of major outbreak at some point.

But I also think looking for that major outbreak is to slightly misunderstand the reality of the current threat scenario. We’re still seeing 400,000 unique new pieces of malware a day in our labs, a million suspicious URLs a day, 3 million spam messages, and targeted attacks where ransomware might be aimed at a particular organisation. That could be a disaster for their ability to treat patients, serve citizens and educate students. We need to make sure that users understand what they can do to help themselves be protected, like being aware of phishing attacks.

What would that look like on a practical basis?

Lots of ways. You really should look at simulating phishing attacks on a regular basis to make sure that staff can spot those, for example.

I think we just need to make sure we don’t take our eye off the ball in our sector. It’s very easy to forget; WannaCry was a couple of years ago. And if cyber threats are more targeted at individual organisations, and don’t get felt as pain across the public sector as a whole, we really do need to make sure we continue to look at things such as best practice, you know, and building security awareness: think defence in depth.

OK, can you maybe sum up what the takeaway of this interesting exercise is for our readers, please?

Like I said, I think it is all around that chasm in perception about security issues between different roles in too many UK public sector organisations.

To combat that, we need better communication between different levels of the organisation, and we need to make sure that these organisations are doing everything they can.

Very important message, and we really appreciate you taking the time today – thanks, Mr Lee.