Editorial

Why public sector organisations should adopt a zero-compromise approach

Steph Charbonneau, senior director of product strategy at HelpSystems on why the public sector is vulnerable to cyberattack, and what organisations can do to protect themselves

Posted 22 April 2021 by

No organisation is immune from the risk of supply chain cyberattacks and data breaches, but those with especially large and complex supplier ecosystems are much more vulnerable. This is particularly true of public sector organisations, and even more so in the light of the challenges they have faced during the last 12 months as a result of the pandemic.

As society has adjusted to the ongoing COVID-19 environment, public sector entities have had no option but to provide the majority of their services online. Whether it is local government, social services, law enforcement or emergency services, organisations across all disciplines that depended on in-person processes have been forced to pivot to digital alternatives at an uncomfortable speed.  

In the space of a year society has transformed beyond recognition, and digital-first is now an imperative. However, public sector organisations not only handle a wealth of sensitive personally identifiable information (PII), which makes them a target, but also typically have large, complex supplier ecosystems. The rush to deliver online services that have traditionally relied on human interaction has left a window of opportunity for hackers.

Increased threat caused by an expanded attack surface

The extended attack surface created by the new remote workforce is also creating opportunities for cybercriminals. Although the public sector has made great advances in cybersecurity over the past four or five years, in May 2020 we undertook research with public sector cybersecurity workers and the findings from this were concerning.

In general, we found a widespread lack of awareness around cybersecurity, with almost half of respondents either not having heard of ransomware or not knowing what it is. Outdated operating systems are a common point of entry for cybercriminals, and our research found that 11 percent of public sector employees were still using Windows 7, which has not been supported by Microsoft since January 2020.

This all makes very clear the requirement for training and best practice guidance for public sector employees, especially when dealing with the extended ecosystem of suppliers and parties that are deemed a trusted source. If an employee can at least recognise a malicious email, they will be far less likely to click on a link or open a file or image containing ransomware. This is particularly important in the current work environment, as a distributed workforce lacks the usual corporate cybersecurity defences and is perhaps even more vulnerable when juggling work with home-schooling and other distractions.

The move to Microsoft 365

Additionally, COVID-19 has accelerated the trend to digitisation, and one digital transformation trend particularly common in public sector organisations is the move to Microsoft 365. The effectiveness of this collaboration suite is undeniable, with many public sector organisations benefitting from its cloud-based capabilities. But in the rush for cost-effective deployments, are organisations missing out on vital security for emails, for example, because the licensing level they have bought into does not provide adequate protection for sensitive data or against cyberattacks?

To avoid the risk of a data breach, public sector organisations need to fully secure their business communication channels, ensuring that sensitive information is only shared between authorised parties and that malware is detected in messages, documents, or image-based files. And while Microsoft 365 offers various levels of email security, it does not deliver the deep content inspection required to automatically detect and remove sensitive information (such as PII or payment card information), especially within screenshots or scanned documents. Even with sandboxing, protection against ransomware is limited, because malware designed to evade these systems can be hidden within documents or image-based files.
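To make the "deep content inspection" point concrete, here is an added illustration (not HelpSystems code, and not the product described in this article) of what such a check does on a text message body: it looks for payment card numbers, UK National Insurance numbers and e-mail addresses, validates candidate card numbers with the Luhn checksum so that arbitrary digit runs are not flagged, and returns a policy verdict together with a redacted copy of the body. The sample message, the three patterns and the verdict policy are all constructed for the example; a real gateway would also run OCR over screenshots and scanned attachments before applying the same scan.

```python
"""Added example: DLP-style content inspection of a message body.

Not HelpSystems code. The sample message, the detection patterns and the
BLOCK / QUARANTINE / ALLOW policy are constructed for illustration only.
"""
import re
from dataclasses import dataclass

# Constructed sample message: the card number is a well-known Luhn-valid
# test value, the second digit run is deliberately Luhn-invalid, and the
# NI number is a dummy in the documented format.
SAMPLE_EMAIL = """From: accounts@supplier.example
To: finance@council.example
Subject: Invoice 2231

Please process payment to card 4111 1111 1111 1111 as discussed.
Order ref 1234 5678 9012 3456 is NOT a card (fails Luhn check).
Contact: j.smith@supplier.example, NI number QQ 12 34 56 C
"""


@dataclass
class Finding:
    kind: str    # PAN, NI_NUMBER or EMAIL
    start: int   # offset of the match within the body
    end: int
    value: str


# Candidate card numbers: 13-19 digits, optionally separated by spaces or hyphens.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# Simplified UK National Insurance number shape (constructed, not an authoritative rule).
NI_RE = re.compile(r"\b[A-Z]{2} ?\d{2} ?\d{2} ?\d{2} ?[A-D]\b")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum: doubles every second digit from the right, sums digits mod 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def message_body(raw: str) -> str:
    """Headers and body are separated by the first blank line (RFC 5322 layout)."""
    parts = raw.split("\n\n", 1)
    return parts[1] if len(parts) == 2 else raw


def find_sensitive(body: str) -> list[Finding]:
    """Return all findings in the body, ordered by position."""
    findings = []
    for m in CARD_RE.finditer(body):
        digits = re.sub(r"\D", "", m.group())
        # Only report digit runs that pass Luhn; this drops order refs and phone numbers.
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            findings.append(Finding("PAN", m.start(), m.end(), m.group()))
    for m in NI_RE.finditer(body):
        findings.append(Finding("NI_NUMBER", m.start(), m.end(), m.group()))
    for m in EMAIL_RE.finditer(body):
        findings.append(Finding("EMAIL", m.start(), m.end(), m.group()))
    return sorted(findings, key=lambda f: f.start)


def redact(body: str, findings: list[Finding]) -> str:
    """Replace each finding with a labelled placeholder, preserving the rest of the text."""
    out, pos = [], 0
    for f in findings:
        out.append(body[pos:f.start])
        out.append(f"[{f.kind} REDACTED]")
        pos = f.end
    out.append(body[pos:])
    return "".join(out)


def inspect(raw: str) -> tuple[str, list[Finding], str]:
    """Apply a constructed policy: card data blocks the message, other PII quarantines it."""
    body = message_body(raw)
    findings = find_sensitive(body)
    kinds = {f.kind for f in findings}
    if "PAN" in kinds:
        verdict = "BLOCK"
    elif kinds:
        verdict = "QUARANTINE"
    else:
        verdict = "ALLOW"
    return verdict, findings, redact(body, findings)


if __name__ == "__main__":
    verdict, findings, redacted = inspect(SAMPLE_EMAIL)
    print("verdict:", verdict)
    for f in findings:
        print(f"  {f.kind:10} at {f.start}-{f.end}: {f.value}")
    print(redacted)
```

The Luhn step is the part worth copying: a bare digit-run pattern fires on invoice numbers, phone numbers and order references, and the resulting false positives are what lead administrators to switch such rules off. Validating the checksum before reporting keeps the rule quiet enough to leave on.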

It is all too easy to see an email from a trusted supplier or partner and assume that it is safe to open; therefore, only a zero-compromise approach will provide the level of protection needed in today's multi-vector environment.

How to neutralise supply chain threats 

Public sector organisations need layered security defences to neutralise any threats coming from a supplier. It is essential that organisations are adequately protected from incoming malware, embedded Advanced Persistent Threats, or any other threat that could pose a risk to the business. At HelpSystems, we offer a Secure Email Gateway which works in conjunction with Microsoft 365, giving public sector organisations the missing element required for a robust, comprehensive security posture, one that takes into consideration the threat posed by the extended supplier ecosystem.

Data classification tools are also critical to ensure that sensitive data is appropriately treated, stored, and disposed of during its lifetime in accordance with its importance to the organisation. Appropriate classification, applying visual labelling and metadata to emails and documents, protects the organisation from the risk of sensitive data being exposed to unauthorised organisations further down the supply chain.

Likewise, data that is not properly encrypted in transit is at risk of compromise, so public sector organisations should use a secure and compliant mechanism for transferring data within the supply chain. Here Managed File Transfer (MFT) software can facilitate the automated sharing of data with suppliers and provide a central platform for information exchanges and other file transfer protections.

An unprecedented year

At the start of this year, the IT Governance blog reported 134 security incidents for December, which accounted for more than 148 million breached records. According to IT Governance, this brings the total for 2020 to more than 20 billion breached data records, and unfortunately public sector organisations were in the top three industries most commonly breached. In addition, last year we witnessed a record number of breaches via the supply chain, the most recent high-profile incident being the SolarWinds hack in December 2020.

Most of these breaches are not sophisticated attacks but are the result of either ransomware or internal human error; it is therefore imperative that public sector organisations have the right technologies, policies and training programmes in place.