Editorial

Visibility and control: a three-point plan to enhance central government cybersecurity

Ollie Sheridan, security engineer at Gigamon, looks at how the gap between legacy technology and cloud is creating serious cybersecurity issues in government.

Posted 16 August 2022 by Christine Horton


More than 3.5 million people work across the UK’s central government sector, making it one of the country’s biggest employers. Many of them access highly sensitive information and run systems responsible for the delivery of vital public services across the country. That makes government organisations an attractive target for both financially motivated cybercriminals and state actors. As the government’s own Cyber Security Strategy document recognises, “there remains a significant gap between where government cyber-resilience is now and where it needs to be”.

Filling that gap amidst spiralling attacks and an increasing reliance on digital technologies will be the challenge of our times for government CISOs. But by focusing on achieving holistic visibility and gaining actionable insights from the core network to the cloud, security leaders can leverage the threat intelligence they need to respond rapidly to emerging threats and amplify existing tools and investments.

Government under fire

According to one estimate, the public sector suffered one of the highest numbers of security incidents of any vertical last year, a fifth (21 percent) of the total. Another report recently revealed that UK government employees were bombarded with nearly three billion malicious emails in 2021, and may have clicked through on tens of thousands. Data theft and ransomware are key risks. The aforementioned government report warns of disruption to essential public services, citing both the “sheer volume of cyber-attacks that the government sector experiences” and the “evolving capabilities and techniques” of those conducting them.

Their success rates have spiked during the pandemic thanks to the new security gaps created by mass home working. Users are more prone to engage in risky behaviour, while their endpoints and home networks may be less well secured than office equivalents. Sometimes crucial patches are missing, or take longer to apply, lengthening the window of opportunity for threat actors.

Attacks on government networks have also been aided by unpatched VPNs and misconfigurations, while employees are often unaware of the risk they pose to their organisations by clicking a malicious link. In fact, the latest Gigamon research found that phishing, malware and cloud misconfigurations were the top three access vectors for ransomware attacks in recent months.

Against this backdrop, government CISOs must also contend with siloed systems, complex legacy/digital hybrid environments and limited resources. The challenge is that digital transformation is essential to driving the cost efficiencies and improvements to public services that the government needs. But at the same time, if security isn’t baked into projects from the start, they can unwittingly broaden the public sector’s cyber-attack surface. With government data breach costs surging by nearly 79 percent year-on-year in 2021, it’s a critical concern.

Three steps to success

Cybersecurity is a complex, multi-faceted discipline with no silver bullet solutions. But three areas are ripe for an overhaul and could provide government organisations with some quick wins.

First, reduce the level of inherent trust granted to employees. Usernames and passwords are simply too easy for threat actors to steal; some estimates claim as many as 24 billion credential pairs are circulating on the dark web. Attackers can also phish users with relative ease, and unpatched home working endpoints provide another useful access point to government networks. Rolling out multi-factor authentication (MFA) as part of a Zero Trust (ZT) approach enables government CISOs to mitigate these risks by trusting users only after verification. This doesn’t end at the point of access; for Zero Trust to work properly, organisations must also segment and continually monitor their networks to detect lateral movement and resolve breaches. Deep Observability – the addition of real-time network-level intelligence to amplify the power of metric, event, log and trace-based (MELT) monitoring and observability tools – is critical here. Only with a clear view across all data in motion can IT teams understand which users and devices are safe to access the network, and authorise them accordingly.

Second, government organisations must enhance visibility into east-west traffic (i.e., data packets flowing between servers or applications within a hybrid cloud infrastructure). Endpoint detection and response (EDR) tools are good at what they do, but they don’t provide the deep observability that intelligent network-layer analysis offers. Too often, agents are missing from some endpoints – especially connected devices and legacy systems – while rapid-fire alerting can threaten to submerge stretched SecOps teams in a flood of false positives. Threat actors can also craft attacks specifically to bypass endpoint detection.

Third, attackers are increasingly using SSL/TLS encryption as a tool to keep malicious activity hidden. Over 90 percent of malware was hidden in encrypted tunnels in Q2 2021, it’s claimed. That’s why government organisations need tools that not only provide network-layer intelligence, but can also gain sight of encrypted traffic with minimal latency or impact on end-user security and privacy.

With this kind of Deep Observability Pipeline in place, government CISOs have a great opportunity to detect security events before they become incidents, and in the process, help build a more cyber-resilient public sector.

Ollie Sheridan is security engineer at Gigamon.
