Building a human layer of security within the public sector

In this Q&A, James McQuiggan, security awareness advocate for KnowBe4, explains why the public sector needs to create a culture of security awareness to tackle cyber threats, including behavioural and psychological elements.

Posted 11 January 2024 by Christine Horton


In your opinion, why do cybercriminals target the public sector so prominently?

Cybercriminals target the public sector for a variety of reasons. The first is the large amounts of sensitive data stored about people, employees, and organisations engaged with the public sector.

Secondly, cybersecurity investment and budgets need to increase in order to reduce the risk of an attack, rather than staying at the bare minimum or whatever is required to meet a compliance regulation. Addressing these challenges necessitates a multifaceted approach, focusing on technological investment, employee training, and inter-organisational collaboration to enhance security.

What are the main threats plaguing the industry?

Social engineering is the number one threat targeting the industry, followed by unpatched or misconfigured external-facing systems. The outcomes of these threats are data breaches, intellectual property loss, and ransomware attacks.

What do organisations within the public sector need to do to reduce the risk of attack?

Looking at this from a data-driven defence perspective, organisations need to address social engineering and all the other technology attacks targeting users. Organisations must frequently provide security awareness training to strengthen the security culture and reduce the risk of attacks. Along with training is the need for assessments to ensure users can spot phishing attacks and report them to the proper teams. Spending money on training and awareness to minimise cyberattacks has a quicker ROI than other technological products.

Do you see AI having an impact on the threats that the public sector will face?

AI is a broad area when presenting the different impacts. Cybercriminals will leverage any technology to target and attack any organisation. Whether that means using machine learning and automation to scan, launch attacks, and exploit networks, audio/video deepfakes for social engineering attacks, or polymorphic malware that changes its code on the fly depending on the environment, AI will continue to be a concern for organisations for the foreseeable future. Still, it is manageable: keep up with the technology, educate users, and have policies that address the use of third-party AI systems or having them as part of their services.

What role does creating a security awareness culture play in tackling these threats?

Creating a security awareness culture is essential in addressing the various cyberattack vectors. It empowers users within an organisation with the knowledge to recognise an attack and to keep cybersecurity top of mind in their daily activities. This culture shift involves educating employees about the importance of cybersecurity, the risks associated with their environment, and the behaviours expected to mitigate these risks. When users are aware and attentive, they become a critical line of defence, reducing the likelihood of successful cyberattacks. This proactive approach reinforces technical safeguards and fosters a mindset where security is a shared responsibility rooted in the organisation’s culture.

What behavioural and psychological elements must be considered to build a human layer of security within the public sector?

Per BJ Fogg, an expert in behaviour design, three things are needed for behaviour change: Motivation, Ability, and Prompt.

Building that human firewall, a crucial line of defence, requires focusing on the user’s motivation and ability toward cybersecurity. Cybersecurity leaders need to identify the prompt to enforce the training, which can help drive the change in behaviour.

In the case of phishing emails, users need the motivation to do what it takes to protect their organisation. When an email lands in their inbox, they have the ability, because they have been trained, to recognise the various phishing tactics it may contain and so identify a suspicious email. The prompt is that the email is addressed to their LinkedIn account, and they know full well that that account is connected to their personal email, not their work email. Therefore, they quickly become suspicious and recognise it’s a phishing attempt, not someone wanting to connect with them.

This approach fosters a culture where cybersecurity is not just a policy but a shared, profoundly ingrained value.