Editorial

Why cybersecurity is a wake-up call for our police forces

Dominic Trott, director of strategy and alliances at Orange Cyberdefense, argues that a succession of data breaches within the police force indicates a wider cultural issue around the cyber-risk they face, and suggests protections that can help mitigate such breaches.

Posted 9 April 2024 by Christine Horton


The first quarter of a new year is typically a time for personal and professional recollection, a chance to consider the highs and lows of the past 12 months, as well as setting your mind on resolutions to enhance your well-being.

For business leaders across multiple sectors, a common resolution of the past few years has been a greater focus on security. Whether or not your firm has fallen foul of a major hack or data breach, the regularity of media reports of the widespread consequences of such security lapses has heightened the need for the topic to sit high on the list of C-suite priorities.  

2023 was another year in which reports of security breaches were seemingly a daily occurrence. High-profile UK organisations including the Electoral Commission, the British Library and Royal Mail were targeted by adversaries intent on causing chaos.

It was also a period in which several UK police forces hit the headlines for the wrong reasons. In September, it was reported that Greater Manchester Police (GMP) had been targeted following a hack on a firm making its ID cards. Around 12,000 police officers and civilian staff at the force were informed of the incident, and one senior officer said that the impacted information involved “some officers’ names and in some cases photo identification.”

Several other police forces were also involved in data breaches this year, including Norfolk and Suffolk Police, which both admitted that they had mishandled the sensitive data of victims, witnesses and suspects while responding to freedom of information (FOI) requests. The Information Commissioner’s Office said both forces had been placed under formal investigation, which could result in them facing fines.

The Police Service of Northern Ireland (PSNI) endured similar public embarrassment in August when the surnames and initials of all the PSNI’s 9,500 staff were released by mistake. As with the incidents involving the Norfolk and Suffolk forces, the data was leaked in error following an FOI request. An independent review of the incident warned that the leak was “a wake-up call for every force across the UK to take the security of data as seriously as possible.”

The growing threat

In recent years there has been a vast increase in reports of ransomware – or ‘Cyber Extortion’ (Cy-X) – attacks. These are a type of malicious activity where threat actors attempt to extort money from organisations, typically by gaining unauthorised access to sensitive data or networks and then demanding a ransom. According to our Security Navigator 2024, the past 12 months saw the number of Cy-X victims globally increase by 46 percent, marking the highest number ever recorded. In the public administration industry, there were 22 percent more Cy-X victims last year than the year before.

In the GMP case previously outlined, the force said that the incident had resulted from a ransomware attack on the third-party supplier. Common forms of Cy-X include ransomware attacks and distributed denial of service (DDoS) attacks with ransom demands. While such incidents can have serious consequences for all types of organisations, the threat to those classed as being critical to national infrastructure is of particular concern.

A recent report from a joint committee on the national security strategy warned that the UK could face a crippling cyberattack on its critical national infrastructure (CNI) at any moment, stating that the government was failing to invest sufficiently to prevent large-scale attacks. The National Cyber Security Centre (NCSC) describes CNI as national assets that are essential for the functioning of society, including energy supply, water supply, transportation, health, and telecommunications. While emergency services, including the police, are not officially classified as CNI, the threat facing these organisations is undoubtedly growing.

Prepare your defences

Police forces must take proactive measures to safeguard themselves and prepare for potential threats, all while minimising the likelihood of internal errors, which can lead to data breaches. A proven strategy for cyber defence involves utilising comprehensive security tools and establishing protocols to maintain operational resilience and normal business functions in the event of an attack.

Crucially, the defence-in-depth approach leverages advanced security technology across all IT systems, but its effectiveness relies on additional investments in personnel and processes for continuous cyber resilience. By integrating the strengths of ‘people, process, and technology,’ police forces can fortify their security measures, creating a multi-layered defence and establishing a safety net in case one component fails.

In practical terms, this entails conducting awareness campaigns for employees handling sensitive data, implementing procedural updates to ensure adherence to security protocols, and deploying technology for early identification and defence against potential risks. By following these simple rules, those charged with enhancing the resilience of our police forces can maximise their hopes of a peaceful year.

At a time of elevated operating costs due to inflation and low GDP growth, it is important to make sure that the costs of not making the required security investments are fully understood, not just the costs required to make those changes. This is particularly important within the public sector, where budgets tend to be even more pressured.

To demonstrate the value that investing in security will generate for decision-makers, and ultimately for the taxpayer in the case of police forces, a broad view of value must be taken. While there is, of course, a financial cost to allocating more resources to security, this blow can be softened by security leaders adequately demonstrating ways in which risk is being mitigated or spending can be reduced on other budgets, for example.

By taking this kind of business outcomes-led approach to security decision-making, police force leaders will be able to open a discussion with board-level decision-makers as to why security investment is important, beyond pure security metrics or monetary costs. If they can achieve this, and the board still decides not to approve the investment in security, then the board must ‘own’ the fact that their risk appetite led them to believe that the level of risk exposure was not worth the monetary cost. But, before police force security leaders can put themselves in a position where they can feasibly have this discussion with business leaders, they must first be able to quantify security risk. Only then can they communicate this in terms that are meaningful for the board.

Experts will be tackling the challenge of cybersecurity in the public sector at Think Digital Identity and Cybersecurity for Government on June 11. Register to attend now.
