In the firing line
The devastating cyberattack on pathology services provider Synnovis last June, which forced London hospitals to cancel operations, has just been blamed for a patient’s death. This tragic outcome reminds us that we have a collective responsibility to safeguard national IT assets.
Yet Think Digital recently reported that 60 percent of public sector IT leaders believe that it is “only a matter of time” before their systems are breached, with phishing and ransomware posing the biggest risks. Almost half reported that their resource is spent on reacting to new threats, rather than proactively reducing risk.
AI versus humanity

Understandably, a lot of focus is given to the evolving threats posed by AI-generated attacks. However, the mechanics of cyberattacks have been largely consistent for the past three decades.
In 1995 we were challenged by buffer overruns and social engineering.
In 2025, hackers and AI agents are looking for new buffer overruns, among other technical vulnerabilities, to exploit. Meanwhile, AI-driven deepfakes and automated phishing attacks are pushing the same emotional buttons that they always have: trust, empathy, complacency, urgency, stress, fear.
AI-powered attacks sound exceptionally daunting, yet AI-powered defence technologies are also allowing cybersecurity professionals in the public sector to tune out the noise and focus on anomalous activity and alerts that indicate a breach. This works most effectively when underpinned by a robust cybersecurity foundation, where everyone in the organisation understands their responsibility and ability to safeguard systems and data.
Targeting trust
Although the technology used to steal and encrypt data may have evolved, hackers still rely on exploiting trust to gain access to pivotal identities. That provides us with a powerful tool to defend our public sector systems: public awareness.
If we can remove the stigma of a breach and focus on information sharing, we can collectively improve the security posture of the public sector.
Companies used to be too afraid to admit that they had been breached. Cyber criminals played on that fear to extort organisations. Their silence only made it more likely that other organisations would fall prey to the same well-worn tactics.
Removing stigma, without lowering our guard
While victim-shaming should be avoided, we cannot afford to become apathetic either.
Because humans are prone to be too trusting, and because bad actors so often gain access to systems and data by exploiting emotions including empathy, apathy, stress, or fear, many organisations have adopted a Zero Trust cybersecurity strategy.
Zero Trust operates on the basis of continually re-verifying access requests and only granting access if requests adhere to clearly defined policies. In addition, a Zero Trust environment will have monitoring in place to continuously check for anomalous behaviour.
Raising awareness
The major lesson is that criminal tactics haven’t changed all that much over the past three decades. Hackers still rely on persuading humans to lower their guard and open a door, make an exception, flout a policy, reveal a secret, change a password.
What has changed since 1995 is the general public’s awareness of cybercrime and its real-world impacts. Cancelled operations and patient harm have a tangible effect on our lives. That provides an opportunity to take a grassroots approach to educating people about the most common hacking tactics, so that the routes of least resistance become harder for criminals to navigate.
Tackling complacency
One of the most persistent beliefs is that an organisation can be too small to be of interest to hackers or that every avenue for attack has been addressed. A series of high-profile attacks have demonstrated the error of this belief.
Starting from microbusinesses supplying services to the public sector, all the way up to the largest public sector organisations such as the NHS, cybersecurity education is key.
We know we can’t do this alone; that’s why we rely on working in partnership with consultancies, resellers, MSPs and system integrators.
Our channel partners underpin everything we do and can play a vital role in educating the public sector and general public on getting the cybersecurity fundamentals right. One of those fundamentals is to apply the NIST principle of least privilege (PoLP). This central pillar of identity security ensures that people, APIs, bots, or OAuth tokens are only provided with access to the applications and systems that they need to perform a particular task. PoLP is a foundation of Zero Trust.
Communication is key
It’s not just about spreading the word, but using the right words to persuade people to change their behaviour, so that public sector organisations can improve their security posture. Talking less about cybersecurity and more about business continuity and patient outcomes is more likely to strike the right chord with department heads, budget holders, and colleagues.
While it’s understandable that public sector IT leaders have an eye on the future and are preparing strategies to defend against AI-powered attacks, let’s not forget the power of human communication to get the cybersecurity fundamentals right.








