10 cyberthreats facing public sector organisations
David Crozier, Head of Strategic Partnership and Engagement at the Centre for Secure Information Technologies (CSIT), explains the 10 most prominent cyberthreats facing public sector organisations.
Describing the work achieved at government level so far in Northern Ireland as “a job half done”, Crozier outlines the goal in New Decade, New Approach for a talent pool of 5,000 cybersecurity experts in Northern Ireland by 2030 and explains that he wants to see 3,500 newly qualified professionals graduating annually between now and then.
He further explains that the CSIT will utilise the £55 million it secured as part of the Belfast Region City Deal as an enabler of this, qualifying 18 PhD graduates from Queen’s University Belfast on an annual basis and enabling the use of data across all sectors, applying their expertise in cybersecurity and data analytics on a cross-sectoral basis.
Crozier lists the 10 areas of concern, giving examples and ways to combat or alleviate the threat posed by these factors.
Ransomware: “In October 2021, Hackney Borough Council had a ransomware incident from which it is still recovering. The Council have spent £10 million, and are still trying to recover from that incident. In September 2022, the Oxford Health Foundation Trust found ransomware in their system and that disruption is still being felt.
“The keys to combatting this are having IT teams which understand threat intelligence, threat hunting, detecting ransomware on systems before it becomes a major area of concern, working out how to shut down those systems, working out how to remediate that, and how to have a minimal impact from ransomware on your business.”
Geopolitics/nation-state attacks: “Not just a ‘sexy topic for the media’, organisations like small businesses and charities are being caught in the crossfire as an unintended consequence and damaging sensitive networks and unearthing sensitive information which can be valuable sometimes particularly on the individuals. Those sensitive networks are still being targeted, still being compromised, and there are still people lurking on networks and not necessarily showing their hand.
“Part of this is around making sure that the organisations are resilient in the face of attack. They may be caught as a consequence of some other activity, but they need to understand the threats that they face and ensure that their systems are secure and that they can recover from any attacks which may stem from the geopolitical situation at the moment.”
Supply chain security: “SolarWinds and Kaseya are recent examples but really, where we are running particularly secure networks, where we have particularly trusted relationships with some of those solution providers that are close to us.
“We have to ask ourselves if we are critically analysing the third-party supply chain into those systems. That can be the third-party cloud providers, service providers. We also have to always question our confidence in their security posture, and what sort of assurance and assessment we are doing on those suppliers which are further down in our digital supply chain.”
Cloud and multi-cloud security: “Cloud-enabled systems have been critical over the last three years, due to the enablement of flexible working in many workplaces. However, the caveat still applies that the data on your cloud is still residing on someone else’s device.
“Making sure that we are an informed procurer of solutions, that we have adequate security measures within the procurement frameworks, that we are writing in a sufficient overhead and budget are vital in ensuring that we are not only procuring on the cloud so that things are secure in the present, but that things continue to be secure into the future.”
Remote work and return: “We need to make sure our systems enable working from home, that systems are secure for those people but also secure for them when they are working from home on a Monday and Friday and everything in between.
“We have to assume that remote working is here to stay. People like that flexibility and they like the agile work, and they like that flexibility of being able to do stuff from home and being able to do things from wherever they may be and making sure that the procurement and the other systems support that. We also have to ensure that the security around that is particularly strong.”
Zero-trust: “There is no network perimeter anymore. Your networks are no longer the Tower of London, but rather the city of London. There are no longer the high walls and small number of entry and exit points on your network anymore; you have to think of it as the city of London and plan to secure it on that basis. You have multiple unknown entry points, and you need to make sure that your systems are secure on that basis.”
Human factors: “A report by the University of Oxford entitled Cyber Collateral: WannaCry & the impact of cyberattacks on the mental health of critical infrastructure defenders, reported on American cybersecurity officials who suffered from PTSD having worked in the cybersecurity sector during the wars in Afghanistan and Iraq.
“The report stated: ‘One that has stayed with me was an incident responder who could not make leadership understand the severity of what was happening and then could not get them to plug back in to update with the kill switch.
‘That responder was blamed for technical incompetence for letting WannaCry happen and then for not fixing it fast enough. They asked me, tearing up, if they had explained enough and if they could have done anything differently to make their leadership understand and to believe them.’
“We must learn to listen to these people. Whenever the proverbial hits the fan, they need those tools, they need that leadership support to do what they need to do to get business back up and running as quickly as possible. They are at the coal face; enable them to do their job and solve problems. This is just one of the many mental health aspects that we are seeing in shoring up cybersecurity. This is not just a technology problem; it is also a human problem. Look after these people because the skills shortage is such that they will just move completely out of cybersecurity.”
Artificial intelligence/machine learning (AI/ML): “This is a very emerging research area. What we are seeing now is a rush to implement AI and machine learning solutions, whilst security is seen as an afterthought. When you are training AI models, you are depending on AI and machine learning to make decisions.
“We have to make sure that those algorithms are not being fed duff data, reverse engineered, or being poisoned to make wrong decisions. This can be especially prominent in the healthcare space. You have to make sure that someone is not maliciously feeding your algorithms and your AI duff data so that they make wrong decisions.”
Phishing and social engineering: “We are seeing a lot of event-driven lures which are being rapidly turned around by malicious actors to fool people into giving over bank details for transferring funds. We have also seen recent examples of this including scam energy price cap fund texts and emails, and vaccine frauds during the pandemic.
“We have seen voice phishing, not just human voice phishing but now we are seeing human phishing with deepfakes to replicate a video of someone speaking in order to replicate their voice and potentially use that to scam banks.”
Internet of Things (IoT) security and standardisation: “The UK Government is ahead of the curve here in trying to set standards in terms of the security of IoT devices like widget. This ensures that there are minimum security standards in place, making sure that those come with guarantees of software updates so that those legacy devices can become a big problem on networks.”