Management > Security

Digital demand and the impact on data security

Published 08 August 2017

Vikki Archer, head of Public Sector - UK&I for CyberArk, discusses the challenges which must be addressed to keep public data – and citizens’ personal information – secure


The public sector is going through a period of immense change, driven by efficiencies implementation, shifting ways of working and growing pressure to deliver on consumer demand for digital services. Governments, schools, universities and hospitals need to make vital upgrades to their IT infrastructure, but managing this at the same time as upholding security defences can be a struggle.

In recent months we’ve seen huge ransomware attacks on the NHS, and learnt that two-thirds of London councils suffered a data breach in the last four years.

Here we look at some of the challenges which must be addressed to keep public data – and citizens’ personal information – secure. This includes the SME procurement policy, a legacy of outsourcing IT projects, a technology skills gap and budget cuts:

The SME procurement policy: A new regulation introduced in 2011 stated that 25% of spend in the public sector had to go either directly, or in supply chains, to SMEs by 2015. The move was successful in providing SMEs with better access to government contract opportunities, and it encourages departments to use fresh and innovative suppliers. However, government projects are increasingly complex and it can be difficult for smaller companies to scale up. This means contracts are frequently spread between suppliers, and cybersecurity policies become siloed and disjointed. Public sector organisations must make sure there is a single view of all supplier contracts, and only work with SMEs who demonstrate they are taking cybersecurity seriously. This should include employee education in addition to properly managed, secured credential use.

A legacy of outsourcing IT projects: In recent decades, the government has been outsourcing IT projects with the goal of cutting costs and improving efficiency. But concerns over whether this has been achieved is bringing projects back in-house. Given the scale and number of projects that have been outsourced, public sector organisations must carefully manage this shift in ownership or gaps in security will emerge.

Skills shortage: The regularly-highlighted skills gap in the technology sector is only too evident in government. With lower budgets than the private sector, it struggles to attract and retain the already slim talent pool in the industry, leaving them more vulnerable to cyber threats. Furthermore, it means more contractors are hired to deliver on short-term projects. A revolving door of people coming in and out of organisations means there is a variety of diverse users with powerful admin access to sensitive data and control of the IT infrastructure. With a greater risk of insider threats, powerful IT admin accounts must be carefully managed, and employees regularly educated on best practice. 

Budget cuts impacting IT investment: As the government strives to reduce its debt, the public sector faces budget reductions across the board. This means government teams must be selective about which projects they invest in. Organisations cannot escape the need to protect and secure their systems, but there are some fundamental steps they can take to get the basics right and significantly reduce risk. The National Cyber Security Centre’s ‘10 Steps to Cyber Security’ provides some useful advice including monitoring, incident management, malware prevention and managing user privileges.

These points collectively result in hackers seeing government departments as ‘softer’ targets with more vulnerabilities that can be exploited. Steps are being taken to address this and, in June, the National Cyber Security Centre introduced four measures to improve public sector cybersecurity, to be implemented by departments and their arm’s length bodies. This includes straightforward advice on how to block malicious content from being accessed from government systems, how to block fake emails pretending to be from government, ways to address basic weaknesses in web-facing services, and a guide to removing bad content (such as phishing and malware) from the internet.

The government has also announced that it is investing £21m to bolster cybersecurity within the NHS, with 27 major trauma centres receiving funding to update IT systems, improve staff training and raise awareness of how to deal with cyber-threats. Tackling ransomware must be a top priority for NHS trusts, and they must start using application control at the file level, whitelisting good, known and trusted applications and blacklisting anything that’s unknown, not trusted or known to be bad. In the middle you have greylisting, where applications you’re not sure about can run in restricted mode - with limited access to files and data, no internet access and no access to network shares or servers. 

Taking this approach and combining it with tighter control over user privileges is the best way for the NHS to prevent one infected end-point from causing an organisational pandemic.

Managing privileged accounts, educating employees and ensuring there is a single view of all supplier contacts will ensure government departments can prevent threats at every opportunity, and avoid becoming the next high-profile victim of a cyber-attack.

Vikki Archer is head of Public Sector - UK&I for CyberArk



We have updated our privacy policy. In the latest update it explains what cookies are and how we use them on our site. To learn more about cookies and their benefits, please view our privacy policy. Please be aware that parts of this site will not function correctly if you disable cookies. By continuing to use this site, you consent to our use of cookies in accordance with our privacy policy unless you have disabled them.