Cybersecurity was already on the board agenda of UK public sector organizations before Covid-19.
Chris Naylor, outgoing Managing Director of the London Borough of Barking and Dagenham, assesses risks on two dimensions, their likelihood and their potential impact, he told a cybersecurity panel at the New Statesman and Technical instructor's recent Symposium on Public Sector Technologies. Over the past five years, cybersecurity risk has climbed in both rankings, Naylor explained. “As a result, this has got a lot more of my attention.”
But the pandemic and the accompanying ransomware episode have put the preparedness of the UK public sector to the test. That preparedness turned out to be a “mixed record,” said Jonathan Lee, UK director of public sector relations at panel sponsor Sophos. Collaboration between government and the cybersecurity industry has helped public sector organizations improve their preventive stance against threats, Lee said, but “I think we can do better.”
Cyber security in the public sector: information overload
Adrian Boylan, IT manager at Moorfields Eye Hospital NHS Foundation Trust, said that while awareness of cybersecurity issues has improved dramatically in recent years in the public sector, many small organizations do not have the resources to do so in the face of all the threats they face. And while there is a wealth of advice and information available from government agencies and vendors, it can be overwhelming, he added.
Likewise, Boylan said, adhering to cybersecurity guidelines and frameworks can be overwhelming for small organizations, especially when added to the practical work of securing and monitoring computer systems. “Perhaps we should move away from the more resource-intensive annual exercise of asserting that we are following theoretical guidelines or points of principle and return to a practical assessment [of cybersecurity],” he said.
Respond to cybersecurity threats
If it wasn’t already evident, the ongoing ransomware outbreak has made it clear that cybersecurity threats have changed dramatically over the past decade. Defenses also need to evolve, Lee said.
The human dimensions of cybersecurity are vital, not only to prevent breaches, but also to detect and respond to them, explained Shelton Newsham, UK Health Security Agency information security officer and former cybercrime police officer. When it comes to IT security technical teams, a range of perspectives and experiences is essential. “Having someone who is technically aware but not technical is really, really important,” he explained. “They will spot things that people with real technical abilities who are immersed in trying to contain an incident [may not].” These ‘technically savvy’ personnel can often help police attribute attacks and, in some cases, identify attackers.
Non-IT staff, meanwhile, play an equally vital role in incident response, Newsham said.
Bad news to share? Build your trusted bank
How should public sector IT leaders communicate security risks to senior management? Naylor shared his approach to maintaining ongoing risk awareness: a monthly insurance board meeting, where heads of strategic departments, including cybersecurity, raise risks that need to be addressed. “In essence, I leave the burden of judgment on them to tell me what they think I need to know,” he said. More importantly, he asks that department heads not only describe the risk, but identify a call to action. “I need to know the consequences of what I hear,” he said. “It’s not good enough for people to say, ‘Well, this thing happened.’ What I really want to know is, what do you want me to do about it?”
This meeting can provoke difficult conversations. During a secondment to Birmingham City Council, Naylor was asked for £20 million to tackle cybersecurity issues. “Sometimes I don’t want to hear it,” he said. But “we have to hear it and we have to create spaces to hear it”.
And when an IT manager needs to raise a cybersecurity issue that requires an immediate and in-depth response, it helps to have built trust within the organization. “Trust your trusted bank so that when you need to pull the leverage, they’re ready to hear from you,” advises Naylor. “If you’re running a tight ship in your IT department, [it] builds the confidence of people like me, so that when you come to us with a request for additional funding, resources or action, we are in the open space to respond.”
Pete Swabey is editor-in-chief of Technical instructor.