Defending local government
Change is ubiquitous within the world of cyber-security. The industry has a constantly evolving landscape of threats, each more sophisticated than the last and increasingly adept at bypassing traditional security solutions and going undetected.
Added to this, the swathe of high-profile data breaches in large private sector organisations during 2015 has increased the notoriety of online crime, bringing cyber-security into focus for governments and businesses alike. Local government has, for the most part, remained out of the spotlight when it comes to cyber-attacks, but with two well-known councils suffering significant incidents this year already, things are beginning to change.
Both Lincolnshire County Council and North Dorset District Council fell victim to ransomware attacks in 2016, the latter affecting over 6,000 files. Ransomware has become increasingly popular, with attackers not needing to steal information, just encrypt it and then sell access back to the owners.
Despite these incidents, it’s encouraging to see that elsewhere in the sector there are some great examples of good practice in cyber-security. It could be argued that Leicester City Council have taken up the role of trailblazers in the sector, with the recent appointment of two ‘ethical hackers’.
Using the same arsenal of ‘dark arts’ employed by cyber criminals, these cyber experts will be tasked with ethically hacking into the council’s computer systems to find the weaknesses in the infrastructure in order for it to be strengthened. Among IT security circles, this is known as penetration testing and offers valuable insights into the state of an organisation’s defences.
While it’s positive to see Leicester City Council improving its IT security, penetration testing alone falls short of what is needed to defend against the legion of cyber criminals who are mounting attacks today and are looking for any opportunity to pilfer the wealth of sensitive data held by local councils.
In cyber-security, the more access a network has and the more places critical information can be found, the easier it is for a cyber-criminal to find a weakness and exploit it. Defence is easier for the majority of private sector businesses, which can implement tighter restrictions on who can access their data and segregate whole areas of their network in order to reduce the number of access points through which an attack could penetrate the system.
The very nature of local government makes it both difficult to defend and an optimal target to attack: large quantities of sensitive data are in constant transit across multiple bodies, and much of it is legally required to be accessible and transparent for constituents.
Security is not just about technology; people and process are also needed to build a complete critical information security strategy. Firstly, there needs to be a Data Protection and Handling Policy across every department and every organisation, and it needs to cover every individual from temporary staff to directors and CIOs (the extended enterprise). It’s vital that organisations educate their employees and foster an awareness of where they can and cannot move specific types of information and how they can move it securely.
Last year, our own data showed that almost 75% of security breaches came from within organisations’ own networks. The majority of these were not malicious, but inadvertent. All it takes is one person who does not know how to share information securely within the government network for it to fall into the wrong hands.
Ensuring an organisation is secure relies on more than just training the staff. Security solutions should be used to back up the staff and the policies, and can protect against data loss, but these technologies need to be layered to work effectively.
Many organisations just commission a firewall and virus scanners. Today these are not as effective against malware as they were even twelve months ago, especially against the next generation of evasive malware, including ransomware. Security solutions are evolving, and other organisations are using adaptive data loss protection (DLP) software, which not only polices the movement of sensitive data, preventing any unauthorised disclosure throughout a network, but also protects against incoming malware hidden in innocuous-looking documents. The next generation of adaptive DLP can automatically redact sensitive content accidentally included in messages and documents as they pass in and out of an organisation’s network, leaving the rest of the content to travel unhindered.
With much of local government’s information being time-critical, unimpeded communication flow is required across all the communication channels, including email, the Internet and social media, which traditional DLP solutions are unable to provide but the next-generation adaptive solutions can. Unfortunately, there is no silver bullet when it comes to defending against cyber-attacks; a layered approach is required. Local councils have unique problems compared to the private sector, which need to be taken into account in the way they approach their security. Public sector organisations must think about their information security on a strategic as well as a tactical level.
A blend of education and careful application of technology around protecting critical information must be a real focus to keep up with, and stay ahead of, the threats of today.
Guy Bunker is senior vice president – products at Clearswift