At the start of the pandemic, IT teams in the public sector faced similar challenges to their private-sector counterparts – working quickly to develop and introduce remote working strategies so the wheels of government didn’t grind to a halt. At the same time, the need to improve interactions with the public rapidly accelerated the move towards digital government.
As a result, public services experienced a huge transition to the cloud, as public sector organisations were able to leave behind ageing, legacy platforms, in favour of adopting shared services and new technologies such as Microsoft 365, to enable better communication and collaboration between colleagues and the public alike. But, while the cloud has been an invaluable tool over the last year and is considered a key enabler of the government’s aims for digital transformation and data-driven initiatives, if security measures fail to keep pace, transformation initiatives could become more of a hindrance than a help.
The dangers of rapid digital innovation
When organisations introduce new solutions to their technology stack, protection capabilities need to be extended to cover it. But faced with a global pandemic that no one could’ve seen coming, businesses needed to innovate fast, and their security measures failed to keep pace. This created a vulnerability lag, where systems and data have been left unprotected and open to attack. Veritas’ Vulnerability Lag Report explores how this gap between innovation and protection is affecting a variety of organisations, public and private; only three-fifths (61%) believe their organisation’s security measures have fully kept up since the implementation of COVID-led digital transformation initiatives. This means 39% are experiencing some form of security deficit.
While such swift digital transformation has delivered a wealth of benefits for public sector organisations, there is a dark side to this accelerated innovation. In the rush to digitally transform, security has taken a back seat. As a result, there may be significant gaps just waiting for cyber criminals to exploit for their own gain.
In the UK, nine in ten organisations have experienced downtime in the last 12 months as a result of cyber breaches. Much of this disruption took the form of ransomware; the average organisation experienced 2.57 ransomware attacks that led to downtime with 14% having been hit five times, or more.
Lindy Cameron, head of the National Cyber Security Centre (NCSC) said in October this year that ransomware “presents the most immediate danger to the UK”. A series of ransomware attacks on public sector institutions, from Hackney Council to Redcar and Cleveland Borough Council have seen services taken down, data leaked, and millions of pounds lost.
Public sector transformation: government departments rely upon ‘legacy’ systems
Where do we focus to close the Vulnerability Lag?
As criminals continue to seek to exploit organisations’ security gaps, where do public sector IT leaders need to focus?
The UK government expects all public sector organisations to follow its Minimum Cybersecurity Standard (MCSS) and advocates a ‘cloud first’ policy, which directs that the central government must consider the use of public cloud environments before looking at alternatives. But with the need to rapidly deploy cloud services to keep public services operable at the start of the pandemic, many are now on the back foot when it comes to cloud management.
While 80% of those surveyed had implemented or expanded cloud capabilities as a result of the pandemic, just 58% said they could confidently state the number of cloud services currently in use in their organisation. And this lack of internal insight extends further; only 65% of organisations’ stored data is classified or tagged. Over a third is ‘dark’ – it is not known what this data is, let alone where it is stored.
A comprehensive data protection strategy requires a thorough understanding of the data that needs to be protected. How can institutions protect what they can’t see? These kinds of blind spots are a beacon to cyber criminals relentlessly focused on finding weaknesses.
But that’s only half of the problem. Let’s say that data transparency isn’t an issue – you know exactly where your data is stored within your multi-cloud architecture. But do you understand where your responsibilities lie? As has been the case for too many cloud customers, not all third-party cloud contracts are read or understood in as fine detail as one would hope. In fact, previous Veritas research found that most organisations still believe that their cloud service provider (CSP) is responsible for data protection and data privacy.
However, the majority of CSPs’ end-user license agreements contain clear clauses that it is the customer who is responsible for protecting their data. The question is, how can public sector organisations even start to realise their responsibilities – and the gaps in these responsibilities – when they don’t even know how many cloud services they’re using, or the data stored on them?
Harnessing digital technology in the public sector can only be achieved by taking a more proactive approach to data management built on visibility and standardisation. For the public sector, this also means creating data protection strategies that cover shared services, ensuring critical data is backed up and secure, while remaining in compliance with regulatory regimes and legal requests – this can be as challenging as it sounds when visibility is lacking.
What is clear from our research is that the public sector cannot take its foot off the peddle when it comes to closing the vulnerability lag created by COVID-led digital transformation initiatives. In the race to ensure data security catches up with innovation, illuminating dark data, taking responsibility for cloud services and workloads and having a comprehensive data protection plan in place will be the key to driving out the risk.
Written by Barry Cashman, regional vice-president for UK and Ireland at Veritas Technologies