We are regularly confronted with reminders that the public sector is both a key target for cyber attacks, and woefully unprepared for them. The latest rude awakening came with the news that the UK Labour Party had been hit by a ‘cyber incident’, rendering a large number of its members’ and supporters’ data inaccessible and vulnerable. The incident, which affected a third-party IT supplier, bore the hallmarks of a ransomware attack, according to cyber security experts, where cyber criminals demand money to restore access to seized and encrypted data.
Given the value of data held by organisations across the public sector and the weight of reliance on public services, the sector has become especially vulnerable to cyber attacks that seek to maximise disruption for financial gain.
This threat is nothing personal, but it’s certainly nothing human either. A third of all ransomware breaches happen in hospitals, and even at the height of the pandemic, attackers exploited healthcare’s prevalence of overburdened staff and highly-sensitive personal data. Meanwhile, the infamous, international WannaCry ransomware attacks in 2017 affected an estimated 70,000 NHS devices in the UK, including computers and MRI scanners.
This isn’t to mention attacks on central infrastructure we all rely on daily. In the US, entire cities have been temporarily brought to their knees by attacks on government departments. The financial and social costs of outages to basic services have led several cities, such as Florida’s Riviera Beach, to resort to paying attackers their demands.
Why cyber crime groups are some of the world’s most effective startups
Now is the time to take control
Reminders that the public sector is vulnerable are no longer enough; they must serve as calls to action and for change. During the pandemic, cyber attacks in the UK spiked 20% in 2020 as attackers sought to leverage the disruption caused to routine and the increased reliance on digital services. Three-quarters of these attacks were targeted, with government bodies, industrial companies, science and education institutions the chief concern.
Now, as the public sector accelerates digital adoption and invests in digital transformation strategies to better engage with constituents and become intelligence-driven, it holds vast and growing swathes of highly personal data which, if accessed by the wrong people, could put individuals, services, even democracy, at risk.
To combat this threat, boosting cyber security awareness across governmental organisations continues to be a pressing priority and – with the majority of successful attacks traced back to social engineering or phishing campaigns – ultimately serves as the first, strongest and most cost-effective line of defence. Public bodies must routinely and rigorously ensure their people are empowered to play their part in recognising and protecting the organisation against potential security threats, by giving them the training, tools and knowledge required to do so.
Making the break from legacy IT
But training the troops to defend the ramparts only works if the foundations aren’t already crumbling. There is another issue that needs to be addressed and one that is much more deep-seated: legacy technology.
Many governmental organisations rely on outdated systems, choosing to retain platforms that are increasingly frustrating to use. Budgetary constraints and responsibility of public money can lead the public sector to veto new technology investments in favour of a ‘if it ain’t broke’ mentality.
Of course, stringing along outdated systems is a false economy. Built in a different era for different demands, legacy IT impedes the work of individuals, teams or entire organisations and often requires a complex estate of specialised and tailored legacy applications. Over time, these outdated ecosystems become more expensive to support, patch and update, consuming up to 50% of annual IT budgets, in the case of the UK government itself. On the flipside, newer systems, applications and platforms open a wealth of benefits, from bottom-line financial improvements, efficiency gains, or even the positivity of a much better user experience.
The problem is, the longer outdated technology is in place, the more difficult it is to replace. Rewriting those applications from scratch to ensure compatibility with modern platforms can be expensive and time consuming. While we can forgive the hesitance to commit to wholesale IT modernisation for so long, not only is this outdated technology becoming less effective as it ages and less likely to serve citizen’s needs over time, but more than ever, it’s putting those citizens at risk.
Legacy technology is leaving gaping holes in the security of IT systems. Perhaps one of the most ubiquitous examples of this came in 2020, with Microsoft ceasing support for Windows 7 – an operating system that was widely used across the public sector. Users had a choice of paying for extended support, upgrading to the latest version of Windows. Alternatively, they could stick with what they had and hope nothing happened. But that’s a big risk: a single, unpatched vulnerability can enable attackers to access all applications, middleware and databases running on the server platform. Without modern data backup and disaster recovery solutions, data won’t be sufficiently safeguarded. Organisations or departments operating under strict regulatory compliance standards face time-consuming and complex audits, and ultimately expensive fees and penalties, if their IT is not supported or sufficiently protected.
Public sector transformation: government departments rely upon ‘legacy’ systems
Forging the path forward
Breaking from legacy technology takes commitment and upfront expense, but public sector organisations don’t have to throw everything at it at once in order to begin making progress towards advanced and robust technology. They can take a measured approach that evaluates and identifies their most vulnerable systems, and provides the basis to a modernisation strategy that can be carefully and continually managed, and scaled as technology continues to play a greater part of day to day operations.
This requires identifying the most critical systems which the organisation relies upon. To do this, public bodies should look to work with digital partners that can help them identify which platforms may be vulnerable and to prioritise and plan where security patches can be made. They can also work to ensure that those solutions which can’t be updated are placed on a network segment of their own, so that data flows involving them can be strictly controlled and locked down if necessary, and prioritised for replacement where possible.
The public sector must realise that replacing legacy technology is a never-ending task, but it must begin with sincerity now. The sector has more solutions, tools, platforms and partners available to support them in their individual challenges than ever before.
If developing tools and services that enable public sector organisations to do a better job in meeting citizens’ changing expectations, and saving maintenance costs weren’t motivation enough, having the confidence that their systems are protecting members’ and citizens’ data, as well as city infrastructure, certainly should provide the impetus required to finally modernise. By acting at the earliest point and working with partners who can help implement necessary changes, public bodies from political parties through to government departments can create a safer digital future for themselves and Britain as a whole.