Difficult calls in public sector cybersecurity and service access
Public sector organisations are seeing their budgets squeezed, with tax receipts relative to the size of the economy in the UK and Ireland at their lowest since the COVID-19 pandemic. Few departments or para-governmental bodies have escaped broad-ranging funding cuts, so the ongoing quest to wring value from every tax pound (or euro) has entered a critical stage.
Public sector organisations have to provide better value for citizens, yet are expected to offer the always-on, always-available services that people have come to expect from the large, privately owned names in technology and, increasingly, from every other sector too. There has also been a natural rise in demand for the services and support the public sector provides, driven by people increasingly struggling just to get by.
To respond more rapidly and with better services while having little budgetary room for manoeuvre, many public bodies are outsourcing and offshoring the back-office systems on which their services are built and delivered. That can bring significant cost savings and gains in delivery efficiency, but it also carries a corresponding increase in cyber risk: every external party added to the supply chain can enlarge the attack surface presented to bad actors. That need not be the case if the outsourcing is managed well, but it is certainly a consideration in any IT leader's decision-making.
In the private sector, attackers' motives tend to be monetary. In the public sector, some attackers penetrate systems for kudos or, on occasion, for political gain. The sector's IT function has had its share of cutbacks and budget constraints, and attackers have been quick to capitalise on the themes that dominate during an economic downturn: there has been a marked spike in phishing campaigns built around tax refunds, charitable donations, public grants and others of the same ilk.
The irony is that, as citizens' needs increase, those providing taxpayer-funded services have to make access as easy as possible by multiple routes. With a broad range of technical ability across the citizenry, any provider of public services has to offer several pathways by which services are found, accessed and delivered. That contrasts with the private sector (personal banking, for instance), which has more leeway to be as stringent as it sees fit, placing security hoops through which customers must jump to reach services. The public sector sometimes has little choice but to accept a lower bar at the point of access, a fact bad actors are well aware of.
Risk assessment and management have therefore become a huge factor in running cybersecurity protection systems, and it can be unclear whether contracted third parties have the expertise and experience to make proper assessments. Longer-term partnerships with external suppliers go a long way to ensuring the right balance is found between, for instance, ease of access to multiple vital services and the cyber risk involved. There is also the complex question of data compliance, especially when part of a service's remit is data-sharing with other public and private sector bodies. In this area alone, public bodies must find external contractors whose methods have been battle-tested in similarly constrained environments.
Companies that have worked with security services, law enforcement bodies and government departments worldwide are fairly thin on the ground, at least ones that don't charge the sky-high rates only massive multinationals can afford. For public bodies, whose budgets are highly constrained, such partners are difficult to find.
In a recent episode of the Tech Means Business podcast, we discuss many of the issues raised here with two security experts who have extensive experience of working with public sector organisations worldwide. Their work at Wipro has seen them operate alongside sensitive UK governmental agencies, security services and public bodies around the world.
There are specific considerations to take into account when working with UK public sector organisations, of course, yet hacking and cybersecurity are international in nature and take place on the borderless internet.
There may be slight differences in the aims of some bad actors targeting the public sector, but there is little difference in the methods of protection. SASE (secure access service edge), for instance, is replacing the perimeter-based security approach in both domains, and a fragile VPN is the same construct in the public sector as it is in the commercial world, and just as unwieldy for large-scale remote working patterns.
Yet with the right approach and partnership frameworks in place, there’s no contradiction between the need for security and the scaling of accessible public sector services.
16 February 2024
15 February 2024