Securing the public sector in 2021 and beyond

Three cyber security leaders consider how public sector organisations should address security

What makes the public sector vulnerable to attack and what can be done to address this?

Unlike the private sector, public sector organisations can’t justify IT spend to protect their profits. And yet, cyber attacks in the public sector are particularly destructive because they have the potential to impact so many lives.

When it comes to securing their networks, what public institutions have at their disposal is far outweighed by the tooling and techniques of their adversaries. Due also to the global pandemic, challenges such as remote work and learning, overloaded healthcare systems, and compromised security perimeters have been more commonplace than ever.

So what does the public sector need to know to better navigate the complex security landscape? How can they keep their data safe while performing and facilitating often vital work for members of the public?  

Three cyber security experts and thought leaders share their experiences with security in the public sector.

In addition, our e-book series covers accessible information on what education, local government and healthcare providers can do to better their resilience.

Article #1

Our health data is under attack

Mikko Hypponen
Chief Research Officer, F‑Secure

Article #2

Supporting public sector organisations in the current threat landscape

Paul Burrows
CEO, KryptoKloud UK

Article #3

Why a managed security provider could help the public sector mitigate cyber threats

Dean Porter
Regional Sales Manager, F-Secure UK

Article #1

Our health data is under attack

Mikko Hypponen

Chief Research Officer, F‑Secure

For many years, our clients and customers have asked me about personal health data. “Isn’t it true that health data is one of the prime targets of evil hackers? Isn’t it true that they’re after my medical history?”, they have asked. For years my answer has been: “No, it’s not.”

Around 99% of the cases we investigate at F-Secure Labs are criminals who are trying to make money. My thinking has been that if you’re trying to make money, your prime target is financial information like credit card data, not X-ray images. 

But now I’m changing my mind. 

The reason is the rise in attacks against hospitals, medical research units, and even patients that we’ve seen during the pandemic – in particular, the October attack against the Psychotherapy Center Vastaamo in Finland, in which sensitive information related to tens of thousands of patients was compromised.

The Vastaamo case is a prime example of an attacker who is motivated by money and attempting to monetize personal data by directly blackmailing patients instead of institutions. It takes a ruthless attacker to target health data in general, but we have only seen a handful of attackers around the world who are evil enough to target patients directly.

Going after individuals as opposed to institutions and companies is not a trend yet, but we are seeing indicators that it could become a trend in the near future. I’m worried about this. The Chief Research Officer at F-Secure is worried about this trend, so you probably should be too.

The bulk of attacks targeting the healthcare sector are still perpetrated against institutions, and most are ransom Trojans. This usually involves a disruption like shutting down operations and demanding: “Pay us money if you want to continue saving lives.” We have seen a number of ransom Trojan attacks during the pandemic, most importantly Ryuk. Ryuk attacks have hit dozens of hospitals and healthcare organizations during the pandemic, particularly across the US, where COVID-19 has pushed hospitals and health care organizations and staff to the brink of collapse.

If you’re purely looking for profit, targeting hospitals in the middle of a pandemic is a great idea because they have to continue operations no matter what. Clearly, there are people out there who are willing to capitalize on this opportunity. 

When the pandemic hit in March of 2020, I posted a public message to ransomware gangs telling them “Stay away from hospitals during the pandemic.” I wasn’t expecting much of a response, but I did get a response. Five organized crime gangs went on the record saying “Ok, fair enough. We won’t go after hospitals during the pandemic.” This was a nice surprise, but you can’t really trust a response given by professional criminals. And indeed, we have seen attacks against hospitals, medical institutions and patients.

A massive challenge

Health data has always been an easy target for threat agents because it’s typically not well protected. Most medical systems are publicly funded, which means the world’s health data is often stored in old legacy systems running outdated operating systems. Attackers have always had easy access to these systems. Now that they are beginning to use it, the need to protect some of our most private and sensitive data is more urgent than ever.

So what will it take to keep the world’s health data safe in the future? Money, for starters. But it’s complicated.

In 2017, WannaCry ransomware hit the UK’s National Health Service (NHS) particularly hard. The root cause was obvious – decades of budget cuts. Most of the systems in use by the NHS were running Windows XP in 2017, which is inexcusable. As a result of WannaCry, the NHS was forced to cancel some 19,500 appointments and 600 surgeries. Hospitals, staff and, most importantly, patients suffered.

The WannaCry attack caused such massive problems that the NHS was granted a sizable budget increase to fix the biggest problems that had allowed the attack to happen. The fact that it took a huge failure for politicians to deliver the budget the NHS needed highlights one of the biggest conundrums in cyber security: Freeing up needed budgets in response to a disaster instead of as a means of preventing disasters from happening in the first place. When we do our job right as cyber security experts, our successes are invisible. When we fail, our failures are highly visible. 

“It’s a hard game to play when you need to fail in order to get recognized.”

Another problem is that health data isn’t like corporate data, which is stored for a relatively short period and can then either be destroyed or made public. Health data needs to remain accessible, secure and private forever. And with limited budgets and legacy systems, this is a massive challenge that we are only now beginning to grasp. 

The bottom line is that our health data is now a target for blackmail and other types of attacks. Solving this massive challenge will require a shift in attitude on many levels. And it is definitely not a problem that anyone can tackle alone. It will require both a deeper understanding of this emerging and growing threat and the willingness to address it on all possible levels. 

The knowledge, insight and actions of cybersecurity professionals are a big part of the solution, but the only way to solve the problems we face is together. 

“If you think about corporate emails, they become historical records in around 20 years. Health data needs to be accessible and safe forever.”

New episode of Cyber Security Sauna podcast: Ransomware 2.0, with Mikko Hypponen

Article #2

Supporting public sector organisations in the current threat landscape

Paul Burrows

CEO, KryptoKloud UK

Why is the public sector at risk?

The UK government has made a huge effort to support the SME landscape by awarding more contracts to smaller firms. In 2017 it announced £3bn of IT investment over four years through the Technology Services 2 Framework, with SMEs expected to make up more than 60% of suppliers.

Such investments alert attackers who, in most instances, are after easy financial gains. Although they do not care whether a company is public or private, they see public sector targets as having a soft underbelly. Paul Burrows, CEO of KryptoKloud, an F-Secure Platinum Partner in the UK, believes this perception is correct: “We think that public sector organisations are at 70% greater risk than private organisations,” says Paul, and there are a few reasons for this:

  • Firstly, and perhaps most importantly, private sector organisations know better what they need to do to protect their business and can usually find available budget and plan accordingly. It has been mooted many times that the public sector “knows the cost of everything and the value of nothing,” and unfortunately, this has some resonance here. Things are slowly improving, but obtaining budget for cyber security and planning for it are often still regarded as too complicated.
  • Secondly, there are now state-sponsored ransomware groups that have been tasked with undertaking recon ops to specifically target public sector organisations. We have seen this in several public sector industry segments, most notably further education - where there has been a recent dramatic increase in cyber-attacks against UK Colleges, Universities and in the sector as a whole.
  • Thirdly, many public sector organisations will be focused on making their digital experience as easily accessible to the public as possible, which has the drawback of making them more vulnerable to attack – it is always a balance to ensure the enhanced “end user experience” is also well controlled and secure.
  • Finally, the public sector struggles to attract internal talent in terms of security professionals. This one is again linked to budget, but also to business priorities. Maybe they hire one IT Architect, who is also multi-tasked as a Security and/or Network Architect, and they will (unfairly) expect them to know and implement everything alone, which is simply not realistic.

Lessons from Lincoln College

In mid-November 2020, KryptoKloud (Paul himself) received a call from Lincoln College at approximately 2am. The college had reason to believe they were being cyber attacked.

KryptoKloud’s Incident Response (IR) team met with the college within hours and immediately began assisting in containing the attack. This case is instructive because although the college’s IT staff did many things right, there were processes missing and things they could improve upon.

Like most organisations, Lincoln College did not have a robust and tested incident response plan in place. This made it difficult for them to quickly action containment measures applicable to specific processes and technology. However, the college made the right call by contacting KryptoKloud immediately and by listening to the IR team’s advice and acting on it to the letter throughout the entire process.

To their credit, Senior Management, including IT Leadership and Staff at Lincoln College, adhered to a well-defined management structure, which allowed them to make decisions fast. However, and as is the case with most incidents, a response plan would have ensured a near automatic release of the first steps of containment, even before contacting an IR provider.

After the containment and investigation phases of the incident response activity, KryptoKloud was able to get Lincoln College back to “Business as Usual” within 13 days of the initial call. However, Lincoln College still had a further 21 days of grueling remedial work with their internal IT team. Having led the Incident Response, KryptoKloud managed all 3rd party alignment and cooperation with outside agencies such as insurance bodies, the ICO, Police and National Cyber Crime Agencies, ensuring that they were fully informed and that all breach reporting requirements were carried out. This ensured that final insurance payments were secured. It is also interesting to note here that cyber insurance providers will only pay for repairing the impact of a breach and not for improvements to your defense(s) or any system hardening measures.

Finally, in addition to the containment, investigation and response phases of the recovery, KryptoKloud assisted the college with the reporting and other compliance aspects of the breach, as well as assisting in public communications. What an organisation says and does in the wake of a breach are indeed critical to its future reputation.

Areas for improvement

Lincoln College were very quick to recognise the shortcomings of their sector’s approach to cyber security. All education facilities must consider new ways to tackle the common issues highlighted above.

For example, because universities and colleges are generally not able to attract or retain the kind of security talent found in the private sector, innovative apprentice programmes with participating cyber / security firms should be considered to help build skills. This eases the problem around the global cyber security skills shortage. In this regard, KryptoKloud assists with the training of junior cyber analysts who then work for the colleges or universities for a given period of time – enhancing their technical teams.

“It’s a good development opportunity for the apprentices – who gain real world cyber experience in cyber operations as well as receiving a great apprenticeship with a Level 4 Award at the end. Without doubt, this is a great return on investment for both colleges and universities.”

In addition, there are some key takeaways for all public sector organisations thinking about improving their defense:

  • Have an Incident Response (IR) plan in place. Lincoln College made up for their lack of a formal plan with a clear, senior management structure that allowed the CEO to make quick decisions – following the advice of their IR provider. Not all organisations are so lucky; if there are several stakeholders acting independently it can significantly hinder the speed of response. This can be avoided by agreeing on the internal ‘people’ component of the organisation’s IR plan beforehand.
  • Consider using a Managed Service Provider (MSP). For many public sector organisations, it will be more efficient both operationally and financially. Many organisations purchase from a vendor (install the software) and think they’ve done enough, but it’s not just the tech, it’s the processes and people involved that are extremely important and add the value.
  • Do your homework on providers. Much like a garage, it is often not until things go wrong that you know whether you’ve chosen a good one. But there is support available. The National Cyber Security Centre provides guidance within the public sector and will have a list of recommended providers, as do the newly formed regional Cyber Resilience Centres. In addition, the Institute of Directors (IoD), although a private sector-oriented institution, also has a wealth of information available.

Of course, getting the right technology is also important, but a good managed service provider will be able to support you with that. KryptoKloud utilises F-Secure technology because they recognise the quality of the products.

“We’re an independent service provider so we do our own analysis of the different vendors and F-Secure’s tech comes out head and shoulders above the rest,” says Paul.

KryptoKloud has built out its MSP offering using F-Secure technology and has even taken a lead on sharing what they’ve learned with other partners trying to do the same.

F-Secure Elements has been designed specifically to support partners with building out an MSP offering. It is our all-in-one cyber security platform that lets partners build and manage services more efficiently, by putting everything into a single console.

Article #3

Why a managed security provider could help the public sector mitigate cyber threats*

Dean Porter

Regional Sales Manager, F-Secure UK

What are the security challenges facing the public sector?

At a time when most sectors are struggling with disrupted operations and an increasing volume of incoming cyberattacks, the public sector has more challenges than most. On the central government level, there has been a global increase in nation-state attacks such as the SolarWinds hack that struck multiple US agencies and contractors.

At local scale, authorities are reportedly being bombarded with up to 800 attacks a day, with a particular increase in ransomware attacks aiming to coerce payments out of councils by crippling their services. Several local authorities have fallen victim over the last year, with a particularly high-profile attack on Redcar and Cleveland Borough Council costing more than £10m to resolve.

These mounting threats mean that public sector bodies present an ideal opportunity for managed security service providers, particularly those that can forge a strong strategic relationship and help optimise their defences with a limited budget.

Indeed, research has found there has been an increase in government cybersecurity contracts. This aligns with F-Secure’s findings that 81 percent of organisations are planning to increase their security budgets in the next 12 months. Public sector bodies preparing their security budgets for the coming year should be considering the value of engaging third-party service providers alongside in-house investments.

How can a partner help?

A full in-house team of security specialists armed with the latest technology is beyond the means of all but the largest of private sector organisations – let alone public sector bodies that are already facing tough limits on their budgets. Partnering with a specialist third party security provider will sidestep most of these challenges, as it transitions security from being a capex issue into an opex solution. This means organisations can access the latest security solutions as needed, without having to invest a huge chunk of their budget upfront.

Equally important to the technology is access to the advanced skills and experience needed to use it effectively. Most security tools are only truly effective with a skilled team of humans behind them. For example, while an organisation might budget for an endpoint detection and response (EDR) solution, it will need a managed security service provider (MSSP) to respond to alerts and mitigate the threat.

MSSPs don’t simply provide a team to sit behind their computers and monitor for threats, either. The best partners offer a strong consultative element, helping the organisation to plan and implement long-term security strategies. This can be particularly useful when it comes to complying with regulations such as the GDPR or meeting the needs of the Cyber Essentials scheme.

Finding the right partner

Any public sector organisation seeking an MSSP will not have to look far as the market is large and growing rapidly. However, it is important to ensure that the chosen partner will be a good fit and will be able to meet short- and long-term goals.

Agility is one of the most important assets in a security partner, as they must have the ability to adapt and implement new technology and services in response to changing needs. Likewise, flexibility is important on the contractual side of things – particularly with the on-going uncertainty of the pandemic. Having a flexible contract that makes it easy to ramp up or scale back provisions as needed can make all the difference.

Finally, transparency and trust are key. Ideally an MSSP should operate as a true partner and adviser rather than as a transactional relationship. This means being honest and open about what is happening in the IT network and the wider security landscape, even if it might not be profitable to do so.

While public sector bodies on both a local and central level will continue to face serious cyber threats, the expertise of a trusted security partner can make all the difference in keeping secure.

*Article originally written by THINK.DIGITAL PARTNERS based on an interview with Dean Porter

Let us be your backup – if you’re lacking in something, we’ve got you covered

Partnering with F-Secure means you get access to our latest AI innovations that are aligned with our portfolio. Built with the partner in mind, our global Partner Program will allow you to easily scale your offering by choosing the elements that best suit your needs.

E-book series

Our e-book series below covers accessible information on what education, local government and healthcare providers can do to better their resilience.

E-book

Protecting healthcare from cyber attack

F-Secure's Healthcare report is a must-read for security professionals working to protect critical services and data in this sector.

E-book

Protecting the education sector from cyber attack

A higher education cyber security report for the UK, focused on the most common attacks and what higher education providers can do to protect themselves from cyber attacks.

E-book

Protecting local government from cyber attack

An F-Secure e-book detailing the types of cyber attacks pervading local councils. It considers what can be done to mitigate the risk imposed by cyber criminals in light of the challenges facing local councils today.
