Unlike the private sector, public sector organisations can’t justify IT spend to protect their profits. And yet, cyber attacks in the public sector are particularly destructive because they have the potential to impact so many lives.
When it comes to securing their networks, what public institutions have at their disposable is far outweighed by the tooling and techniques of their adversaries. Due also to the global pandemic, challenges such as remote work and learning, overloaded healthcare systems, and compromised security perimeters have been more commonplace than ever.
So what does the public sector need to know to better navigate the complex security landscape? How can they keep their data safe while performing and facilitating often vital work for members of the public?
Three cyber security experts and thought leaders share their experiences with security in the public sector.
In addition, our e-book series covers accessible information on what education, local government and healthcare providers can do to better their resilience.
For many years, our clients and customers have asked me about personal health data. “Isn’t it true that health data is one of the prime targets of hackers? Isn’t it true that they’re after my medical history?”, they have asked. For years my answer has been: “No, it’s not.”
Around 99% of the cases we investigate at F-Secure Labs are criminals who are trying to make money. My thinking has been that if you’re trying to make money, your prime target is financial information like credit card data, not X-ray images.
But now I’m changing my mind.
The reason is the rise in attacks against hospitals, medical research units, and even patients that we’ve seen during the pandemic – in particular, the October attack against the Psychotherapy Center Vastaamo in Finland, in which sensitive information related to tens of thousands of patients was compromised.
The Vastaamo case is a prime example of an attacker who is motivated by money and attempting to monetise personal data by directly blackmailing patients instead of institutions. It takes a ruthless attacker to target heath data in general, but we have only seen a handful of attackers around the world who are evil enough to target patients directly.
Going after individuals as opposed to institutions and companies is not a trend yet, but we are seeing indicators that it could become a trend in the near future. I’m worried about this. The Chief Research Officer at F-Secure is worried about this trend, so you probably should be too.
The bulk of attacks targeting the healthcare sector are still perpetrated against institutions, and most are ransom Trojans. This usually involves a disruption like shutting down operations and demanding: “Pay us money if you want to continue saving lives.” We have seen a number of ransom Trojan attacks during the pandemic, most importantly Ryuk. Ryuk attacks have hit dozens of hospitals and healthcare organisations during the pandemic, particularly across the US, where COVID-19 has pushed hospitals and healthcare organisations and staff to the brink of collapse.
If you’re purely looking for profit, targeting hospitals in the middle of a pandemic is a great idea because they have to continue operations no matter what. Clearly, there are people out there who are willing to capitalise on this opportunity.
When the pandemic hit in March of 2020, I posted a public message to ransomware gangs telling them “Stay away from hospitals during the pandemic.” I wasn’t expecting much of a response, but I did get a response. Five organised crime gangs went on the record saying “Ok, fair enough. We won’t go after hospitals during the pandemic.” This was a nice surprise, but you can’t really trust a response given by professional criminals. And indeed, we have seen attacks against hospitals, medical institutions and patients.
Health data has always been an easy target for threat agents because it’s typically not well protected. Most medical systems are publicly funded, which means the world’s health data is often stored in old legacy systems running outdated operating systems. Attackers have always had easy access to these systems. Now that they are beginning to use it, the need to protect some of our most private and sensitive data is more urgent than ever.
So what will it take to keep the world’s health data safe in the future? Money, for starters. But it’s complicated.
In 2017, WannaCry ransomware hit the UK’s National Health Service (NHS) particularly hard. The root cause was obvious – decades of budget cuts. Most of the systems in use by the NHS were running Windows XP in 2017, which is inexcusable. As a result of WannaCry, the NHS was forced to cancel some 19,500 appointments and 600 surgeries. Hospitals, staff and, most importantly, patients suffered.
The WannaCry attack caused such massive problems that the NHS was granted a sizeable budget increase to fix the biggest problems that had allowed the attack to happen. The fact that it took a huge failure for politicians to deliver the budget the NHS needed highlights one of the biggest conundrums in cyber security: freeing up needed budgets in response to a disaster instead of as a means of preventing disasters from happening in the first place. When we do our job right as cyber security experts, our successes are invisible. When we fail, our failures are highly visible.
“It’s a hard game to play when you need to fail in order to get recognised.”
Another problem is that health data isn’t like corporate data, which is stored for a relatively short period and can then either be destroyed or made public. Health data needs to remain accessible, secure and private forever. And with limited budgets and legacy systems, this is a massive challenge that we are only now beginning to grasp.
The bottom line is that our health data is now a target for blackmail and other types of attacks. Solving this massive challenge will require a shift in attitude on many levels. And it is definitely not a problem that anyone can tackle alone. It will require both a deeper understanding of this emerging and growing threat and the willingness to address it on all possible levels.
The knowledge, insight and actions of cybersecurity professionals are a big part of the solution, but the only way to solve the problems we face is together.
“If you think about corporate emails, they become historical records in around 20 years. Health data needs to be accessible and safe forever.”
The UK government has made a huge effort to support the SME landscape by awarding more contracts to smaller firms. In 2017 it announced £3bn of IT investment over four years through the Technology Services 2 Framework, with SMEs expected to make up more than 60% of suppliers.
Such investments alert attackers who, in most instances, are after easy financial gains. Although they do not care whether a company is public or private, they see public sector targets as having a soft underbelly. Paul Burrows, CEO of Kryptokloud, an F-Secure Platinum Partner in the UK, believes this perception is correct: “We think that public sector organisations are at 70% greater risk than private organisations,” says Paul, and there are a few reasons for this:
In mid-November 2020, KryptoKloud (Paul himself) received a call from Lincoln College at approximately 2am. The college had reason to believe they were being cyber attacked.
KryptoKloud’s Incident Response (IR) team met with the college within hours and began the process of immediately assisting in containing the attack. This case is instructive because although the college’s IT staff did many things right, there were processes missing and things they could improve upon.
Like most organisations, Lincoln College did not have a robust and tested incident response plan in place. This made it difficult for them to quickly action containment measures applicable to specific processes and technology. However, the college made the right call by contacting KryptoKloud immediately and listening to and acting on the IR team’s advice throughout the entire process to the letter.
To their credit, Senior Management including IT Leadership and Staff at Lincoln College, adhered to a well-defined management structure, which allowed them to make decisions fast. However, and as is the case with most incidents, a response plan would have ensured a near automatic release of the first steps of containment, even before contacting an IR provider.
After the containment and investigation phases of the incident response activity, KryptoKloud was able to get Lincoln College back to “Business as Usual” within 13 days of the initial call. However, Lincoln College still had a further 21 days of grueling remedial work with their internal IT team. Having led the Incident Response, KryptoKloud ensured that all 3rd Party alignments and cooperation with outside agencies such as insurance bodies, ICO, Police and National Cyber Crime Agencies were fully informed, and all breach reporting requirements were carried out. This ensured that final insurance payments were secured. It is also interesting to note here that cyber insurance providers will only pay for repairing the impact of a breach and not for improvements to your defense(s) or any system hardening measures.
Finally, in addition to the containment, investigation and response phases of the recovery, KryptoKloud assisted the college with the reporting and other compliance aspects of the breach, as well as assisting in public communications. What an organisation says and does in the wake of a breach are indeed critical to its future reputation.
Lincoln College were very quick to recognise the shortcomings of their sector’s approach to cyber security. All education facilities must consider new ways to tackle the common issues highlighted above.
For example, because universities and colleges are generally not able to attract or retain the kind of security talent found in the private sector, innovative apprentice programmes with participating cyber / security firms should be considered to help build skills. This eases the problem around the global cyber security skills shortage. In this regard, KryptoKloud assists with the training of junior cyber analysts who then work for the colleges or universities for a given period of time – enhancing their technical teams.
“It’s a good development opportunity for the apprentices – who gain real world cyber experience in cyber operations as well as receiving a great apprenticeship with a Level 4 Award at the end. Without doubt, this is a great return on investment for both colleges and universities.”
In addition, there are some key takeaways for all public sector organisations thinking about improving their defense:
Of course, getting the right technology is also important, but a good managed service provider will be able to support you with that. KryptoKloud utilises F-Secure technology because they recognise the quality of the products.
“We’re an independent service provider so we do our own analysis of the different vendors and F-Secure’s tech comes out head and shoulders above the rest,” says Paul.
KryptoKloud has built out its MSP offering using F-Secure technology and has even taken a lead on sharing what they’ve learned with other partners trying to do the same.
F-Secure Elements has been designed specifically to support partners with building out an MSP offering. It is our all-in-one cyber security platform that lets partners build and manage services more efficiently, by putting everything into a single console.
At a time when most sectors are struggling with disrupted operations and an increasing volume of incoming cyberattacks, the public sector has more challenges than most. On the central government level, there has been a global increase in nation-state attacks such as the SolarWinds hack that struck multiple US agencies and contractors.
Locally, authorities are reportedly being bombarded with up to 800 attacks a day, with a particular increase in ransomware attacks aiming to coerce payments out of councils by crippling their services. Several local authorities have fallen victim over the last year, with a particularly high-profile attack on Redcar and Cleveland Borough Council costing more than £10m to resolve.
These mounting threats mean that public sector bodies present an ideal opportunity for managed security service providers, particularly those that can forge a strong strategic relationship and help optimise their defences with a limited budget.
Indeed, research has found there has been an increase in government cybersecurity contracts. This aligns with F-Secure’s findings that 81 percent of organisations are planning to increase their security budgets in the next 12 months. Public sector bodies preparing their security budgets for the coming year should be considering the value of taking third party service providers alongside inhouse investments.
A full in-house team of security specialists armed with the latest technology is beyond the means of all but the largest of private sector organisations – let alone public sector bodies that are already facing tough limits on their budgets. Partnering with a specialist third party security provider will sidestep most of these challenges, as it transitions security from being a capex issue into an opex solution. This means organisations can access the latest security solutions as needed, without having to invest a huge chunk of their budget upfront.
Equally important to the technology is access to the advanced skills and experience needed to use them effectively. Most security tools are only truly effective with a skilled team of humans behind them. For example, while an organisation might budget for an endpoint detection and response (EDR) solution, it will need a managed security service provider (MSSP) to respond to alerts and mitigate the threat.
MSSPs don’t simply provide a team to sit behind their computers and monitor for threats, either. The best partners offer a strong consultative element, helping the organisation to plan and implement long security strategies. This can be particularly useful when it comes to complying with regulations such as the GDPR or meeting the needs of the Cyber Essentials scheme.
Any public sector organisation seeking an MSSP will not have to look far as the market is large and growing rapidly. However, it is important to ensure that the chosen partner will be a good fit and will be able to meet short- and long-term goals.
Agility is one of the most important assets in a security partner, as they must have the ability adapt and implement new technology and services in response to changing needs. Likewise, flexibility is important on the contractual side of things – particularly with the on-going uncertainty of the pandemic. Having a flexible contract that makes it easy to ramp up or scale back provisions as needed can make all the difference.
Finally, transparency and trust are key. Ideally an MSSP should operate as a true partner and adviser rather than as a transactional relationship. This means being honest and open about what is happening in the IT network and the wider security landscape, even if it might not be profitable to do so.
While public sector bodies on both a local and central level will continue to face serious cyber threats, the expertise of a trusted security partner can make all the difference in keeping secure.
*Original article written by THINK.DIGITAL PARTNERS based on an interview with Dean Porter
Our e-book series below, covers accessible information on what education, local government and healthcare providers can do to better their resilience.