How to improve cyber security in local government

Many of the most significant cyber security challenges are surmountable with a layered security strategy, the correct tools, and the appropriate cloud partners, writes Mark Scott

2020 caused major disruption to both our physical and digital worlds. With many local authority employees forced into dispersed and virtual settings, we’ve seen the swift adoption of remote systems and networks to enable collaborative working and more agile processes. However, this rapid transition has also exposed a range of security vulnerabilities, from securing remote access to targeted phishing campaigns, giving cyber criminals the opportunity to exploit the uncertainty brought about by the pandemic and cause chaos.

Over the past year, the sophistication of threats has quickly increased: they have evolved to harness techniques that make attacks harder to spot, and are breaching even the most resilient systems. The latest government figures, published in the Cyber Security Breaches Survey 2021, show that there has been an increase in the number of phishing attacks over the past year.

Undoubtedly, the pandemic has prompted an accelerated adoption of cloud technologies. New solutions were spun up almost overnight and they have played an instrumental role in maintaining operational resilience and enabling local authorities to continue delivering vital frontline services to citizens. For many, the disruption has been a catalyst for change and brought home the need for greater flexibility, scalability and a robust IT infrastructure.

While the promise of cloud is enormous, even accelerated cloud migration projects need to be well thought out. Ultimately, organisations need to strike a balance between making the most of the efficiencies modern cloud-based environments bring and ensuring that the pace of uptake is never at the expense of security for users and, above all else, the citizens they serve.

Cloud governance considerations
Given the challenges that local authorities face, from budget constraints to digital capabilities and compliance, now is a good time to take a step back and check that those newly implemented solutions have been bedded in correctly and are right for the long-term.

This is where data governance considerations come into play. It’s important that sensitive data is stored and managed in line with regulatory requirements - not only to maintain compliance but also to mitigate security concerns. Local authorities need to maintain strict control over sensitive data and retain the ability to delete or destroy that data when required. A lack of effective data governance is a worry, mainly because poorly structured data makes it much more difficult to detect and monitor when something goes wrong. Any misuse of data, especially in the public sector, can have far-reaching consequences and could lead to a loss of citizen trust.

Building a secure cyber strategy
People, processes, and technology form the basis of an organisation’s security strategy. A lack of attention to any of these three factors will inevitably lead to gaps. Balancing each component is the best way to identify risks and match them with the right tools, cultural norms and workflows to effectively manage risk.

People – Employees can create some of the most significant risks to cyber security. However, when they are well informed, they can also be an advantage and the first line of defence. Educating employees is incredibly important, and they need to have basic knowledge about information security and potential threats. Having the right mindset around cyber security is vital. Getting them interested in security, encouraging the swift reporting of incidents and keeping them motivated to keep their equipment and devices safe will all help to create a robust cyber security culture.  

Process – Processes are key to the implementation of an effective cyber security strategy. Well thought out security policies, security awareness programmes, and access control procedures are essential. Not only do they help prevent and detect threats, but they are also crucial in defining how the existing activities can be used to mitigate risk. These processes must be continually audited, and frameworks such as ISO 27001 provide an opportunity to create specific processes. Proper preparation significantly reduces the risks of cyber incidents, and it’s important that all processes and procedures are documented as part of the framework and for auditing purposes.

Technology – Technology is fundamental when it comes to cyber security. There are a whole host of technologies that the public sector can implement to layer their defences. By identifying the most common risks the organisation faces, it becomes easier to identify the controls that need to be put in place, and the technologies to support them. Technology can be deployed to prevent or reduce the impact of cyber risks, depending on your risk assessment and what you deem an acceptable level of risk.

With attacks becoming increasingly sophisticated and more targeted, frameworks such as ISO 27001 can also be followed to ensure best practice and help organisations manage their information security by addressing people and processes, as well as technology. Ultimately, cloud governance shouldn’t be an afterthought. Without it, organisations will struggle to control costs, reduce human error and protect valuable data.

Securing data for the long term
As local authorities become increasingly reliant on mobile devices and cloud-based technologies to run their teams and vital services, their networks, services and devices become prime targets for cyber criminals.

This means that different types of data will need to be secured in different ways. Data classification can play a part in helping to secure collaboration platforms and solutions, for example by stopping employees from sharing sensitive information such as child protection records with users who are not authorised to view them. Getting data classification right from the start and driving policies from the centre makes it much easier to keep data safe and secure. Ultimately, employees need to be protected by policies that stop them from inadvertently exposing confidential data.

However, this is very different from the type of security implemented around a business application database. When it comes to protecting applications and databases, security needs to be a core part of the design. The crux of this is good product architecture and understanding that cyber security processes need to be layered in. This approach minimises the risk of exposing information residing in the cloud and should centre around the zero-trust security model. The model is based on the principle of maintaining strict access controls and not trusting anyone by default, even those already inside the network.

By layering applications behind several defensive barriers, it’s easier to prevent unintended consequences and employees are only able to access the systems and data they require. Segmenting the network in this way and breaking it into a multi-layer structure enables organisations to hinder cyber criminals, restrict their movement across the network and stop them from reaching mission-critical data.

The good news is that with a layered security strategy, the correct tools, and the appropriate cloud partners in place, many of the most significant cyber security challenges are surmountable.

Mark Scott is CEO at Cantium Business Solutions.