A moving target is harder to cyberattack

By their ‘connected’ nature, all public sector organisations are cyberattack targets. But none have to be victims, writes Jonathan Lee, director of public sector, Sophos

As the world looks to bounce back from the global pandemic, the role of public services has never been so important. It’s largely for this reason, and the sensitive data that these services hold, that they’re becoming increasingly valuable targets for cybercriminals. In the Sophos State of Ransomware in Government 2021 report, 40 per cent of central government and NDBP organisations and 34 per cent of local government organisations were hit by ransomware in the last year. It’s a massive problem and a costly one too. The average bill for putting things right after a ransomware attack, including downtime, labour, technology and paid ransoms was £1.02 million for central government and NDPB and £1.22 million for local government organisations.

Threat surface change
To compound the problem, the threat surface has changed due to the increasing popularity of hybrid working. Digitisation has also massively accelerated since the start of the pandemic with cybersecurity unable to match the rapid pace of change that has been forced on organisations everywhere. Security which wasn’t baked in during the rush to get up to speed with the new digital benchmark now has to be attended to retrospectively, providing another unwelcome cost at a difficult time.

Despite the cost of prevention, it’s crucial that the public sector recognizes this threat and puts the necessary measures in place to protect itself. 21 per cent of those in central government and 28 per cent in local government still believe they are not a target of ransomware.

Understanding the threat
To successfully protect themselves, organisations have to be proactive rather than reactive, understanding the threats quickly and prioritizing the steps needed to be taken. That’s not as easy as it sounds with the nature of these threats changing all the time. Rather than viruses, malware and ransomware still existing in isolation, these threats have merged, leading to the emergence of Ransomware as a Service (RaaS). This new development gives criminals who lack the time or skill to develop their own ransomware the opportunity to buy it off the shelf and use it straight away.

There is a real requirement for senior people who understand cybersecurity to be appointed on boards to champion the need for action. The NHS is typical in the sense that IT leaders have found it difficult to argue for funds to take proactive measures when there hasn’t been a high-profile attack like WannaCry for a while.

Addressing the skills shortage
The current skills shortage is a particular problem at a local level. In a recent survey within the public sector, over half of the respondents (54 per cent) admitted that cyberattacks have now become too advanced for their current IT team to deal with on their own.

Smaller organisations tend not to have big teams or round-the-clock protection, and it doesn’t help that some of these have a false sense of security believing that an anti-ransomware tool will be up to the latest challenges.

The fact is, even though advanced and automated technologies are essential elements of an effective anti-ransomware defence, preventing attacks also requires the constant attention of skilled professionals. Whether it’s in-house staff or outsourced support, human experts are uniquely able to identify many of the tell-tale signs that ransomware attackers are making a move.

Where human resources are light, the need for Managed Threat Response (MTR) is greater and this service, offering 24-hour threat hunting, detection and response delivered by a managed team, is already starting to gain traction in certain sectors.

Adopting a zero-trust approach
One of the specific problems for public sector organisations is their connected nature, which makes them particularly attractive to cyber attackers. Recently, thousands of schoolchildren were sent home due to a ransomware attack which became more severe as the victim was a multi-academy trust and all the learning centres were connected and affected by the one security breach. This will likely be a major issue for the NHS with a network of local clinical commissioning groups (CCGs), trusts and integrated care systems (ICSs) all connected on the same network.

Slowly the public sector is waking up to this threat with some organisations already well ahead of the curve. Third party and supply chain attacks are a real worry for board members, and already we are seeing organisations start to vet their suppliers and establish best practice zero trust models more stringently.

Best practice measures
So, how can the public sector counter this ever-growing threat? First and foremost, assume you will be hit. It’s better to be prepared and avoid a costly security breach rather than the other way round. One London borough has a committee meeting every fortnight to discuss risks to their area and they are now giving cyber threat the same level of attention as flood risk. A good example of an organisation more interested in preventing security breaches than just ticking the boxes with outdated anti-ransomware technology.

Keep making backups as this is the best way of recovering data after an attack, try to deploy layered protection to block attackers at as many points as possible, and always combine human experts with anti-ransomware technology for the best defence.

Last, but by no means least, avoid paying ransoms. On average, organisations that paid the ransom got back just 65 per cent of their data, leaving over one third inaccessible.

About the author

Jonathan is a cybersecurity specialist responsible for representing Sophos’s public profile across the UK healthcare, central government, local government, defence, police, fire and housing sectors.

What is ransomware?
The Ransomware is a type of malware that prevents you from accessing your computer (or the data that is stored on it). The computer itself may become locked, or the data on it might be stolen, deleted or encrypted. Some ransomware will also try to spread to other machines on the network, such as the Wannacry malware that impacted the NHS in May 2017.
    
Usually you’re asked to contact the attacker via an anonymous email address or follow instructions on an anonymous web page, to make payment. The payment is invariably demanded in a cryptocurrency such as Bitcoin, in order to unlock your computer, or access your data. However, even if you pay the ransom, there is no guarantee that you will get access to your computer, or your files.