The public sector faces intense public scrutiny, especially when it comes to cybersecurity. However, the launch of the National Cyber Security Centre in (NCSC) in 2016 suggests that the sector is beginning to take the issue of cybersecurity seriously, marking the Government’s commitment to making the UK a safe place to live and work online. And it’s not just public scrutiny the sector has to contend with, but the global digital revolution means that changes are happening rapidly, and technology adoption is not happening as quickly as it should. On top of this, the public sector has numerous regulatory and Information Assurance (IA) based obligations they are required to fulfil, making some organisations within the sector too scared to make changes or enforce new policies for fear of breaking the rules.
Restricted budgets, small teams and intense workloads can often make cybersecurity a low priority. Rather than enforcing and developing proactive, robust strategies to keep the organisation’s data safe, teams end up working reactively to mitigate threats as they arise. Not to mention the complex and wide-reaching nature of public sector organisations, making coordinating the array of essential services, stakeholders and functions a near impossible task.
Keeping up with digital change
The digital transformation means that traditional connectivity solutions are being replaced to reflect cloud deployments, network function virtualisation and the ability to deploy meaningful orchestration-based management. To reflect the update of digital and online services, public sector networks are expected to grow at 15-25% per year; in order to keep up with this demand, users are becoming increasingly reliant on both high-speed and high-availability transport networks, whether they are MPLS, SD-WAN or 5G or a combination of networks to deliver information when and where needed.
In the not so distant future, dependency on traditional hardware will become more challenging as additional capacity means the user may have to continuously upgrade its network to reflect growth. However, current and conventional approaches to data protection create numerous challenges particularly around scalability, performance, complexity, key management and key rotation.
Don’t shy away from new technology
The public sector needs to start embracing new technology; the prospect of digital transformation should be exciting, rather than daunting. As a sector with a reputation for being slow to adopt mobile technology, potentially due to concerns over its lack of security, there is a tendency to instead lock down data and restrict the use of technology altogether. However, this just isn’t sustainable, and a lack of mobile technology won’t keep the hackers out.
If changes don’t happen soon, the public sector will get left behind. To keep up, it needs to recognise that a digital network with a mix of connected users, devices and applications, does not need to make an organisation vulnerable; no matter how complex it may be. Flexibility and digital agility are undoubtedly at the top of every government’s agenda, making it essential for organisations to embrace the technology available. However, instead of putting adopting technology that attempts to secure each entity itself, or worse, layering technology on top of technology with a security solution tied into the network, organisations need to focus on what’s really important – and that’s Information Assurance (IA). In order for organisations in the public sector to really be secure, rather than securing the network, the focus needs to be on protecting the data.
An organisation’s biggest asset
Data is arguably an organisation’s biggest asset; it’s the crown jewels that must be protected, and what the hackers will inevitably set their sights on when planning an attack. In reality, a fine won’t be enforced under regulations such as the General Data Protection Regulation (GDPR) for a breach to an organisation’s network; the fine comes into play when a breach results in data being lost or stolen. That’s the difference in value between an organisation’s network and its data.
And the fact is, the public sector is quickly becoming a prime target for hackers. But how can organisations ensure their data is really protected? Firstly, organisations need to move to a data-centric, IA security model underpinned by a robust and strategic security overlay, on top of an organisation’s existing network and independent of the underlying transport infrastructure, making the network itself irrelevant. A software-defined security overlay enables a centralised orchestration of IA policy and by centrally enforcing capabilities such as software-defined application segmentation using cryptography, key management and rotation, data is protected in its entirety on its journey across whatever network or transport it goes across.
For the public sector, this means organisations no longer need to fear technology; each application on the network and the data it holds will be kept secure, irrespective of any changes made. Furthermore, if a data breach does occur, as long as it’s encrypted it will be rendered useless to hackers, mitigating the potential damaging consequences of a breach.
Quite simply, cybersecurity must be at the forefront of business strategy. Public sector organisations need to embrace technology, coupled with the right security architecture, or risk being left behind.
The opinions expressed in this post belongs to the individual contributors and do not necessarily reflect the views of Information Security Buzz.