The Minimum Cyber Security Standard defines the minimum security measures organisations and agencies must implement. But while awareness of this standard is high (98%), organisations have not seen the dip in cyberattacks that you would expect: more of them experienced over 1,000 attacks in 2018 than in 2017, according to the findings of an FOI request conducted by SolarWinds. Sascha Giese, Head Geek at SolarWinds, talks through the key findings from the survey and identifies, in three points, how the public sector can manage the ever-increasing cybersecurity challenge.
Public sector organisations are now working to meet the new standards released last year by the National Cyber Security Centre. The Minimum Cyber Security Standard defines the minimum security measures organisations and agencies must implement with regard to protecting information, technology, and digital services.
With the standard marking its one-year anniversary this summer, it’s good for UK government departments and public sector organisations to evaluate their progress in meeting this standard, what challenges they’re facing and what priorities they still need to monitor.
This is the first technical standard issued and is designed to continually ‘raise the bar’ and address new threats or classes of vulnerabilities that can cause chaos for organisations and constituents alike.
Awareness doesn’t equate to action
In a recent FOI request, 98% of respondents from central government and NHS organisations noted they’re aware of the Minimum Cyber Security Standard, which is positive. However, this awareness doesn’t seem to have translated into the dip in cyberattacks that might have been anticipated.
While the overall percentage of public sector respondents who experienced a cyberattack in 2018, compared to 2017, decreased (38% experienced no cyberattacks in 2018, while 30% experienced none in 2017), more organisations experienced over 1,000 cyberattacks – 18% in 2018 compared to 14% in 2017.
There is also a risk that the standard will be seen only as a collection of checkboxes to tick, without thinking further ahead or customising it to the organisation’s needs.
Despite the positivity that can be drawn from the lowered percentages, these figures played out very differently in NHS organisations and central government agencies.
Almost three-quarters (74%) of NHS organisations experienced fewer than 50 cyberattacks in 2018, slightly down from 2017 (75%).
On the other hand, over 80% of central government organisations reported almost the exact opposite, indicating they experienced in excess of 1,000 attacks in 2018, up from 67% in 2017.
This suggests that although the most talked about cyberattack in recent memory, WannaCry, cost the NHS £92m and caused 19,000 appointments to be cancelled, central government agencies find themselves under more frequent attack than the NHS.
Managing the cybersecurity challenge
The results of the FOI suggest public sector organisations are aware of the cybersecurity challenges they face and of how rapidly those challenges evolve. However, it’s also evident that the rate at which public sector organisations are facing cyberattacks is on the rise, and simply setting out a security standard may not be enough to stop it.
The establishment of the Minimum Cyber Security Standard makes it clear that the regulatory bodies are taking the matter seriously. It’s now a case of this way of thinking trickling down to each individual organisation or agency, and of implementing the tools to meet the standard. To form a successful strategy for this, there are three key areas to consider.
- Knowing who
A key part of cybersecurity is knowing who has access to systems and data. Through the right access management system, public sector organisations can improve security posture and mitigate any insider threats by identifying insecure accounts. Automating access rights management, analysis and enforcement also enables quick demonstration of compliance, easy permissions management and ultimately enhanced productivity of the IT team.
- Knowing what
Visibility into what’s happening within an IT environment is also key to strengthening security posture, so implementing security information and event management (SIEM) is another crucial piece of the puzzle. SIEM tools enable IT teams to collect and normalise logs generated across networks and systems to detect and protect against advanced cyberthreats, respond to cyber-incidents with unique user-defined actions and help demonstrate regulatory and industry compliance.
- Looking forward
Every public sector entity is unique and the velocity, variety and volume of cyberattacks they experience will provide new, evolving challenges. IT teams need to be ready and agile in adopting new techniques and learning from past experiences to ensure their organisations are constantly protected.
Building a roadmap for future testing, re-evaluation of tools and security posture and the ability to think ahead to potential new threats will be key. A critical part of this will be understanding how to get visibility of the entire infrastructure and getting everyone who has access to use IT monitoring tools to provide the right information to put the right protections in place.