Securing our Public Service in an Evolving Cyber Threat Landscape

December 2019

Cyber security concerns continue to evolve rapidly, with new threats emerging every day. Cyber actors range widely from individuals, hacktivists and activists, to criminal groups, nation states and terrorists. Although these cyber actors each have their own motives and intentions, they share a common objective to exploit trust in the target, be that human or computer, writes Jacky Fox, Managing Director of Accenture Security and vice-chair of Cyber Ireland.

In the past 12 months, cross-industry security executives surveyed by Accenture in Ireland for our State of Cyber Resilience research¹ reported 258 targeted cyber-attacks, with 35 successful security breaches. Nearly two thirds (62 per cent) of Irish respondents experienced loss of IT services as a result of a cyber breach and nearly half (42 per cent) suffered loss of operational services as a result. Four in 10 respondents reported suffering financial loss following a security breach and six in 10 reported remediation taking more than 30 days. This all demonstrates the level of challenge faced by government, citizens and businesses in securing the digital world today.

Costs to the public service are rising

Learning from the success of government agencies and companies achieving high levels of security is an important step towards reforming cyber security defence mechanisms. In the private sector, the scale and scope of recent breaches mean cyber security continues to be a primary concern for C-Suite executives and board members. According to Accenture’s ninth annual Cost of Cybercrime Study of the public service published with the Ponemon² Institute, public service organisations are spending more than ever to deal with the costs and consequences of increasingly sophisticated attacks. In 2018, the average cost of cybercrime for a public service organisation globally was $7.9 million, up from $6.6 million in 2017 and an increase of 17 per cent.

Every government agency operates with a unique mission – often with a constrained budget and limited resources. In the face of those realities, how can government effectively and efficiently safeguard systems and data? Success lies not only in investing in the latest security technology but in developing a proactive and practical approach to cyber resilience and the ability to recover from the inevitable. This involves assessing the risks and building an organisational strategy to deal with these risks. In Ireland we are anticipating the release of a new national Cyber Security strategy in 2019 which will provide guidance on this.³

Security breaches can come from numerous sources inside and outside an organisation, and threats are nothing if not diverse and dynamic. Just when an organisation believes it can successfully defend against one type of attack, another attack technique or vector emerges.

Hybrid motives in ransomware

Ransomware attacks, for example, can cause serious disruption to business operations and can be costly, even if the data has been backed up properly and is securely stored offline. The attacks involving the Goga ransomware earlier this year – where unknown actors gained access to several organisations and infected networks with Goga ransomware – have reportedly cost victim organisations at least US$40 million in the first quarter of 2019⁴. While the motives behind attacks may appear to be financial, targeted ransomware attacks may at times serve hybrid motives, whether financial, ideological, or political. Regardless of motive, while the ransomware threat remains, organisations must ensure they take adequate measures to prepare, prevent, detect and respond to a ransomware attack.

Technologies introduce risk, and so do humans

Whether by accident or intent, many employees are often the root cause of successful cyberattacks. Often a person is the easiest target to infiltrate an organisation using various methods of social engineering, such as ever efficient phishing emails or person to person for more targeted attacks.

It is anticipated that the Irish National Cyber Security Strategy will focus on improving the awareness of cyber security basics for all citizens. However, this is even more important for our public service personnel. According to the Cost of Cybercrime study, only 4 per cent of security leaders in the public service globally say the employees in their organisations are held accountable for cybersecurity today.

Despite awareness being high and strategies to mitigate cyber security breaches having been widely implemented in the past, the level of preparedness and the resulting success differs drastically. To stay ahead in the current high-risk and transformative environment, organisations need to be more effective and diligent in addressing security; not only within their technology practices and policies but also across the strategy and governance of the organisation.

Here’s a practical approach outlining three key areas to focus on:

Build a cybersecurity strategy

A crisis response plan is not enough. Every government organisation also needs a proactive, holistic security strategy. The strategy needs to address not only the protection and security of data and technologies, but also the integration of these with other security measures, the creation of policies “fit for purpose” in the digital age, and the training necessary for employees to be the first and last line of cyber defence.

Assess risk

Conduct a risk assessment to determine the areas of greatest vulnerability and potential consequences of an attack. To engineer effective defences, take a realistic and pragmatic view of the threat universe and most likely scenarios. Conduct the assessment with both security experts and stakeholders throughout the agency and plan for recovery and resilience from those threats.

Lead security efforts with intelligence and advanced analytics

Digital gates and guards used to be enough to protect networks and data. But that’s not the case anymore. Effective protection now requires use of advanced threat intelligence supported by advanced, multifaceted analytics to help identify and manage threats.

Our National Cyber Security Centre provides threat intelligence data which is available to public service organisations. The use of techniques such as employee behavioural analytics use vast quantities of data from multiple sources to baseline normal network activity and identify anomalous or questionable activities in real time.

Dan Sheils, Managing Director, Health & Public Service, Accenture in Ireland:

“Accenture recommends that government organisations embed a rich security strategy at the core of all digital technology. It is essential that any technology project builds in security at the offset rather than trying to bolt it on immediately prior to production. In doing so, government organisations will be best placed to address both the evolving cyber-threat landscape and take maximum advantage of today’s evolving technologies.”

Pat Ryan, Head of the Garda National Cyber Crime Bureau:

“Cyber Security is everyone’s responsibility, but must start and be driven from the top down for organisations and public sector bodies. Therefore, it should not be just a problem for the IT Department, but an integral part of any department’s overall business strategies.”

T: +353 87 618 2618
E: jacky.fox@accenture.com
W: www.accenture.com

Related Articles

Government departments’ AI approaches

Public procurement buyers should act now to retain past competition data

Innovation in public services

National Data Infrastructure: Data as a strategic asset to the public service