The risks of data breaches are particularly high for governments and public sector organisations, and they face great challenges in maintaining cyber security. Due to the nature of the public sector, organisations must store huge amounts of classified and personal information, which requires the highest levels of data protection, and also makes them attractive targets for hackers. In addition, the legacy data storage systems used by many organisations mean defences are weaker than they should be. This is further complicated by how increasingly connected public sector organisations are with their stakeholders, for example via apps and portals.
The cost of a data breach could not be greater. According to IBM’s Cost of a Data Breach report, each cyber attack on a public sector organisation costs an average of US$2m to manage and rectify. The impact goes beyond financial: a breach can erode the confidence of stakeholders and the general public, and cause reputational damage that can be difficult to repair.
This increasing use of technology to create connections increases cyber risk. The challenge is to stay in control of those connections at all times.
Cyber attacks in the public sector
Public sector organisations tend to have stable IT systems which they use for core business functions, such as financial processes. In most cases, they will use an industry-standard setup, which is a good thing, although they still need to protect these systems and follow best practice for security management.
Organisations can become more vulnerable to cyber attacks when they have tailor-made technology solutions. For example, a healthcare organisation will have systems for storing data which is very specific to their needs. While the IT system itself may not be bespoke, it will be customised and connected to web applications that use the internet, and that’s where the risk of a breach increases.
Mitigating cyber risks
The first thing organisations should do is ensure that the people who have access to their IT systems are educated in cyber security best practices. They need to be aware of what data they have, and of common methods of cyber attack, so they watch out for suspicious activities such as phishing emails. Organisations should also ensure they are using a strong authentication mechanism for accessing their systems. Many organisations still simply use a user ID and password, and that's just not enough. Two-factor authentication provides much stronger protection – in addition to a password (something you know), your mobile phone can be used as a way of providing access (something you have).
Another strong mitigation is segmentation. This means separating the more dynamic internet-facing web applications from the back office where all the data is stored – so if a system is compromised in one segment, your whole database is not compromised. Designing a network based on these security architecture principles is a strong measure and part of ‘security by design’.
The ongoing monitoring of software is also key. Software can contain weaknesses or, as they’re often referred to, vulnerabilities. Organisations need to ensure that these vulnerabilities are identified and ‘patched’ as soon as possible. For example, if there is a security update from a software provider, it should be installed instantly because the update addresses a weakness that can be exploited, and vulnerabilities become public information very quickly.
The cyber security centres of governments, or of comparable organisations, usually publish cyber threat alerts as a warning to others. There are also commercial databases available online which list the latest identified vulnerabilities; hackers are always looking at these.
Managing reputation after a cyber attack
Maintaining cyber security helps to protect the reputation of an organisation, and the safety of its clients, members and employees. Ultimately, the responsibility for this lies with the CEO. It is vital for the CEO to receive updates and information in relation to cyber security and cyber incidents, so they are able to make informed statements about cyber security when required. Relying on communications from the IT department, or even their outsourced IT provider, is not enough. In addition, there is no standard reporting for cyber security, and that can be a real problem.
This is important because when cyber breaches occur, the CEO has to explain what went wrong to stakeholders. Maintaining one hundred percent security is not possible. An incident will come, and then it's very important that you have your communication plan ready.
Want to know more?
Want to know more about what you can do to manage cyber risks? Then please contact Jan Matto by e-mail or by phone: +31 (0)88 277 13 99, or Jeffrey de Bruijn by e-mail or by phone: +31 (0)88 277 11 27. They will be happy to help you further.