Mind the gap: public and private sector disparity in cybersecurity
Amidst increasingly sophisticated cyber attacks and a constantly shifting threat landscape, cyber security partnerships across the private and public sector are essential in tackling these threats. This need for stronger collaboration between the two sectors was a topic of discussion at the recent ‘Cybersecurity in Public Procurement’ roundtable hosted by HP Wolf Security at the US Embassy in London.
The expanding threat landscape
In the aftermath of the SolarWinds attack of 2020, the public sector is facing a rapid rise in malicious threats, with ransomware and social engineering attacks becoming more prolific. However, as Ian Pratt, global head of security for personal systems at HP, explained, while fears about nation-state actors have increased, cyber criminals continue to be behind the vast majority of threats. In fact, “the way people are being attacked hasn’t changed much,” with simple techniques like phishing continuing to dominate.
The lure of public sector data is attractive to cyber criminals that can exploit a treasure trove of personally identifiable information (PII) for identity theft, financial fraud, account takeovers, or to create spear phishing emails and social engineering attacks that lead to ransomware. Added to this is the fact that the public sector is particularly vulnerable due to a mix of outdated and legacy systems. According to the UK Cyber Security Strategy 2022-2030 report, 40% of all cyberattacks in 2020-2021 affected the public sector.
Government and the public sector are intrinsically linked: the U.K.’s Digital Marketplace shows the government’s commitment to embracing the products of commercial vendors of all sizes.
In 2019, government spending on software and services through the Digital Marketplace was £1.3 billion. In relative terms, however, this is only a small amount: total UK Government spend across all areas was nearly £850 billion, and several individual IT projects run by large IT companies each exceeded £1.3 billion on their own.
Supply chains present an additional risk: unless carefully managed, the supply chain into government is exposed to cyberthreats.
This threat landscape has prompted the UK Government to set the wheels in motion to change the situation. The UK Government Cyber Security Strategy 2022-2030 sets out a vision of cyber security resilience built on public-private sector collaboration: it aims to build greater cyber resilience across all government organisations, working together to ‘defend as one’.
Defend as one: five best practices in cybersecurity collaboration
There are some practical ways to begin the process of collaboration between the public and private sectors:
- Adopt a common approach to ‘secure by design’. The U.K. Government Cyber Security Strategy report stresses the importance of baking security into the government’s use of technology. The report also highlights the importance of continually assessing security across services and solutions.
- Share threat intelligence. Sharing security information is vital to developing private-public partnerships to build more resilient systems.
- Build collaboration portals to share knowledge. A practical, accessible means of sharing security information provides the intelligence needed to act. An example of this in action is the U.S. Quantum Dawn V project hosted by the U.S. Department of Homeland Security to carry out industry-wide cyber-resilience exercises.
- Close the skills gaps in cyber security through education. A culture of security is vital in removing resistance to change. The captains of industry survey shows that most boards now prioritise security. This must percolate throughout an organisation to place security at the heart of both the public and private sectors.
- Use a common cyber security controls framework. Security frameworks guide how to build cyber-resilience into processes and technology, and they also cover the people who interact with these systems. For example, the public and private sectors can work together by applying the Cyber Security Strategy’s ‘secure by design’ framework, as outlined in the report.
Conclusion
As cyberattacks increase in sophistication, the private and public sectors must take shared responsibility for securing critical infrastructure. The HP Wolf Security panel served to highlight the pressing need for the public sector to forge stronger partnerships with the private sector. As HP’s Dr. Ian Pratt summarised: “to become truly resilient both private and public sectors need to consider their overall endpoint security posture and adopt state of the art hardware and software that can detect, resist and recover from attacks.” Secure by design is essential in building resilience into a public sector that is intrinsically linked to the private sector. Placing security first is a must-have as the boundary between the public and private sectors becomes ever fuzzier. Only deep collaboration will provide the intelligence and support needed to tackle the complex and voluminous cyberthreats of our digitally transformed world.
Learn more about Quocirca’s cybersecurity insights in our Zero Trust Trends 2022 report.