
Public sector risks downplayed by senior IT leaders

Sophos reveals a significant cyber security perception gap between senior IT and security leaders in the public sector and their front-line teams

Public sector CIOs and CISOs are significantly overestimating the strength of their organisations’ security posture when compared to their front-line IT teams, according to new research from Sophos. Among other things, the study claims that 55% of public sector leaders believe their digital data is less valuable than the private sector’s.

This is despite the fact that public sector organisations – in particular NHS trusts – handle vast amounts of highly sensitive personal data and confidential government information. Sophos’ research team said this could result in the under-protection of digital data and was at odds with how IT leaders tended to rate their threat level and risk as higher and wider than those dealing with everyday issues.

“The kind of data held by public sector organisations could cause extensive harm if exposed to cyber attackers,” said Jonathan Lee, Sophos’ director of public sector relations. “Sensitive data for up to 66 million UK citizens could become available to the highest bidder on the dark web or among other criminal groups that buy and sell personally identifiable information [PII] such as names, addresses, national insurance numbers, tax returns, confidential medical records, passport details, and more.

“Cyber criminals can then use this data for spear-phishing, identity theft, breaching networks, or extortion.

“Data relating to the nation’s strategic intelligence and defence, such as surveillance records and tactical plans, is also at risk and could have catastrophic consequences for national security if leaked.”

The report also showed that 76% of IT leaders said they had been affected by a ransomware incident in the past 12 months, compared with just 16% of IT practitioners, while 45% of leaders had observed a huge increase in security incidents and 35% a huge rise in actual breaches, compared with 4% and 8%, respectively, among practitioners.

Front-line IT pros also disputed the narrative around a cyber security skills shortage. Just 14% of them were concerned that they were under-resourced in this regard, while 36% of C-suite leaders said recruiting and retaining security specialists was the most immediate challenge to their security posture.

Lee said the study highlighted a chasm in perception within the public sector, and whatever the reasons might be, the end result was that critical data on millions of UK citizens was potentially at risk because its public sector custodians misunderstood the true level of risk they faced, and were therefore not properly prepared for it.

“Better communication across teams, more effective knowledge-sharing, and clearly defined processes are essential if we are to make the UK public sector as secure as it needs to be,” he said. “This should be complemented by security solutions that provide clear and accurate data on the number of cyber threats and attempted attacks.”

Meanwhile, new statistics from domain name system (DNS) security specialist EfficientIP have revealed that, globally, government organisations were among those most frequently targeted in domain attacks, with successful attacks costing an average of $558,000 (£431,400), and each incident taking more than seven hours to mitigate.


More than half of government organisations that responded to the study, which was conducted alongside analysts at IDC, said they had suffered application downtime because of DNS attacks in the past 12 months, while 43% had been hit by cloud downtime and 41% by compromised websites. One-fifth of government respondents also said sensitive information or intellectual property had been exfiltrated during a DNS attack, the highest across all the sectors studied.

However, one-third of respondents rated DNS security as only low or moderately important, while the same number didn’t bother to perform analytics on DNS traffic, which suggests many security teams are unaware of how significant a DNS attack can be to essential services.

Despite the risk, one-third (32%) of government respondents do not recognise the critical nature of DNS to operations, stating that DNS security is only low or moderately important. Also, one-third (32%) of government sector respondents do not perform analytics on DNS traffic, suggesting that respondents are potentially unaware of how DNS downtime deprives users of access to essential applications or government services.

“With an increasing number of government services moving online, hackers have more points of attack to exploit than ever before,” said David Williamson, CEO at EfficientIP.

“When 91% of malware uses DNS, analysis of DNS transactions is vital for uncovering these dangerous threats hidden in network traffic. In particular, the detection of data exfiltration via DNS requires visibility and analytics on transactions from the client to the destination domain.

“Despite this, our latest research shows governments are significantly more exposed than other sectors to DNS attacks. This is unacceptable when governments are trusted with sensitive information by their citizens, so they need to understand the potential risks to protect both themselves and the public.”
