In the public sector the risks of data breaches are vast, costing millions in halted or impacted operations, lost revenue, data recovery and more. Allied to this is the loss of integrity and reputation when personal and critical data is compromised; as well as the potential for public services - such as national electricity grids – to be disrupted. With governments holding so much sensitive data on citizens, weak data security also poses a real risk to incite cyber-terrorism from international crime syndicates.
Public sector institutions and agencies are prone to facing three types of risks: insider threats, outsider threats and trusted computer-based threats. Within each of these categories the tactics rapidly evolve – demanding high level of awareness and security measures.
But just what are some of the most important security considerations for public sector officials?
Ensure integrated threat management
Government institutions must address every single vector on the attack surface: an ever-growing range of threats including the likes of botnets, distributed denial of service, malware, ransomware, phishing, spyware, worms, trojan horses, hacking, viruses, session hijacking and more.
Threat detection tools should provide ‘360 degree’ visibility of all types of incidents, identifying attempted breaches as they happen in real-time. This analysis should encompass all physical and industrial assets, end-point devices, networks, perimeter and access control points, vulnerability and penetration management, and compliance with standards and regulations.
Such an integrated approach should always leverage security best-practices and technologies that fit within the risk profile of an organisation as well as remain adaptable over time.
Physical security remains a key consideration
Physical security should be part-and-parcel of one’s integrated approach as breaches within offices, data centres or endpoint assets such as smartphones, laptops and flash drives can be just as devastating as cyber-attacks.
Physical security should incorporate everything from manned security and perimeter control, to biometrics and surveillance. To further tighten controls, government institutions should leverage encryption to ensure that data contained on physical assets is inaccessible and unusable.
At the same time, the data should be backed-up and remain available to authorised parties - to ensure that data is not simply lost in the event of physical hardware being stolen or destroyed.
Frameworks and standards
Government departments should use information security and governance frameworks which align with the principles of the Public Sector Risk Management Framework: a policy designed to guide the way departments manage risks (including the risk of data breaches).
Security standards should also consider the type of government institution in question - so the Revenue Service would need to take into account the various data governances that encompass the handling of financial data, while a department like Home Affairs would need to adhere to the Protection of Personal Information (POPI) Act. They should also look at the evolution in the underlying security technology like Cryptography and Encryption standards and adopt or change them as per the latest development, for example US Government adoption of Elliptic curve cryptographic standard in 1990s and moving away from RSA (Rivest–Shamir–Adleman) crypto, however in recent years they have moved away from Elliptic curve cryptographic toward Post-Quantum computing.
Certain overarching frameworks – such as ISO27000, and the National Institute of Standards and Technology – are non-negotiables, always guiding information security in any public sector institution.
Tread wisely with Cloud migration
Cloud security solutions offer a number of benefits to public sector organisations, allowing then to benefit from the very latest defence technology, to easily integrate different security tools to create a customised suite of protection services, and to only pay for the security services that they actually use.
With Cloud Service providers investing in the infrastructure instead of the customer, capital expenditure is minimised, allowing government departments to redeploy funds to core competencies and enhanced e-government service delivery.
Cloud solutions may not be the silver bullet for all data warehousing, backup, recovery and security needs. In high security environments, highly sensitive data resides in on-premise infrastructure with high levels of encryption and physical security.
Ultimately, public sector organisations must remain acutely aware that cyber-criminals are sophisticated professionals, hell-bent on stealing intellectual property and destabilising government operations. As these dark forces never stop experimenting and evolving, it is imperative for institutions to stay ahead of the curve in the race to innovate and protect critical information
Sanjay Vaid, Director, Cybersecurity and Risk Services-Africa, Continental Europe, Wipro Limited