Cisco UK & Ireland Blog

The unintentional enemy within

January 23, 2018

The biggest cyber threats are closer to home than you think

The pace of cyberattacks seems to be accelerating, and from government to financial services to healthcare, no industry is immune from risk as hackers leave no stone unturned.

This is certainly true within the public sector: in 2016 it was reported that the education sector was targeted by ransomware more than any other industry, with one unfortunate UK university hit 21 times in a single year. Meanwhile, last year saw some particularly high-profile victims in the business world.

Yet the familiar image of the shadowy, malevolent professional hacker, and the dread evoked by names like WannaCry and Nyetya, mask the reality that security breaches are more likely to originate from sources much closer to home.

The enemy within

Of course, the NHS was one of WannaCry's more high-profile victims, yet the 2016 National Data Guardian for Health and Care's Review of Data Security, Consent and Opt-Outs found that most security breaches were caused unintentionally by 'non-malicious insiders'. In other words, employees.

It also found that these incidents tend to originate from seemingly innocuous actions: bring-your-own-device (BYOD), for example, or a staff member downloading software to help with their work, with the result that unexpected threats enter the network.

Best intentions

Within the workplace there is an uneasy tension between committed, conscientious staff and their willingness to break the rules to get the job done when the technology they have been given is inadequate for the task. Unfortunately, their laudable intentions can lead to insecure behaviours, such as using unauthorised cloud-based email or file-sharing applications. If this goes unnoticed, there is a substantial risk of malware infection, loss of data and data protection breaches.
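One way the "if this goes unnoticed" risk is usually made visible is to compare web-proxy logs against the list of cloud applications the organisation has actually sanctioned, and to separate casual use from bulk uploads. The following is an added example, not code from the original post or from Cisco; the key=value log layout, the category labels, the .example hostnames and the sanctioned-host list are all constructed for illustration.

```python
"""Spot unsanctioned cloud email / file-sharing use in web-proxy logs.

Added example (not from the original post). The log format, the
sanctioned-application list and the .example hostnames are constructed
for illustration; a real deployment would read its own proxy's export
and its own approved-application list.
"""
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Set, Tuple

# Constructed sample of proxy log lines in a simple key=value layout.
SAMPLE_LOG = """\
2018-01-23T09:14:02Z user=alice method=GET host=intranet.example bytes_out=512 category=business
2018-01-23T09:15:41Z user=alice method=POST host=drive.sanctioned.example bytes_out=20971520 category=file-sharing
2018-01-23T09:22:07Z user=bob method=POST host=fileshare.example bytes_out=52428800 category=file-sharing
2018-01-23T09:23:19Z user=bob method=POST host=fileshare.example bytes_out=31457280 category=file-sharing
2018-01-23T10:01:55Z user=carol method=GET host=webmail.example bytes_out=1024 category=webmail
2018-01-23T10:05:12Z user=carol method=POST host=webmail.example bytes_out=4194304 category=webmail
2018-01-23T10:30:00Z user=dave method=GET host=news.example bytes_out=300 category=news
"""

# Categories in which an unknown destination usually means shadow IT
# rather than ordinary browsing (hypothetical labels).
WATCHED_CATEGORIES = {"file-sharing", "webmail"}

# Hypothetical approved-application list (constructed).
SANCTIONED_HOSTS = {"drive.sanctioned.example", "mail.sanctioned.example"}

_KV = re.compile(r"(\w+)=(\S+)")

Finding = Tuple[str, str, str, int, int, str]


def parse_line(line: str) -> Dict[str, str]:
    """Parse one log line into a dict; the timestamp is the first token."""
    ts, _, rest = line.partition(" ")
    fields = dict(_KV.findall(rest))
    fields["ts"] = ts
    return fields


def find_shadow_it(lines: Iterable[str], sanctioned: Set[str],
                   watched: Set[str] = WATCHED_CATEGORIES,
                   upload_threshold: int = 10 * 1024 * 1024) -> List[Finding]:
    """Return one finding per (user, host) using an unsanctioned cloud app.

    Each finding is (user, host, category, requests, bytes_uploaded, flag).
    flag is 'upload' when POST bytes reach upload_threshold (a data-loss
    concern), otherwise 'use'. Sanctioned hosts and categories outside the
    watched set are skipped. Results are sorted by bytes uploaded, descending.
    """
    totals = defaultdict(lambda: [0, 0])  # (user, host, cat) -> [requests, bytes]
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        rec = parse_line(raw)
        cat, host = rec.get("category"), rec.get("host")
        if cat not in watched or host in sanctioned:
            continue
        key = (rec["user"], host, cat)
        totals[key][0] += 1
        if rec.get("method") == "POST":          # only count outbound payloads
            totals[key][1] += int(rec.get("bytes_out", "0"))

    findings: List[Finding] = []
    for (user, host, cat), (reqs, out) in totals.items():
        flag = "upload" if out >= upload_threshold else "use"
        findings.append((user, host, cat, reqs, out, flag))
    findings.sort(key=lambda f: (-f[4], f[0]))
    return findings


if __name__ == "__main__":
    for finding in find_shadow_it(SAMPLE_LOG.splitlines(), SANCTIONED_HOSTS):
        print(finding)
```

The sanctioned-host list is the part that matters: the same destination is fine for one organisation and a breach for another, so the list must be maintained alongside the approved-application process rather than hard-coded. A finding flagged 'use' is the cue to ask why the sanctioned tool was not good enough; 'upload' is the cue to check what data left.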

But it would be unfair to place all the blame on staff. All too often security is not treated as integral to the development of business systems (and, in the case of the NHS, clinical systems) but is added afterwards as a 'bolt-on'. The result is obstructions that force staff to find other ways of getting their work done, even if that means bypassing security controls.

Get the balance right

So, what's the answer? Firstly, rather than simply blocking potentially dangerous behaviour, it helps to examine why employees feel their existing technology cannot support their work, and to make sure they are given whatever support is appropriate.

Secondly, organisations should make security an integrated part of their overall systems development, one that supports workflow rather than obstructing it. They should also put in place security controls that let staff work freely but safely.

The National Cyber Security Centre (NCSC) website contains a wealth of advice on mitigating potential threats, including 10 steps to Cyber Security and 10 steps: home and mobile working. With new dangers emerging all the time, its publications are well worth a look.

We also have a range of general security information as well as guidance for specific areas within public sector including education, health and care, and local government.

With GDPR just around the corner, it is more important than ever to minimise the potential for breaches and to know what to do when one occurs. Failure to act can expose an organisation to legal and financial penalties, as well as loss of reputation.

And don’t forget to contact our public sector team directly for information and advice on this topic.
