By Michael Ioannou
Data breaches are an unfortunate reality of the modern digital landscape, and organisations can be categorized into three groups regarding their information security posture: those that have been breached, those that will be breached, and those that have yet to be breached.
A breach, in the cybersecurity realm, refers to any incident that compromises the confidentiality, integrity, or availability of data.
These three concepts, commonly referred to as the CIA Triad, represent the foundational pillars of information security and serve as the basis for the security objectives of any organisation, namely, to protect their data from unauthorized access, ensure the accuracy and consistency of their data, and maintain the availability of their systems and resources for authorized users.
In light of recent events in the public sector, I feel compelled to express my opinion based on my experience in this area. Despite the crucial importance of cybersecurity, many public sector organisations remain vulnerable to cyber threats due to insufficient security measures.
It is widely acknowledged in the cybersecurity industry that there is no single solution, a silver bullet, that can combat all cyber threats. Instead, it requires a cultural shift within the organisation, which encompasses policies, procedures, adequate IT infrastructure, robust security controls, and, most importantly, a strong awareness of cybersecurity from top to bottom.
Despite the importance of cybersecurity, many public sector organisations are still vulnerable to cyber threats for many reasons. One of the main weaknesses in the public sector is the slow pace of implementing new technology, and the lack of funding and full-time IT and cybersecurity professionals to properly maintain the infrastructure through systematic maintenance. Another significant issue is the lack of cybersecurity awareness among public sector employees.
It should be well understood that cybersecurity is not just about implementing firewalls or antivirus software. Rather, it involves a comprehensive strategy that takes into account all aspects of an organisation’s IT infrastructure and its people.
The objective of this article is not to present a cutting-edge technological solution that can effectively counter all cyber threats. Rather, it aims to take a step back and establish the fundamental requirements for a secure and robust infrastructure that can withstand attacks.
With new technologies being introduced regularly, it can be challenging to keep up with the latest security threats and maintain a robust IT infrastructure. Failure to update and maintain an IT infrastructure can lead to cybersecurity risks that can cause significant damage to an organisation.
Outdated software and hardware components are one of the main culprits for cybersecurity risks in an IT infrastructure. As software and hardware vendors release updates and patches to address vulnerabilities, cybercriminals are quick to exploit unpatched systems. Attackers can use unpatched software to gain unauthorized access to an organisation’s network and steal sensitive data, install malware, or launch other cyberattacks. Failure to keep software and hardware up to date can leave an organisation vulnerable to these attacks.
Without adequate resources allocated for maintaining IT infrastructure, an organisation risks leaving systems and software unpatched and vulnerable to cyber threats. Budget constraints may also prevent an organisation from investing in the latest security tools and technologies that are necessary to defend against modern cyber threats.
Therefore, it is crucial for the public sector to allocate a sufficient budget for IT personnel and security to ensure that infrastructure is maintained properly and that the overall cybersecurity posture is robust. This includes investing in the latest security tools and technologies, hiring qualified IT professionals to manage and maintain systems, and providing ongoing training for staff to ensure they are aware of the latest threats and best practices for protecting against them. Allocating a budget for IT personnel and security is a wise investment that can help prevent costly security breaches and ensure that public sector organisations continue to deliver essential services to citizens securely and efficiently.
Security Baselines & Standards
Cybersecurity baselines refer to a set of minimum security standards that an organisation should implement to protect its digital assets from cyber threats. These baselines typically include a range of security controls, policies, and procedures that are designed to prevent, detect, and respond to cyber-attacks.
The government, or to be specific, the organisation responsible for the cybersecurity of the country, should enforce and implement a minimum security standard that each organisation in the public sector should meet.
Additionally, many organisations consider cybersecurity standards a best practice for ensuring that they reach a certain level of security. These standards consist of a set of guidelines, best practices, and requirements for implementing effective cybersecurity measures, and they provide a framework for organisations to manage their cybersecurity risks and protect their digital assets from cyber threats.
Some examples of cybersecurity standards include ISO/IEC 27001, NIST Cybersecurity Framework, PCI-DSS, GDPR, and HIPAA, among others.
These standards cover a wide range of areas related to information security, including the policies, procedures, and technical controls necessary to protect data and systems from unauthorized access, theft, damage, or disruption. Together they form a holistic approach that will ensure the confidentiality, integrity, and availability of an organisation's data and systems.
Some of the areas typically covered by cybersecurity standards include:
· Access control: Outlining the requirements for controlling access to sensitive data and systems, such as password policies, multi-factor authentication, and user permissions.
· Network security: Covering the best practices for securing network infrastructure, such as firewalls, intrusion detection and prevention systems, and network segmentation.
· Incident response: Providing guidelines for responding to security incidents, including incident reporting, incident investigation, and communication.
· Data protection: Defining the requirements for protecting sensitive data, such as encryption, data backup, and data retention policies.
· Physical security: Setting the requirements for securing physical access to buildings, server rooms, and other critical areas.
· Compliance and audit: Providing guidance in complying with regulatory requirements and conducting security audits to identify vulnerabilities and improve security posture.
· Security awareness and training: Addressing the importance of security awareness and training programs for employees to ensure they are aware of their roles and responsibilities in protecting company assets.
· Disaster recovery: Ensuring that an organisation can quickly recover from a catastrophic event such as a natural disaster, cyberattack, or hardware failure.
Why could tender procedures not apply in cybersecurity?
A tender procedure is a competitive process used by governments and other organisations to procure goods, services, or works from external suppliers. It typically involves the publication of a tender notice, inviting potential suppliers to submit their bids, proposals, or offers in response to the stated requirements.
Governments use tender procedures to ensure the procurement process is fair, transparent, and competitive. This helps to prevent favouritism and corruption, and ensures that the best value for money is obtained for the goods, services, or works being procured.
By using a tender procedure, governments can ensure that all potential suppliers have an equal opportunity to bid for the contract, and that the selection is based on objective criteria, such as price, quality, and delivery timescales. This helps to ensure that the final selected supplier is the most suitable and offers the best value for money, thereby promoting accountability and efficiency in the procurement process.
However, technology is renowned for its rapid pace of development and evolution, with new threats emerging on a daily basis. This renders the traditional tender process impractical, as it requires organisations to outsource their services in response to a given threat, which in turn leaves the organisation vulnerable for an extended period.
For instance, when faced with issues such as an outdated server or the need for antivirus software, prompt action must be taken to mitigate the risks before they even materialize. A protracted tender process, on the other hand, would result in the organisation being exposed to these risks for an extended period of time.
Additionally, the successful tender is often selected on the basis of the most favourable price. However, such an approach is not applicable to cybersecurity, or technology in general. The priority should be to meet the best practices set by standards and frameworks, and only then to consider budgeting matters.
To attain the aforementioned objective, it is recommended that an autonomous government-affiliated entity, possessing the requisite knowledge and proficiency, be tasked with drafting the tender. This body should not be involved in the tendering process as a solutions provider, and its primary objective should be to create a tender that is as precise as possible, incorporating the most effective solutions in line with the government’s overarching cybersecurity objectives.
Cybersecurity requires a holistic and proactive approach
In conclusion, cybersecurity is crucial in today’s digital world, and public sector organisations must prioritize it. With the increasing number of cyber threats, it is not a matter of whether an organisation will be hacked but when.
It is essential for the public sector to have a comprehensive cybersecurity strategy that takes into account all aspects of its IT infrastructure, security and its people. This includes updating and maintaining software and hardware, allocating a sufficient budget for IT personnel and security, and following cybersecurity baselines or standards.
While tender procedures are useful for procurement, they are not practical for cybersecurity, as the process may take too long, leaving organisations vulnerable to attacks.
Therefore, it is crucial for public sector organisations to take a proactive approach to cybersecurity and continuously monitor their systems for vulnerabilities and threats.