Enhancing public sector cyber security in uncertain times: a roundtable discussion
Holyrood Events and Check Point Software Technologies gathered experts in the field of public sector cyber security and resilience to discuss the implications of the global pandemic – and what it can teach us about the way forward.
“There have been some sensational transformation projects, some amazing deployments very, very quickly done. This is the year that the world really did kind of move to cloud or is starting to. And obviously security is always at the forefront, at the core of that,” Paul Rickards, the public sector account director at Check Point Software Technologies, said in his opening remarks to the roundtable on cyber security.
The virtual gathering included representatives from health, education and local and central government. Its aim was to “open up a peer-to-peer conversation about what's been good, what's been bad, and maybe what's been a little bit ugly over the last several months”, Rickards said.
Indeed, everyone in attendance agreed on the importance of being able to reflect on the months since lockdown. The pace and scale of change is undeniable. And while the notion of ‘building back better’ is not generally used to refer to cyber security, there is a clear application. A key theme of the discussion was that while the necessary move to cloud-based services and remote working had posed a significant risk to the public sector, there were also opportunities to be had.
Approaches to security risk changed because those risks began to be outweighed by the risks of not adopting new technologies in the face of COVID. Within the NHS, this meant accelerating the rollout of Microsoft Office 365. Was the health service ready for this in terms of security?
“Not fully, no,” Deryck Mitchelson, director of national digital and information security at NHS NSS, said. “But we had to make decisions on the way we needed to operate and that determined how we were going to roll things out.
“We've not had any major issues, but we have seen a significant increase in the threats that have come into the NHS resulting in some compromises.”
These types of problems might have been avoided had there been more time to plan and manage the change, and there will be more remediation work as a result, Mitchelson admitted. But the largely successful rollout of the new software over just two weeks – basically unheard of in the public sector pre-COVID – also demonstrated what is possible.
Mitchelson added: “It's been, I would suggest, a good opportunity for us to showcase doing things at pace, taking a few more risks and perhaps getting quicker decisions than we did. It's felt a bit more for me like I was back working in the private sector than working in the public sector since COVID came in and, I think, one of our challenges is going to be continuing to work in that same way moving forward – maybe not taking the same risks as Office 365, but certainly being able to actually make quicker decisions and implementation.”
That was a feeling shared by others. Jordan Schroeder, managing director of Hefestis, spoke about using the change as a “catalyst for different kinds of growth” beyond the immediacy of the pandemic. He said: “It is a chaotic situation. We stopped saying ‘the new normal’ a while back, but we really need to be able to get our minds wrapped around how things are now and how we can best serve [people].
“There’s massive opportunities if we get past this multi-month, decisions-in-committees type of a situation and allow for disruption, allow for these risks to exist. They can be managed – the risks are easily, easily managed. By taking those risks in the first place, if we can do that, we can do some pretty amazing things, as we've already seen.”
So, what are the risks? Check Point Software Technologies security engineer Mark Mitchell explained that mostly it is a case of following the money.
Ryuk ransomware attacks have predominantly focused on healthcare, given the current global health challenge. There have been a number of high-profile attacks on hospitals in the US, and many security experts are predicting these types of attacks will be seen in Europe shortly.
The other area being targeted, Mitchell said, is brand integrity. The number of phishing schemes is multiplying and in fact, people are “more susceptible” to them than ever because of COVID. Having such a big news event constantly humming in the background means “the user can get trapped in a very, very dangerous narrative around being reactive to this thing that’s constantly in the news, and this is used against them.”
Indeed, this has been reflected in what the Scottish Government has seen. Paul Chapman, head of public sector cyber resilience within government, said: “Across the public sector, what we did see at the start [of the pandemic], rather than pings on your firewall and antivirus, was phishing. We saw lots and lots of phishing. The only change was we began to see the COVID lure used as the phishing hook to tempt people into doing stuff.
“And what we also saw was the really traditional fraud type approaches – business email compromise, leading to fraud from people trying to compromise the changes in the financial processes that people were having to adopt in this new out-of-the-office world.
“We've tightened up processes across the board since then. We've got better at exporting problems and we've got to the point where we've educated our staff that if something doesn’t smell right, it doesn't feel right, and just looks a little bit fishy, then you start questioning it. And we don't think we had any significant ones that got through the net, as far as I'm aware.”
This type of staff training will continue to be crucial going forward, as various surveys indicate an appetite for remote working to remain an option post-pandemic.
Dr Keith Nicholson, a member of the National Cyber Resilience Advisory Board, spoke of the benefits: “People rather like working from home, not travelling two or three hours a day. And actually, the work/life balance is much better. Their mental health, in some cases, is worse, but many people feel a lot better. So, what is becoming quite evident is this is going to be a way of working for the future now. I think that's a good thing in many ways, in that it means you don't have to live in the Central Belt to work in some organisations; we could disperse the economy across Scotland. I think that’s good for the country.
“But also what it does mean, is that this risk profile has shifted completely and that needs to be adapted to. Whilst initially there was a high level of risk taken, now there needs to be some more mitigation measures applied, recognising that this way of working is the future.
“Out of necessity, some risks have been taken that would not have otherwise been taken. I think it's highlighted some areas of real vulnerabilities in home working, across privacy and GDPR issues, particularly for those who were sharing accommodation, that’s proving quite challenging.”
Another risk associated with working from home is staff using their own devices, or corporate resources sharing a home network with those personal devices.
But the general feeling in the (virtual) room was, again, that all these risks can be managed. Various solutions are available through VPNs, endpoint licences, multi-factor authentication and other security measures. There is simply a need to be flexible in dealing with the problems and creating cyber security and resilience policies which reflect that.
A major benefit of remote working, as Nicholson mentioned, is the possibility of opening up recruitment to far more people than a role would ordinarily reach. Nicholson later explained that Revenue Scotland, of which he is chair, is currently recruiting across Scotland and even further afield – which is particularly useful given the specialist expertise required for the roles.
But Schroeder tempered some of this enthusiasm by pointing to a hesitance to really seize the opportunity. He said: “There's still a lot of resistance. And there’s still a lot of desire to keep things not just in the UK, but to keep things in Scotland. I understand that and I respect that… But on the other hand, what opportunities are we leaving on the table, because we won't shift our mindset that we can be Scottish and still get help from the outside?”
He added: “It requires a different mindset and requires to get over some of this inertia that we have, in our current way of dealing with it. Change has happened in a short period of time. And yes, it’s going to take some time for us to wrap our heads around it. But again, if we’re willing to take on some risk and know how to manage them properly, the sky’s the limit. It could be an incredible thing.”
And where this initial hesitance has been set aside, it is working well. Mitchelson revealed: “I’ve got a CCIO in Belfast working for me, I have got a chief of staff based out in France working for me. And I just feel we embraced this at the start of the year. When we saw what was happening, I just decided that all the roles I've got are global roles, and it doesn't matter where they are. Let's get the best talent working – that’s what the important thing is, not location.
“It's fair to say being a national health board I've got more flexibility than others and a different way of doing this.”
Across the public sector, transformational change has been delivered in less than ideal circumstances over the last eight months. The key message from this roundtable was that more could be done in the coming years, as long as organisations do not revert to type when the pandemic pressure is eased.