Managing risk: a roundtable discussion on cybersecurity

Cybersecurity roundtable in association with NTS and Fortinet - Image credit: Mark Jackson/Holyrood

“I think...the understanding of technology risk and cyber risk, information security, whatever you want to call it, is improving, said PwC’s Colin Slater, as he introduced the Holyrood and NTS Capita roundtable on cybersecurity.

The event brought together IT heads from across the public sector and private sector technology experts to discuss the key internal and external threats facing public sector organisations and the way forward for public sector data security.

For Colin Howarth of NHS National Services Scotland, the biggest security concern currently is financial theft, because of the vast number of staff and amounts of money changing hands for payments and payroll across the organisation.

“I think one of the most likely threats is just accidental behaviour by staff based on phishing,” he said.

A bigger concern for SEPA’s Neil Johnson is reputational damage. While he noted that if some of SEPA’s systems were wiped out, there could be an element of public risk, a more likely scenario was someone sending some data intended for one waste carrier to the wrong company and the news of the leak reaching the media.

---

RELATED CONTENT

What makes a vibrant successful public sector organisation? - a roundtable discussion

New pan-European data privacy laws a 'gamechanger', says senior Scottish Government cyber security tsar

Voucher scheme launched in bid to protect small businesses from cyber attacks

---

“It’s about reputation and our chief exec’s then got to answer to the minister about why has this happened and it’s about that level,” he said.

“Media’s a strange problem because the things that are reported in the media are rarely the things that actually have an impact on the public,” noted Howarth, pointing out that there will often be “huge media attention” about a single lost record or some inappropriate behaviour by a clinician making its way onto social media, but old infrastructure or outages on something like a domain directory, meaning people can’t log in, which could have a significant effect on care, will garner far less attention.

Johnson suggested the best policy was to “head a lot of these things off at the pass”. On a previous occasion when SEPA had a data leak, he called the Information Commissioner immediately.

“You’ve got to be on the ball. You’ve got to be proactive about these things. And you’ve got to have a plan in place, because it is going to go wrong at some point, so you’ve just got to be ready for it,” he said.

“From my perspective…the thing that I get sleepless nights about is personal data, said Angus Council’s Steve Roud. These concerns were particularly about user behaviour, he said, such as social workers sending a personal record to a Hotmail account to work on at home or staff putting inappropriate data in the public cloud.

“It’s…user behaviour and it’s almost a generational thing, so a group of employees that don’t really understand the technology they’re working with, they don’t really understand the implications of the decisions they’re making and organisations are so cash strapped they can’t really afford to spend the time giving them the training that they need. And all of these things coming together, I think, cause a significant headache,” he said.

Angus Council has had four ransomware attacks that have been successful because somebody’s clicked on a link, so the IT department did a test and sent an email to 500 users. Thirty per cent opened the email and 17 per cent clicked the link.

“The problem we have is that you have got a different generation of people who have no comprehension of the value of that data to criminals,” added Steve Mulhearn of Fortinet.

Grant Reid of North Lanarkshire Council noted that one of the issues that added to the problems was the tendency by councils to keep using legacy software where the permissions and the way that these programs are written don’t meet modern practices, so a simple ransomware attack might give access to other drives.

“But to re-engineer that backwards and try and get the organisation to put the effort in to get rid of that is very, very difficult,” he said.

“There’s no way you can train users to not open these things,” Howarth added.

Roud suggested that users behave differently in the office than they do at home with their personal data. “I don’t believe that people would take that level of risk when they’re at home and it’s their own services, their own data and it’s their own banking information,” he said. 

However, West Lothian Council’s Ian Forrest suggested there are staff who are not at all IT literate who do exactly the same at home. “We’ve had calls at our service desk that say ‘the screen says I’ve to do [spells out] C-T-R-L plus A-L-T plus D – what does that mean?’ They don’t know how to log into their PC, you know,” adding that he thinks staff assume because they are at work the IT department will have made everything safe.

Merlin Gillespie of NTS recommended not getting “too hung up” on generational problems, because “fundamentally, they’re user problems” and depending on the situation and what they were doing at the time, even a tech-savvy user might open the wrong email. He said despite regular training, “the problem exists within our business, and it’s with people of all different shapes and all sizes.”

One of the “very, very challenging things,” Gillespie said, was that the threats happen in a fairly opportunistic way and are not necessarily even directed at the business.

Mulhearn agreed: “I think you have to accept…that the cyber-criminal will take the low hanging fruit… It’s not a case of you put in a burglar alarm and you feel protected, it’s just you’re more protected than the house next door and therefore he will opt for that.

“And the thing for them with our intel is how quickly and easily they can monetise your data. That’s all they’re interested in.”

One of the changes noted in cybersecurity in recent years is a move away from ‘hard’ perimeter boundaries, with staff now accessing social media and an expectation that public sector organisations behave more like consumer organisations with customer portals and single logins, which has led to an increased focus on user behaviour and training, rather than just technology solutions.

“I often describe my job as half technology, part psychology because, you know, you do spend a lot of time trying to second guess culture, second guess behaviours and impacts. And if you’d talked about IT security 10 years ago, you probably would not really have talked about people and end users and the impact,” said Slater. 

This is quite stretching for technologists, he suggested, because it’s not really within their fields of expertise, but there’s now an expectation that they do that.

Preventing data leaks will become even more vital when the new EU General Data Protection Regulation (GDPR) rules come into force in 2018, requiring all data leaks to be reported.

“My fear is with GDPR mandatory reporting, we’re going to have a bit of a mushroom, and this is because I know of a lot more incidents that never see the light of day,” said Slater.

He continued: “Once we get mandatory reporting, the skeleton’s out the closet, and I think as a group we’ll be on the receiving end of that, because one, you’ll have to report, which is a major priority, and two, the press will have a field day. They’ll go to town on it big time.

“And that is a concern for me, how do we react to that? It’s going to be quite a testing period and it’s coming now. It’s actually happening already.”

The Scottish Government’s Joe Morris noted he was concerned about the recent alleged Russian attack on the Democratic Party because there was no financial imperative for it; it could only be to cause embarrassment.

“That, from the public sector side, really means everything’s up for grabs. Where do you prioritise, what do you monitor, all of a sudden the attack surfaces. Previously, you could quite happily say, ‘we’ll protect our financial systems, we’ll protect our data protection requirements and look after the personal data’, but now they’re just after anything. Anything.”

Roud said: “I think one of the biggest risks [is] there’s a big push towards trying to offer up the public sector services as an Amazon-type service…customer portals where people can log on and do everything once…yet at the same time…we’ve got these legacy applications that we’ve got issues with in our own user community, but we’re now going to push that out into a wider community. I honestly don’t think we’re quite ready for it.”

Scottish Government head of the Office of Protective Security, John Campbell, noted that going back five or six years “it was reasonably straightforward, because you just locked everything down and the user couldn’t really do anything to an extent that could cause that much damage.”

The Scottish Government’s strategy now is all about opening things up, he said, so that users can do what they want to do, including at home, but with the risk managed.

“What we have done is put massive investment in looking at traffic and analysing things proactively using threat intelligence to prepopulate the systems with known malicious command and control centres, things like that, so we know we may still get hit with ransomware or something, but we hope that known ransomware will be picked up at the point of entry and dropped immediately.”

This has involved refocusing attention on investing in the technology and skills to be able to monitor threats in real time proactively and try and prevent them. Technologies used include Darktrace and Logarithm. These can flag up things like people sending information out of the organisation, either information they probably shouldn’t be sending out or vast quantities of information, and it means Campbell’s department can pick up the phone immediately to ask the user for an explanation.

“Nine times out of ten there’s a legitimate business reason for doing it. The other one time we’re on it immediately. We haven’t waited until there’s significant threats and we haven’t tried to mop up the incident two, three days after,” he said.

“The key thing for me is visibility,” he continued. “How many of you know every part of your infrastructure, including all the segregated environments, what’s sitting in there, what are the channels into the core network? One of the main things for me was I cannot protect what I can’t see.”

There is also accountability within the Scottish Government as a whole organisation, with deputy directors of directorates responsible for signing off on Dropbox use - they will be held accountable for any leaks.

Campbell was able to persuade the Scottish Government to put in the necessary investment, but there was recognition in the group that for smaller public sector organisations such as the councils, SEPA and Skills Development Scotland, they would be unable to afford all the programs or get sufficient staff to run a SOC to constantly monitor threats, therefore, a shared solution would be helpful.

“The problem I see in Scotland is that everybody’s doing it independently,” said Capita SWAN’s Martin Gray.

“My concern, certainly in the Scottish public sector, is that some organisations can’t afford to do it, don’t have the resources to do it and I think that’s where there maybe needs to be a collective approach,” said Campbell.

“My written ambition and strategy is that we can expand a central capability to help some of the wider public sector. Now, that might not be popular with some of my public sector colleagues sitting round the table, where there’s an overarching security or cyber assurance provided to you and access to your network is monitored somewhere else, so these are the cultural things that I think I’ll have to deal with over the next couple of years.”

“I don’t think you should fear any lack of input or desire to take on good guidance from local authorities, Reid responded. “In fact, I think we’re screaming out for it, because we’re fed up trying to reinvent the wheel, we do not have the resources to do that any longer.”

Slater worked on a similar shared government security platform in New Zealand and noted that the possibility of collaboration was one of the advantages of being in the public sector.

“I think the communication and working together to understand where you might have some mechanism to pool resource, commonality, I think that’s really powerful, because a lot of private sector firms, they just don’t do that, they can’t do that or they’re not allowed to do that,” he said.