It’s been three years since the WannaCry ransomware cryptoworm first appeared, causing untold damage to organizations all over the world. One of the worst hit was the NHS, with the attack causing 200,000 computers to lock out users, the cancellation of 19,000 appointments, and reportedly costing the UK health provider £92M.
Since then, the UK public sector has made great strides in mounting a stronger defense against cyber-attacks. But it’s an ongoing battle – cybercriminals get more sophisticated and creative in their approach, and public sector IT teams can feel under-resourced and over-stretched when trying to manage and mitigate the cyber-threat.
To establish the extent to which improvements are still required and help public sector IT teams manage the ongoing risk, we surveyed 1,000 central and local government employees. The report, The Unknown Threat, reveals where public sector organizations remain vulnerable and highlights practices that IT teams may be unaware of.
Below, we summarize three areas that stand out as prominent issues and provide some recommendations to help public sector organizations make improvements.
Increase cybersecurity awareness and training
A significant part of the issue is a widespread lack of awareness of cybersecurity and of the best practice required to stay on top of it. Our research found that almost half of respondents have either not heard of ransomware or do not know what it is.
One of the ways in which ransomware can enter systems is through employees unknowingly clicking on malicious links or files. These are often attached to emails in a cyber-attack known as phishing. The last few months have seen a significant increase in Covid-19-themed phishing attacks: well-crafted emails that play on fears and anxieties about coronavirus.
Despite phishing being an incredibly common and well-known form of attack, 25% of public sector workers have either not heard of phishing or do not know what it is, and 11% admit they have clicked on a link in an unsolicited email at work.
If people aren’t aware of a problem, it stands to reason that it will be hard to defend against. This lack of awareness is made worse by a lack of training – 77% of respondents have been given no instruction in how to recognize ransomware, while 16% have had no cybersecurity training whatsoever.
Update legacy systems
Outdated operating systems are often targeted by hackers looking for security weaknesses – the WannaCry attack is a perfect example of this. It took advantage of NHS machines that were running the Windows 7 operating system but had not been patched with an April 2017 update that would have protected them.
Although around two-thirds of public sector workers said that their work PC currently runs Windows 10, a worrying 11% are still using Windows 7. Windows 7 has not been supported by Microsoft since January 2020, so tens of thousands of PCs are potentially at risk.
Work to improve poor cybersecurity practices
With so many public sector employees currently working from home, it’s a good time to remind staff about best practice in cybersecurity. Passwords are a great example of this. In the research, 9% of public sector employees admitted to writing their password on a post-it note by their PC, effectively allowing anyone to log in and potentially steal data.
This is another way in which ransomware can enter a public sector organization. While the private sector minimizes this risk by using advanced multi-factor authentication methods such as security keys or biometric access, this practice is much less common in the public sector. Two-factor authentication (2FA) is one option that should be considered, yet our research revealed that 42% of public sector employees have either not heard of 2FA or do not know what it is.
However, it’s not all bad news. A majority of respondents (84%) said they would know what to do in the event of a cyber-attack. And while public sector employees are working away from the office during the current pandemic, cybersecurity teams have had to issue a little more guidance about what to do and how to act than they perhaps might usually have done.
This is a strong starting point for a ‘reboot’ of cybersecurity across the public sector. As and when people return to the office to work, the best practice used during lockdown is a foundation on which to build better security moving forward.