Security IT Summit | Forum Events Ltd Security IT Summit | Forum Events Ltd Security IT Summit | Forum Events Ltd Security IT Summit | Forum Events Ltd Security IT Summit | Forum Events Ltd

Posts Tagged :

Public Sector

GUEST BLOG: SME collaboration delivering effective Public Sector IT security

960 640 Stuart O'Brien

Written by Bernard Parsons, CEO, Becrypt

When Becrypt began developing security technology for government more than a decade ago, relationships with Systems Integrators were the only viable route to understanding and accessing customer requirements.

Our experiences today are of a vastly more diverse supply chain, with some major government programmes consuming our services as part of a collaborative ecosystem of cyber security SMEs.

The public sector is under intense pressure to transform its services by delivering better, more reliable experiences, more efficiently for UK citizens. Technology is at the heart of that ambition.

User expectations increase exponentially as consumer tech evolves, added to which the opportunities emerging from private sector innovation in everything from Artificial Intelligence (AI) to big data analytics are so significant that the public sector has an obligation to establish how they can be deployed for public benefit.

Nevertheless, unlocking the advantages of flexible, mobile, data-driven services requires effective cyber security. Public sector data is incalculably valuable; from citizens’ personal identifiable information to highly classified government records, the risk of compromise by accident or malicious intent must be appropriately managed.

Within one major government programme, we are actively collaborating with ten innovative SMEs working directly with government to deliver cloud-based services and mobile platforms that have functional and performance characteristics more typical of our faster-paced private sector customers than government systems of old, whilst achieving the ‘high assurance’ requirements of sensitive government networks.

This new way of working has been driven in part by a convergence of public and private sector requirements, both in terms of technology expectations and cyber threat. To help drive the required innovation, government departments now engage directly with SME’s through agile sprint processes, supported by lighter-weight contracting vehicles, leveraging the agility of SMEs and their desire to align innovation with emerging customer requirements.

Whilst agile SME suppliers have flexibility to tailor solutions closely to public sector customer requirements, government’s relatively recent desire to avoid bespoke systems, combined with market convergence, allows the same R&D costs to meet the needs of broader markets.

For example, Becrypt has worked with the National Cyber Security Centre and other government departments to develop a ‘Cloud Client’ End User Device platform for accessing cloud and online services, leveraging open source components to develop a security-focused operating system. As a ‘born-in-government’ product, we have then been able to deploy the same technology across other security conscious organisations, such as those within the Critical National Infrastructure.

The wider marketing of products built for, or at least influenced by government is helped in part by the thorough technical due diligence or product assurance that government typically undertakes. Such activities are very resource intensive but can nevertheless be a very effective mechanism for an SME needing to establish its first market for a new product. Using product assurance or system accreditation as a meaningful differentiator, is more viable for an SME than the alternative of competing with the vast marketing budgets of multinationals, allowing a beachhead to be created within government, before ‘crossing the chasm’ to adjacent markets where requirements now overlap.

There will of course always be an important place for System Integrators as part of the cyber security supply ecosystem for government, and indeed many are evolving internal structures to promote greater agility, innovation and collaboration through mechanisms such as ‘Intrapreneurship’.

But in our experience, collaboration between cyber SMEs over recent years, combined with new public sector engagement models, has had a transformative effect on a number of key government IT programmes.

Under lock and key: how can the public sector keep data safe?

960 638 Stuart O'Brien

Dan Panesar, VP EMEA, Certes Networks

The public sector faces intense public scrutiny, especially when it comes to cybersecurity.

However, the launch of the National Cyber Security Centre in (NCSC) in 2016 suggests that the sector is beginning to take the issue of cybersecurity seriously, marking the Government’s commitment to making the UK a safe place to live and work online.

And it’s not just public scrutiny the sector has to contend with, but the global digital revolution means that changes are happening rapidly, and technology adoption is not happening as quickly as it should.

On top of this, the public sector has numerous regulatory and Information Assurance (IA) based obligations they are required to fulfil, making some organisations within the sector too scared to make changes or enforce new policies for fear of breaking the rules. 

Restricted budgets, small teams and intense workloads can often make cybersecurity a low priority. Rather than enforcing and developing proactive, robust strategies to keep the organisation’s data safe, teams end up working reactively to mitigate threats as they arise. Not to mention the complex and wide-reaching nature of public sector organisations, making coordinating the array of essential services, stakeholders and functions a near impossible task. 

Keeping up with digital change 

The digital transformation means that traditional connectivity solutions are being replaced to reflect cloud deployments, network function virtualisation and the ability to deploy meaningful orchestration-based management. To reflect the update of digital and online services, public sector networks are expected to grow at 15-25% per year; in order to keep up with this demand, users are becoming increasingly reliant on both high-speed and high-availability transport networks, whether they are MPLS, SD-WAN or 5G or a combination of networks to deliver information when and where needed. 

In the not so distant future, dependency on traditional hardware will become more challenging as additional capacity means the user may have to continuously upgrade its network to reflect growth. However, current and conventional approaches to data protection create numerous challenges particularly around scalability, performance, complexity, key management and key rotation.

Don’t shy away from new technology

The public sector needs to start embracing new technology; the prospect of digital transformation should be exciting, rather than daunting. As a sector with a reputation for being slow to adopt mobile technology, potentially due to concerns over its lack of security, there is a tendency to instead lock down data and restrict the use of technology altogether. However, this just isn’t sustainable, and a lack of mobile technology won’t keep the hackers out. 

If changes don’t happen soon, the public sector will get left behind. To keep up, it needs to recognise that a digital network with a mix of connected users, devices and applications, does not need to make an organisation vulnerable; no matter how complex it may be. Flexibility and digital agility are undoubtedly at the top of every government’s agenda, making it essential for organisations to embrace the technology available. However, instead of putting adopting technology that attempts to secure each entity itself, or worse, layering technology on top of technology with a security solution tied into the network, organisations need to focus on what’s really important – and that’s Information Assurance (AI). In order for organisations in the public sector to really be secure, rather than securing the network, the focus needs to be on protecting the data.

An organisation’s biggest asset

Data is arguably an organisation’s biggest asset; it’s the crown jewels that must be protected, and what the hackers will inevitably set their sights on when planning an attack. In reality, a fine won’t be enforced under regulations such as the General Data Protection Regulation (GDPR) for a breach to an organisation’s network; the fine comes into play when a breach results in data being lost or stolen. That’s the difference in value between an organisation’s network and its data. 

And the fact is, the public sector is quickly becoming a prime target for hackers. But how can organisations ensure their data is really protected? Firstly, organisations need to move to a data-centric, IA security model underpinned by a robust and strategic security overlay, on top of an organisation’s existing network and independent of the underlying transport infrastructure, making the network itself irrelevant. A software-defined security overlay enables a centralised orchestration of IA policy and by centrally enforcing capabilities such as software-defined application segmentation using cryptography, key management and rotation, data is protected in its entirety on its journey across whatever network or transport it goes across. 

For the public sector, this means organisations no longer need to fear technology; each application on the network and the data it holds will be kept secure, irrespective of any changes made. Furthermore, if a data breach does occur, as long as it’s encrypted it will be rendered useless to hackers, mitigating the potential damaging consequences of a breach. 

Quite simply, cybersecurity must be at the forefront of business strategy. Public sector organisations need to embrace technology, coupled with the right security architecture, or risk being left behind. 

Scottish Government outlines cyber security plans

960 640 Stuart O'Brien

The Scottish government has outlined its cyber strategy in a 48-page document – The Public Sector Action Plan on Cyber Resilience.

 The plan offers details to local authorities, Government departments and NHS boards on best practices for protecting themselves against cyber attacks. The Scottish Government fast-tracked the strategy in wake of the global cyber attack in May when 11 Scottish health boards were targeted by hackers.

 Discussing the plan, First Minister John Swinney said it would “encourage all public bodies, large or small, to achieve common standards of cyber resilience,” before adding: “I want our public sector to lead by example on strengthening cyber security, to help ensure Scotland is ready to deal with all emerging threats.”

 Some £200,000 is to be made available for organisations to assess, identify and improve cyber security issues, while ministers will also write to chief executives of Scottish public bodies to urge them to ensure all firewalls and security procedures are up-to-date with companies in public service chains asked to demonstrate how they have protected themselves.

 Colin Slater, head of cyber security at PwC in Scotland said: “To date we’ve been reacting to cyber security using frameworks that are almost 30 years old. That’s not representative of the risk we’re dealing with these days.

 “During that attack NHS trusts couldn’t take appointments, they couldn’t do imaging, they couldn’t prescribe drugs, couldn’t admit patients. The ultimate consequence is that you can’t deliver your public service.

 “Cyber criminals are brilliantly tooled up, they’re very dogged, they’re very very clever and they’re very fast and agile.”

 Dr Keith Nicholson, joint chair of the National Cyber Resilience leaders’ board’s public sector steering group, said by following the plan “Scotland’s public sector will be better protected against cyber attacks to the benefit of both the organisation and the citizens of Scotland.”