Ensuring public sector safety in the digital age

Chris Dimitriadis, chief global strategy officer at ISACA, looks at how public sector organisations can protect themselves.

Earlier this year, several hospitals across London were subjected to a sophisticated cyberattack that had devastating consequences for patients. With more than 1,000 planned operations and over 3,000 outpatient appointments postponed, the attack caused huge disruption for the NHS in the capital.

Cyberattacks are undeniably on the rise. In the UK alone, as many as half of all businesses report having suffered a cybersecurity breach or attack in the last twelve months.

But they are also becoming increasingly sophisticated. Hackers are moving at pace with technology and honing their skills to inflict maximum damage on their victims. Ransomware attacks remain the most acute type of cyber threat facing most UK organisations, and these too are becoming more sophisticated.

Typically, organisations with complex supply chains face far greater risk. If one element of that chain becomes compromised, the whole organisation can be brought down. This means that when it comes to cyberattacks, nothing and no one is off limits, including public sector institutions such as the NHS and the Ministry of Defence.

So, how can organisations in the public sector better protect themselves against the threat of impending cyberattacks?

Regulation is being implemented

At the State Opening of Parliament in July, King Charles III announced the new Labour government’s plans. One of these plans was the Cyber Security and Resilience Bill, something that has been welcomed with open arms by the technology and cybersecurity industry.

A significant way that the bill is set to protect public sector organisations is by proposing to enforce universal standards across supply chains. This will mean that every single company within the supply chain of a service such as the NHS, for example, will be required to comply with a certain standard of cybersecurity protection. Of course, it’s a positive step in the right direction, as bad actors can capitalise on any small weak link in a supply chain and launch an attack. The next move will be for this Bill to be followed through, introduced and enforced by the new government sooner rather than later to avoid further damage in the meantime. But regulation alone isn’t the answer.

There’s strength in numbers

While implementing and enforcing regulation is vital when looking to protect organisations – both public and private – from succumbing to cybercrime, it’s not a quick fix solution on its own. In order to be successful and achieve the best level of protection, businesses need to have trained professionals in place. By employing staff with the right skills in the right places, they can not only diligently monitor for and implement any measures needed to comply with such regulation but can also be on the front foot, proactively monitoring for any warning signs or potential threats.

It is essential that upskilling and training for staff is available and provided at any company, big or small. The World Economic Forum reports that there is a global shortage of nearly four million cyber professionals. That number is vast, and is unfortunately growing. This cannot continue in a digital world where cyberattacks are on the rise.

According to research that we at ISACA carried out amongst our membership in Europe in 2023, a shocking 62 per cent of respondents reported that their cybersecurity team was understaffed.

The new UK government has proposed the introduction of Skills England, a new entity designed to fight the broader skills shortage issue that the country is facing by working to assess where current and future skills demand lies. The next step will be for digital skills to become a focus of that body, with a view to working on closing the skills gap.

Schemes like Skills England will help to both fill vital positions to make organisations more secure and create a more diverse workforce. By providing a range of opportunities and routes for those looking to enter the cybersecurity industry, workplaces will attract a variety of people from different backgrounds, fostering a team that has diverse thought processes and approaches to problem solving.

This is valuable, as a fully rounded cybersecurity team needs people with both technical and soft skills – someone that can think like a hacker and remain one step ahead is just as important as someone with excellent communication skills who can simplify the intricacies of cybersecurity to the board.

And if organisations can widen their approach by inviting people to interview that might not yet have the exact qualifications needed, but have the right attitude, aptitude and are willing to learn, they will see more applicants and more talent keen to sign up.

Time for change

Societies often suffer from a feeling of inertia. People follow in the employment footsteps of their ancestors, take static careers advice from their school or university or simply “find themselves” in a job. Typically, we lack dynamism and forethought when it comes to starting out on the career ladder. That needs to change.

From a young age, people need to be taught that there are career options beyond the ‘obvious’, including exciting, diverse job opportunities and career paths in the world of cybersecurity. Figures suggest that around 60 per cent of today’s school children will enter a career that hasn’t been thought of yet, which is no surprise with emerging technologies evolving at a rate of knots.

With that in mind, it’s important that the information available to young people is the most up to date, whether that’s by a change in curriculum, or by professionals heading into schools to talk to students about what their future could look like. Not only do young people need to be made aware of the career options open to them, but they also need to be told that they don’t need to be limited to taking specific technical qualifications to pursue a certain career.

When it comes to cybersecurity and AI, there’s a wider need to upskill people from the ground up. The school curriculum should be evolving now to cover the basics of AI technology, its applications and ethical use cases so that the next generation of leaders grows up steeped in knowledge of the future technologies, and resultant job opportunities.

Keeping up with the latest technologies

While AI can – and will – no doubt achieve powerful things, with the potential to revolutionise services and improve menial workloads across industries, it does pose a threat. And public sector organisations are just as vulnerable here as anybody else. It’s imperative that users of AI are aware and mindful of the risks associated. Education and training around emerging technologies such as AI is a non-negotiable if organisations want to feel secure and protected.

Regular training is the remedy for this. And while any cyber and IT teams should be offered such training as an immediate priority, it should be rolled out to the wider workplace, particularly if staff are regularly coming into contact with AI. Although they are the experts, the onus shouldn’t solely be on the cybersecurity or IT team, and staff throughout the organisation should at least be familiar with the basics and how these are set to change.

Yet research carried out by ISACA amongst our European membership earlier this year revealed that 40 per cent of organisations offered no AI training to staff and a further 30 per cent only offered it to those working in tech-related positions.

Legislation and guidance on AI will of course be welcomed alongside this. AI tools are informed by data, and so this data needs to be regulated and have the adequate protections in place. While being educated and having training on AI is imperative, users need to be secure in the knowledge that they are using a regulated and safe service and feel empowered to embrace newer technologies.

Ultimately, public sector organisations must make sure that they are taking the same precautions as private businesses. They are unfortunately just as vulnerable, and in a world full of increasing geopolitical tensions and state-sponsored attacks, national services with complex supply chains that are relied upon by large quantities of people are a haven for attackers on a destructive mission. A combination of legislation, compliance, and training will help businesses and sectors across industries to become more trusted and secure.