How to build cyber resilience in the public sector
Being cyber resilient is a priority for any organisation, perhaps even more so in the public sector, where huge amounts of personal data are at stake. During the Government Data Show, Alex Harris, Head of NHS and Social Care Cyber Risk at NHSX, Keith Nicholson, Head of Cyber Threat & Vulnerability at HMRC, and James Blake, Field Chief Information Security Officer at Rubrik, joined Government Transformation's David Wilde to discuss ways in which the public sector can enhance its cyber defences.
Here are some highlights from the panel discussion.
Communicating cybersecurity standards to build citizen trust
Cybersecurity standards provide a common language and taxonomy that allows organisations to talk with stakeholders about their security position in a way that is understood by everyone involved. Benchmarking to external standards provides an objective measure of an organisation’s performance.
HMRC's Keith Nicholson said that although standards are important, what drives trust among citizens on cyber resilience is communication and engagement with the customer base.
“These are all good things but are they the things that stand out to citizens or customers when they're thinking about whether they trust your organisation or your brand?” asked Nicholson. “The things that really stand out are actually security incidents, and breaches happen to organisations all the time.”
How organisations respond to a data breach has a more lasting impact on citizen trust than standards alone, Nicholson added. Organisations that act swiftly in acknowledging a breach and work proactively with customers to manage the risk will fare better than those that are slow to respond or try to hide the incident.
“[Organisations that are] very transparent and honest are going to have a much better opinion than one which drags its feet when it comes to disclosure, and only informs customers because they've been told that they have to inform them,” Nicholson told delegates. “As a citizen myself, if I'm dealing with an organisation like that, I'm not going to trust them in the future to fix the problems that went wrong the first time round.”
NHSX's Alex Harris agreed that transparency and communication with citizens are a more effective way of building trust: “Many citizens spend time scrutinising the standards and also trusting themselves to be able to assess what are the right standards,” Harris said. “You’ve got to speak people’s language, it’s about how you communicate problems to customers.”
Ultimately, what industry professionals talk about is what makes it into the news, which in turn shapes public opinion. Harris drew on the example of the first iteration of the Covid-19 NHS app, which failed to gain citizen trust and attracted negative coverage.
“A lot of industry professionals felt [the app] wasn't meeting what they saw as key things, and that filtered through to the public opinion,” he said. “Most public opinion wouldn't have reference to best practice or standards, but it was ultimately derived from that.”
Lessons were learned and applied to the development of the more recent NHS app, which has had a greater acceptance and been downloaded by more than 10 million users to show proof of their vaccination status.
Harris added: “A lot of that does come from the fact that it does abide by those industry best practices and standards, and industry professionals speaking about how it can be trusted in that way filters through. I think standards have a big role to play but in a complex and indirect way.”
Endpoint security: is identity the new digital perimeter?
Panellists also spoke about the relevance of identity as the new digital perimeter. In Harris’s view, it is the only viable option, since the old ‘castle-and-moat’ model is incompatible with how almost any network or service in the world operates nowadays. In the ‘castle-and-moat’ network security model, no one outside the network can access data on the inside, but everyone inside the network can.
“We're in an age of amazing digital transformation, of increasing accessibility in so many things, including healthcare,” Harris said. “The old security models don't work with that, so either you're not keeping up with the business, or you are dragging the business into the past. Identity has to be the new perimeter, we have to have zero trust.”
He added, however, that this new perimeter also needs to be easy for users. To make identity seamless for users, Harris and his team are looking at single sign-on, password-less environments and device-based authentication, among other things.
“Obviously, there are trade-offs to be made, that's not going to be appropriate for all environments,” he continued. “But in my dream scenario, a user’s fingerprint is read through their keyboard or something like that, they don't even know it's happening and they don't actually have to stop and authenticate once but from a systems point of view, they are authenticated constantly.”
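To make the contrast between the two models concrete, here is an added example that is not from the article or from any of the panellists' organisations. It evaluates the same constructed access requests under a castle-and-moat rule (allow anything that originates inside the corporate network range) and under an identity-centric rule of the kind Harris describes (verified identity, attested device, stronger authentication for sensitive data, and a freshness check that stands in for continuous authentication). The network range, the sensitivity labels and the five-minute re-verification window are all assumptions chosen for illustration.

```python
"""Castle-and-moat versus identity-centric access decisions (illustrative only)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

# Constructed corporate address range: the "moat" in the old model.
CORP_NET = ip_network("10.0.0.0/8")

# Assumed maximum age of the last identity/device verification before the
# session must be re-checked (a crude stand-in for continuous authentication).
MAX_AUTH_AGE_S = 300


@dataclass
class Request:
    src_ip: str                 # where the request comes from
    user: Optional[str]         # verified identity, or None if unauthenticated
    mfa: bool                   # whether a second factor was presented
    device_compliant: bool      # device attested as managed and compliant
    auth_age_s: float           # seconds since identity/device were last verified
    resource_sensitivity: str   # "low" or "high" (assumed classification scheme)


def perimeter_decision(req: Request) -> bool:
    """Castle-and-moat: location on the network is the only thing checked."""
    return ip_address(req.src_ip) in CORP_NET


def zero_trust_decision(req: Request) -> Tuple[bool, str]:
    """Identity-centric: every request is evaluated on who, what device, how
    strongly and how recently, regardless of network location."""
    if req.user is None:
        return False, "no verified identity"
    if not req.device_compliant:
        return False, "device not attested or non-compliant"
    if req.auth_age_s > MAX_AUTH_AGE_S:
        return False, "verification stale; re-authenticate"
    if req.resource_sensitivity == "high" and not req.mfa:
        return False, "second factor required for high-sensitivity data"
    return True, "allow"


# Constructed sample requests.
INSIDE_UNVERIFIED = Request("10.20.30.40", None, False, False, 0, "high")
REMOTE_CLINICIAN = Request("203.0.113.7", "clinician", True, True, 60, "high")
REMOTE_STALE = Request("203.0.113.8", "clinician", True, True, 3600, "low")


def compare(req: Request) -> Tuple[bool, bool, str]:
    """Return (perimeter_allows, zero_trust_allows, zero_trust_reason)."""
    zt_ok, reason = zero_trust_decision(req)
    return perimeter_decision(req), zt_ok, reason


if __name__ == "__main__":
    for name, req in [("inside, unverified", INSIDE_UNVERIFIED),
                      ("remote clinician", REMOTE_CLINICIAN),
                      ("remote, stale session", REMOTE_STALE)]:
        print(name, compare(req))
```

The first request shows why the moat alone is not a control: it is allowed purely because of where it comes from. The second shows the benefit Harris is after, a legitimate remote user reaching sensitive data without being on the network. The third shows the freshness check forcing re-verification, which a real deployment would make transparent to the user through the single sign-on and device-based mechanisms mentioned above.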
Rubrik’s James Blake highlighted the challenges of implementing zero trust in large organisations with millions of assets and legacy technologies that can stretch back decades. Businesses should be realistic and accept that not all data can be constantly protected and that the zero trust model is not 100% infallible. Instead, he recommended that organisations focus on the important data that needs to be secured.
Blake said: “It comes back to that digital transformation, we need to make sure we embrace the right levels of authentication and access restriction to be able to deliver zero trust across all of our IT infrastructure projects, which need security to be embedded. They're not just a tack-on at the end of the project but added during the design phases, the architecture phases and everything else.”
Instead of retrofitting zero trust into a fragile and complex environment, Blake suggested carrying out a risk assessment on the effects of replacing legacy systems, to establish what benefits that would bring, how it would affect public service delivery and how it would benefit citizens. Although he agreed that zero trust is the way to go, careful consideration should be given to all the different components that make central government complex.
“I think we need to get to truly secure data, otherwise government is going to waste a lot of money making the system more complex, and complexity is the enemy of resilience,” added Blake.