Can you trust the government with your data?

Nigel Thorpe

Nigel Thorpe, technical director at SecureAge, looks at why an increase in cyber-attacks on government is causing a lack of trust and says it's time for a new approach

We should not be surprised that Government organisations are routinely and relentlessly targeted by cyber attacks from criminal groups, hacktivists or nation-states. Of the 777 incidents managed by the National Cyber Security Centre (NCSC) between September 2020 and August 2021, around 40% were aimed at the public sector. This trend shows no signs of abating, and Britain's support for Ukraine against the Russian invasion has put the UK Government in the crosshairs of more Russian-based cyber groups.

Earlier this year, Downing Street and Foreign Office computer systems were suspected to have been infected with spyware, according to the Canadian investigative group, The Citizen Lab. Ironically, the Pegasus spyware found is usually sold to governments to carry out surveillance by infecting phones with malicious software. The Foreign and Commonwealth Office was forced to call in BAE Systems Applied Intelligence to deal with the incident at a cost of nearly half a million pounds.

But it's not just central Government that is under attack. In December last year, Gloucester City Council's IT systems came under attack, affecting services such as benefit payments, planning applications and house sales. The malware, which got in via an email sent to a council officer and has been linked to hackers operating out of Russia, encrypted large parts of the council's files and restricted access to them.

In addition to external attacks, a freedom of information investigation last year by VPNOverview showed that UK councils had been hit by a staggering 33,645 data breaches caused by human error in the previous five years. Hampshire was the worst offender, followed by Gloucestershire, Lancashire and Warwickshire.

These disclosures and findings are worrying for all of us as central and local governments hold more sensitive information on UK citizens than any other organisation. After a recent attack on Hackney Borough Council in London, sensitive data about staff and citizens were allegedly published on the dark web.

It started with a phish

In addition to breaches within our government institutions, cyber criminals also use sophisticated phishing techniques to send fake messages requesting financial information, tempting recipients to click on malicious links or convincing their victims to make payments to rogue bank accounts.

We tend to take notice of official emails and it’s not surprising that many of us fall for messages appearing to come from HMRC, promising a tax refund.

Reasons to be fearful

While money is the big motivator for cyber attacks, it’s not the only target. Financial and personal data in many structured and unstructured forms is worth a lot of money to hackers who can ransom it or sell it for identity theft and phishing. The threats were compounded further through the pandemic with so many people suddenly working from home and cyber criminals preying on our anxieties. And most recently, the invasion of Ukraine and increasingly unstable global geopolitics has heightened the risks of attacks from state-sponsored criminal groups.

Time for a change

The traditional way to mitigate these risks is to try to identify and then block malicious activities using anti-virus software and new techniques such as threat intelligence centres, endpoint telemetry, zero-trust and user behaviour analysis. But cybercriminals have a habit of being one step ahead and while anti-malware vendors try to keep up, mainstream security is always one step behind. The problem is often compounded in government departments and local authorities that can’t match the IT security resources seen in the private sector.

So, why bother trying to identify anything malicious? A better way is to block all unauthorised processes from executing. In a public sector or business environment, there is generally no reason for a previously unknown application, executable or script to run. If it is not on your list of authorised processes, then it should be blocked, a bit like the bouncer on the door: if you're not on the list, you won't get in. Using this approach, ransomware attacks can be prevented before any damage is done.
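As an added illustration (not SecureAge's product and not code from this article), the default-deny check described above as a small Go model: executables and scripts are identified by the SHA-256 of their contents rather than by name or path, and an interpreter is only allowed together with a listed script. All file contents, paths and labels are constructed for the demo.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Allowlist keys authorised code by the SHA-256 of its contents rather than by
// name or path, so a renamed, moved or freshly dropped file is still unknown.
type Allowlist map[string]string

// ExecRequest is one attempt to run something. When Path is an interpreter
// (PowerShell, a script host), Script holds the script it was asked to run:
// listing the interpreter alone would otherwise authorise every script.
type ExecRequest struct {
	Path   string
	Image  []byte // contents of the executable being launched
	Script []byte // contents of the script argument; nil for a plain binary
}

func hashOf(b []byte) string {
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// Authorise is default-deny: every piece of code in the request must be listed.
func (a Allowlist) Authorise(r ExecRequest) (bool, string) {
	label, ok := a[hashOf(r.Image)]
	if !ok {
		return false, "block " + r.Path + ": executable is not on the list"
	}
	if r.Script != nil {
		if _, ok := a[hashOf(r.Script)]; !ok {
			return false, "block " + r.Path + ": " + label + " is listed but its script is not"
		}
	}
	return true, "allow " + r.Path + " (" + label + ")"
}

func main() {
	payroll := []byte("payroll-app 4.2 (constructed)")
	pwsh := []byte("powershell host (constructed)")
	backup := []byte("nightly-backup.ps1 (constructed, reviewed)")
	list := Allowlist{hashOf(payroll): "payroll-app", hashOf(pwsh): "powershell", hashOf(backup): "nightly-backup.ps1"}
	fmt.Println(list.Authorise(ExecRequest{Path: `C:\Apps\payroll.exe`, Image: payroll}))
	fmt.Println(list.Authorise(ExecRequest{Path: `C:\Temp\invoice.exe`, Image: []byte("mailed attachment (constructed)")}))
	fmt.Println(list.Authorise(ExecRequest{Path: "powershell.exe", Image: pwsh, Script: backup}))
	fmt.Println(list.Authorise(ExecRequest{Path: "powershell.exe", Image: pwsh, Script: []byte("unreviewed (constructed)")}))
}
```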

The other mainstream approach to preventing data theft is to layer up defences to stop cyber criminals from getting in. But a compromised user account will pass all these tests, granting the ‘authorised’ user easy access to data, which can be extracted to the endpoint and then stolen by copying it externally.

Full disk encryption is frequently used to mitigate this problem because it encrypts your device. This is fine if you lose your laptop, but on a running system it will hand over decrypted data to every process that asks for it. And as cybercriminals can only steal data from running systems, full disk encryption cannot prevent this theft.

The answer is to encrypt all of your data, all of the time. But to work, full data encryption must be just as transparent and easy to use, and data needs to be encrypted at rest, in transit and in use no matter where it gets copied – including when it is stolen. This way, if cybercriminals steal data, it is useless to them, as they are unable to decrypt it – reverse ransomware, you might say. You can't demand a ransom for data that is already encrypted.

This approach also avoids the cost and hassle of deciding if data is sensitive or not. Rather than categorising data into different levels of sensitivity and treating them differently, all data is treated as sensitive. With the technology and processing power available today, encrypting everything at file level is a seamless and affordable way to protect data. Security is most effective when it is applied as close to the source as possible and you can’t get closer than the data itself.
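To make concrete the difference between full disk encryption and always-on file-level encryption described above, here is an added Go model (not SecureAge's product and not code from this article): files exist only as AES-256-GCM ciphertext, and only an authorised process receives plaintext, while any other process, such as a copy tool run under a compromised account, sees exactly the on-disk ciphertext. Process names, file contents and the key are constructed for the demo.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

type Vault struct {
	aead       cipher.AEAD
	authorised map[string]bool   // processes allowed plaintext, by name for brevity (constructed model)
	files      map[string][]byte // exactly the bytes that sit on disk: nonce || AES-256-GCM ciphertext
}

func NewVault(key [32]byte, authorised map[string]bool) *Vault {
	block, _ := aes.NewCipher(key[:]) // cannot fail for a 32-byte (AES-256) key
	aead, _ := cipher.NewGCM(block)   // cannot fail for an AES block cipher
	return &Vault{aead: aead, authorised: authorised, files: map[string][]byte{}}
}

// Store encrypts on write, binding the file name in as associated data so ciphertexts cannot be swapped.
func (v *Vault) Store(name string, plaintext []byte) {
	nonce := make([]byte, v.aead.NonceSize())
	rand.Read(nonce)
	v.files[name] = append(nonce, v.aead.Seal(nil, nonce, plaintext, []byte(name))...)
}

// Read returns what the calling process actually sees: plaintext only for an authorised process,
// otherwise the on-disk ciphertext, which is all a copy tool or a compromised account's script gets.
func (v *Vault) Read(process, name string) ([]byte, error) {
	raw, n := v.files[name], v.aead.NonceSize()
	if len(raw) < n {
		return nil, fmt.Errorf("no such file: %s", name)
	}
	if !v.authorised[process] {
		return raw, nil
	}
	return v.aead.Open(nil, raw[:n], raw[n:], []byte(name))
}

func main() {
	var key [32]byte
	rand.Read(key[:]) // constructed demo key; a deployment manages keys centrally
	v := NewVault(key, map[string]bool{"benefits-app": true})
	v.Store("claimants.csv", []byte("constructed: name,NI number,amount"))
	app, _ := v.Read("benefits-app", "claimants.csv")
	thief, _ := v.Read("copy-tool", "claimants.csv")
	fmt.Printf("benefits-app sees %q\ncopy tool sees %x\n", app, thief)
}
```

With full disk encryption the second read would return plaintext too, because the running system decrypts for every process; here the copied bytes stay ciphertext wherever they end up.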

Adopting this data-centric approach would make a big difference at a time when robust security is more important than ever. The UK's NCSC is calling for "increased cyber-security precautions", particularly for national critical infrastructure. Data-centric security goes to the heart of the problem, whether in central or local government, large corporates or SMEs. By securing data against theft and ransom we are beating the cyber criminals at their own game.