Managing cyber threats to public services
Jessica Figueras, Chief Executive of cybersecurity consultancy Pionen and Vice Chair of Trustees at the UK Cyber Security Council, talks about the challenges facing public sector organisations in managing cyber threats.
With significant increases in ransomware and phishing attacks, Figueras emphasises that all public bodies are targets of hackers.
“With the use of generative AI, attacks are becoming even more sophisticated. Not so far in the future, we are going to be having deepfakes which are going to make attacks much more sinister,” she says.
Speaking in the aftermath of an intergovernmental conference in early 2024 which focused on controlling the privileged proliferation of commercially focused bad actors, Figueras states that the main challenge is a new generation of hackers who “are being very entrepreneurial and selling the tools that they have developed and their services to other bad actors,” which she describes as “hacking as a service”.
“We are all in the firing line,” she observes, adding: “The harm to citizens that can come about as a result of these threats is something which we cannot ignore. In Australia, for example, there was a very significant breach of private healthcare data, which meant the private medical details of 10 million citizens were posted on the dark web.”
Figueras contrasts the constant pace of innovation among hackers with the pace of cybersecurity action from governments throughout the world.
“Governments and institutions do not tend to move fast,” she says, adding: “We are struggling with the inability to recruit enough skilled cybersecurity professionals we need to do the actual work.
“Cybersecurity in the public sector has often suffered from a very piecemeal approach which is inherently reactive. We need to think about a proactive capacity, which evolves each year and is insulated against the winds of change, through budget cycles, and through boom-and-bust economics. The way we are going to do that is by focusing on people, process, and technology.”
Technology
“Cybersecurity is primarily first and foremost a risk management discipline,” Figueras asserts. “At the heart of risk management is the idea that we have to not only know what all of our risks are, we need to know which are most important so we can rank them.”
According to Figueras, the main focus for public service organisations at the moment is being secure by design. Looking at new service development, she describes a data-driven cyber defence that is driven by risk.
“It is about understanding intelligence and quickening the pace at which we can pull in information about threats and vulnerabilities and ensuring that we are prepared to respond more quickly.
“To ensure that there is an avenue for this, central agencies, such as the UK’s National Cyber Security Centre, are going to be hearing from – and also increasingly between – governments and trusted international partners, sharing these insights and working to defend as one.”
Process
“Almost every large organisation that has been around a while will have accumulated an awful lot of technology over the years and a lot of security controls too,” Figueras contextualises.
With some public sector bodies holding more sensitive citizen data than others, Figueras asserts that there is a need for organisations to ensure that frameworks are developed in a way which is “very specific to the organisation”.
“We live in a world where it is a reality of when – not if – we will face a cyberattack. We need to detect incidents and events as they happen so that we can respond to them in real time. We need to be able to recover data and we need to plan proactively for what recovery means because the warning signs are there.”
People
Figueras says that, within the cybersecurity sector, there is a tendency to “fixate on technology” while not enough focus is placed on “the human beings who actually do the important job of protecting us every day”.
“Amongst cybersecurity professionals, there are high levels of stress and burnout. There are really high levels of mental health challenges. As a result, staff turnover in that sector is high and this is a big part of the reason why organisations in every sector find it really hard to recruit and hold on to their cybersecurity professionals,” she says.
Asserting that cybersecurity professionals are often made “scapegoats” when major incidents occur, she argues: “Professionals need to be valued and supported because we need more of them.
“We need more upskilling, we need to build our capability, and we are not going to do that if we scapegoat, and leave them to their own devices.”
Concluding, Figueras states that adapting working culture towards supporting people is the key to sustainable success in the cybersecurity sector.
“We are now in a place where we are starting to build security in from the start. To keep this momentum, we need engaged leadership which is accountable and interested in sustainable success while supporting its staff.”