The UK public sector faces an ever increasing barrage of cyber attacks every hour of every day. Though many of these attacks, much like attacks seen across every sector, are entirely automated, there’s a growing number of targeted attacks conducted by highly-skilled and well-funded adversaries.
This growth of cybercrime and state-sponsored intrusions has been on a monumental rise over the last 15 years. As technology has improved, become more affordable and made its way into the hands of almost everyone, the nefarious drive to use this technology for financial gain and espionage has grown proportionally.
Alongside this, the time to market for public vulnerabilities has greatly reduced.
It’s becoming more common for exploit proof of concept code to be available shortly after a vulnerability is publicly disclosed (often within hours or days). While helpful in ensuring appropriate mitigations are developed, it also greatly accelerates the creation of automated exploitation mechanisms. This gives cyber criminals easy and cheap access to exploit tools that can deliver malware at scale, often without the need for human interaction.
The cyber security industry itself has become an industrialised economy, both through the research and sale of high value zero-day exploits and the increasingly cheaper cyber crime toolkits available on the darkweb. When cyber criminals are offering ransomware via an affiliate program and the cost of adequately protecting against attacks is far higher than it is to procure them – the public sector has a major issue.
The UK government’s response to this growing threat was clearly outlined in its National Cyber Security Strategy 2022-2030 (published February 2022).
“Government’s critical functions are to be significantly hardened to cyber attack by 2025, with all government organisations across the whole public sector being resilient to known vulnerabilities and attack methods no later than 2030.”
– National Cyber Strategy 2022-2030
Despite providing some very clear plans for public sector organisations through its Vision, Aims, Pillars and Objectives – the headline statement that all critical functions are to be significantly hardened to cyber attack in just two and a half years and all public sector organisations must be resilient to known attack in seven and a half years, is a difficult thing to wrap your head around, but we’re here to help!
So what about these Alien space-hackers?
Cyber security commonly gets a bad rap and I struggled to understand why, despite working in the field for years, until I read this quote from The Phoenix Project by Gene Kim, Kevin Behr and George Spafford.
“They’re always coming up with a million reasons why anything we do will create a security hole that alien space-hackers will exploit to pillage our entire organisation and steal all our code, intellectual property, credit card numbers and pictures of our loved ones.”
– Bill Palmer, The Phoenix Project
It often feels like there’s 2 forms of risk: the clearly obvious and the frankly bizarre. I for one often have my mind focused on the alien space-hackers, which is somewhat understandable, having spent many years of my life helping the public sector defend against some of the craziest, most inconceivable cyber security threats that you couldn’t even imagine.
This however, is not the norm, we don’t all face the same risks. Because of this, a cyber security function can’t create a single template for doing security well, rolling it out across the public sector and calling it a day.
Equally, there is no one silver bullet when it comes to defending against risk. There is no such thing as a zero risk, fully secure solution. Cyber security risk can only be understood, managed and remediated. Organisations must plan for the worst, defend for the known, then monitor and respond to the rest. And as the threats evolve, so must the response. Cyber security is never done – it’s a culture to embed.
Why Made Tech?
Building securely has been a key part of Made Tech’s delivery philosophy since its inception in 2008, but it’s become clear over recent years that our partners in the public sector have struggled to keep up.
There are many things that impact this, from a lack of skilled resources, budget constraints and the focus on adding features above securing the basics.
Providing a dedicated cyber security consultancy service that sits alongside and compliments our growing set of services enables us to continue in our core purpose to positively impact the future of the country by using technology to improve society, for everyone.
The threats may never end, but that doesn’t mean we want to lock you into a never-ending commitment to us as a cyber security consultant. As with our track record with technology delivery, our approach is to help instil the culture, competencies and ways of working to leave your organisation fully equipped.
Because defending the public sector from cyber attack is incredibly important, but making sure the public sector is empowered with the technology, knowledge and support to continually defend itself is Made Tech’s mission.
If you’d like to hear more from us on cyber security and the public sector, sign up for Made Tech Insights to get new blog posts and other content delivered straight to your inbox.