From a public sector perspective, over the last eighteen months the demands on IT have been greater than ever before. The initial strain came at the outset of the pandemic when IT departments within public sector organizations were forced to rapidly implement remote working for their own staff. The focus was on keeping the lights on and ensuring service continuity. In tandem with this, public sector IT teams also had to consider how they could best secure networks, systems and data as they started to do a lot more of their work online – a trend already underway pre-pandemic but that has been accelerated by Covid.
The move to staff working from home in particular, made it much harder for IT departments to update machines, add patches to them, and keep legacy, on-premise systems up-to-date and secure.
Legacy systems, including some that might have been created 20-30 years ago and updated incrementally, are a particularly tough challenge for public sector organizations since they have often not been built or developed from the outset with security in mind. Security is not embedded at the heart of these systems and how effective it is typically depends on a number of variables, including how efficiently suppliers provide updates and how frequently councils and other bodies apply them.
The security of legacy systems also depends to a large extent on the security of the networks these systems typically sit on. If those networks aren’t secure and they are hosted by the public sector organization itself, then that opens up other avenues for vulnerability. All these factors together are placing huge demands on public sector IT teams, and making it more difficult for them to deliver optimum levels of cyber-security. Yet, given that public sector IT systems typically hold large volumes of sensitive data, and that they have become a key target for cyber-criminals in lockdown, finding a solution to this problem is ever more urgent.
Ultimately, any solution has to come down to a combination of technology, people and processes. Councils, local government organizations and other public sector bodies have found over the past few years that they are more like technology organizations than they ever realized. As soon as a council website goes down for example, residents can no longer apply for particular services, update their details or submit service requests for a wide variety of purposes. They can’t get what they, as citizens, need.
To address this challenge, public sector bodies are increasingly moving to a cloud-first policy for their systems. Rather than just reverting to the default position of “we will stick with what we have got and it is too big a change for us to take on”, they have moved to a stance of “we will move to the cloud unless there is a very good reason for not doing so. And security has to be baked into that cloud-first position.”
The people element is also very important here. Security has to be everyone’s responsibility and people are even more important to the battle to maintain security than the technology they implement to do it. It is ultimately about much more than having the best, newest and most secure technology, it is having the skillsets to use that technology and manage it appropriately.. It is about understanding that there are internal threats to deal with as well as external threats and making sure all of these are dealt with appropriately, whether that be through user authentication and access permissions or a wide range of other elements of system security.
On one level, that’s about training and ensuring that the security awareness across the organization is universally high, no matter whether employees are working in the back office, or increasingly mobile and remotely at home.
Why data matters
One area where councils need to ensure they are laser-focused is protecting the security of their data. Encryption is key here to protect data both in storage and in transit. An example of the latter requirement is the need to protect data created by residents adding information onto a webform, or an app, which is subsequently transferred into a council’s CRM system, or into the back office system before being passed on to mobile workers. This means that the security of Application Programming Interfaces (APIs) which are used to connect different customer-facing and back-office systems together in a seamless manner is crucial.
Ensuring that data is secure in transit is key, particularly when it is sensitive personal or financial data, for example. All that has to be kept highly secure. That will typically involve encrypting the data and making sure it aligns to the latest and highest standards. All stakeholders also need to be aware of, and on top of, the fact that these standards are not static but will evolve over time to meet the emerging threats and growing sophistication of cyber-attacks.
Looking ahead the cybersecurity demands on the public sector will become more intense still with the growing use of Internet of Things’ (IOT)- connected devices and sensors, whether for smart street lighting, parking; waste collection sensors or air quality, for instance. All these are nodes or endpoints of the wider network and the security of these parts of the network and the data that flows through them will become increasingly important moving forwards. It is yet another aspect of the complex cyber-security challenges that public sector organizations either are already or will need to confront and tackle in the future. Once again, they will need a potent mix of robust and resilient systems and processes together with high-quality staff training and awareness in order to tackle them effectively.
Steve White, Head of Transformation Accounts, Yotta