The threat from cyber crime is growing, with the UK witnessing an increase in criminals targeting theft of citizen and employee information, credit-card data and organisations' intellectual property.
To tackle this, last month the Association of Chief Police Officers unveiled three regional e-crime policing centres. The government has recognised the need for a cyberspace that safeguards free speech, provides resilience for commercial organisations and the public sector to operate effectively, and sustains confidence for citizens to go about their everyday lives.
It is too early to understand exactly how these policing centres will operate. Nevertheless, dealing with cyber threats, whether criminally motivated or not, requires a comprehensive approach that evaluates the risk in relation to the damage to the interests of government and citizens.
Responses must be flexible to allow local authorities and departments to proactively protect themselves from increasingly sophisticated and complex security threats and attacks. When one area of vulnerability is closed off, criminals are motivated by financial reward to find another. Tackling the threat is therefore more than an individual step – it is a continuous process to learn, monitor, analyse, decide and respond.
Public sector organisations must pursue measures to improve the protection of all their systems and not limit them just to those accessible from the internet. The government has ranked cyber security as a tier one national security priority, and it should command the attention of organisations accordingly because of their legal, financial and reputational interests.
First, it is essential that organisations elevate cyber security to board level. Second, an organisation's valuable assets – in particular data – should be identified and the risks to them understood. Underlying network topology needs to be recorded.
Measures can then be taken to control network security, user access and administrator access to confidential data and critical systems. Indeed, segregation of high-value information may be merited.
Third, up-to-date software should be used. For example, systems providing online services should be tested for vulnerabilities and patched, endpoints should be protected and compliance enforced. This must also include smartphones: according to IBM's X-Force team, in the first half of last year there was a doubling of mobile exploits and triple the number of critical vulnerabilities and malicious attacks.
While technology plays a role in all of these, alone it is insufficient. It must be operated effectively with IT service management practices, and staff must know how to use systems properly. This highlights the importance of the security culture of the whole organisation when defending against threats.
Security culture must be built on understanding and trust. A large element of this depends on behaviour – rules and guidelines form just part of it. Behaviour can be improved and motivated using goals that reduce security risks: it must be done positively rather than by creating a culture of fear.
Staff have to be made aware of those assets that are valuable to the organisation and must understand why measures are taken to protect them. There is a balance to be struck between the use of enforcement technology and over-zealous IT measures that are resisted and prove counterproductive.
It is no good deploying technology that is designed to protect assets, only for it to be thwarted through staff circumvention. Greater awareness through education and internal publicity will help.
Individuals must take personal responsibility for handling removable media, documents and the disposal of both. Confidential documents must be appropriately marked so that they are respected and protected by individuals. This means safeguarding confidential documents and data and the bags they are in, and it means securing them when away from departmental offices.
More is needed to be successful. Executives and managers must lead by example to create a climate for such behaviour to be embedded as the norm. It is no good expecting staff to behave responsibly if premises are not properly protected because locks to doors and cabinets are poorly maintained. Furthermore, managers must encourage openness for staff to express any security concerns they have.
Staff and managers should all be alert to abnormal behaviour of a colleague. Many reasons may lie behind such a change, but it may be increasing the risk of a data breach. Such detection does not need to depend solely on the vigilance of individuals; security culture should be supported by technology.
Security intelligence can be used to rapidly identify anomalies in system usage, both internally by staff and originating from outside the organisation. As well as staff access to systems, security intelligence takes account of suspicious use of data, application activity and infrastructure protection.
Overall, an integrated approach that is capable of prediction, prevention and detection must be taken to protect the public sector's most valuable assets.
Chris Nott is the public sector software technical leader at IBM UK and author of Cyber Security: Protecting the Public Sector.