03 October 2024

Mark Jow, technical evangelist, Gigamon
The UK public sector is failing in terms of its cyber resilience. Over the last few months, we have seen cyber-attacks of significant scale affect the MoD, Electoral Commission and the NHS.
The new UK government brings with it the hope of change. It must lead by example in the public sector and incentivise or regulate to get more organisations to follow best practices for enhanced cyber-resilience. It is encouraging to see that steps have already been taken in pushing forward The Cyber Security and Resilience Bill in the King’s Speech on 17 July, which aims to build on the NIS regulations and ‘strengthen our defences ensuring that more essential digital services than ever before are protected.’
Understanding the threat
Recent research revealed that 37% of recent breaches go completely undetected by organisations’ security tools, a 20% rise in missed security breaches over the last year. While cyber criminals continue to innovate and find new ways to evade traditional security controls, ever more complex IT environments pose a serious challenge to organisations’ security stacks.
For the public sector, the cloud offers optimised workflows, scalability, and more efficient use of resources. But, just as private organisations have experienced in their cloud adoption journeys, the hybrid cloud introduces a wider attack surface that conventional cloud or on-premises security tools might struggle to monitor accurately. In modern, hybrid cloud environments, network blind spots are proliferating, allowing criminals to hide out and launch attacks completely unseen.
Legacy hurdles and visibility
Unlike their private sector counterparts, public sector organisations still rely heavily on legacy systems. Earlier this year, a government report highlighted that 43 legacy IT systems across government are at a critical level of risk — 11 of which are in the MoD. Integrating these legacy systems with a hybrid cloud strategy only adds to complexity, and according to research, 83% of global IT and security leaders believe that cloud complexity increases cyber risk. The problem is that traditional on-premises monitoring tools lack the necessary visibility into cloud-based threats, while in turn, cloud-centric tools often have limited insight into on-premises traffic. This creates a significant ‘visibility gap’ that attackers are adept at exploiting.
Ultimately, cyber-resilience must start with improved visibility – you can’t manage what you can’t see. That means real-time, network-level intelligence that can spot suspicious activity even in encrypted traffic.
Reducing inherent trust
Public sector security teams must move beyond the common ‘trust but verify’ approach among internal stakeholders and employees, instead working towards a Zero Trust architecture. When passwords are easily stolen, phishing is rife, and unpatched home devices create security gaps, inherent trust introduces far too much risk. Multi-factor authentication (MFA) is key to this.
Architecturally, this should be paired with network segmentation and real-time, ongoing threat monitoring to detect and remediate any attackers moving laterally within the system. This offers ‘defence in depth,’ meaning that if one security barrier fails, bad actors cannot roam freely. Deep observability is vital to achieving this, combining real-time network intelligence with the insights from traditional logs, metrics, events and traces to give a complete 360-degree picture of all data in motion. Only then can IT teams prevent hidden threats.
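To make the pairing of segmentation and monitoring concrete, here is an added example (not code from the article or from Gigamon) that turns a segmentation policy into detection logic: every flow record is checked against the segment plan and the permitted inter-segment paths, and anything crossing a boundary the policy does not allow, or using an admin protocol between user endpoints, is reported as a candidate lateral-movement event. The segments, the policy and the flow records are all constructed for the demonstration.

```python
"""Segmentation policy as detection logic: added example, not code from the
article or from Gigamon. Segments, the allowed inter-segment paths and the
flow records are all constructed for this demonstration."""
import ipaddress
from typing import NamedTuple, Optional

# Hypothetical segment plan (RFC 1918 ranges chosen for the example).
SEGMENTS = {
    "user": ipaddress.ip_network("10.10.0.0/16"),
    "app": ipaddress.ip_network("10.20.0.0/16"),
    "db": ipaddress.ip_network("10.30.0.0/16"),
    "mgmt": ipaddress.ip_network("10.99.0.0/24"),
}

# Hypothetical policy: (source segment, destination segment) -> permitted ports.
# Any cross-segment flow not listed here is a policy violation.
ALLOWED = {
    ("user", "app"): {443},
    ("user", "external"): {80, 443},
    ("app", "db"): {5432},
    ("mgmt", "user"): {22, 3389},
    ("mgmt", "app"): {22},
    ("mgmt", "db"): {22},
}

# Admin/file-sharing ports that should never be used between user endpoints.
USER_TO_USER_ADMIN_PORTS = {445, 3389, 5985}


class Flow(NamedTuple):
    ts: str
    src: str
    dst: str
    dport: int
    proto: str


def segment_of(ip: str) -> str:
    """Map an address to its segment name; anything outside the plan is 'external'."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "external"


def evaluate(flow: Flow) -> Optional[str]:
    """Return a reason string if the flow violates policy, otherwise None."""
    src_seg, dst_seg = segment_of(flow.src), segment_of(flow.dst)
    if src_seg == dst_seg:
        # East-west traffic inside one segment is not blocked by segmentation,
        # so the monitoring layer has to catch it: admin protocols between
        # user workstations are a classic lateral-movement signal.
        if src_seg == "user" and flow.dport in USER_TO_USER_ADMIN_PORTS:
            return f"admin protocol on port {flow.dport} between user endpoints"
        return None
    if flow.dport in ALLOWED.get((src_seg, dst_seg), set()):
        return None
    return f"{src_seg}->{dst_seg} on port {flow.dport} is not permitted by policy"


def parse_flow(line: str) -> Flow:
    """Parse the constructed record format: '<ts> <src> <dst> <dport> <proto>'."""
    ts, src, dst, dport, proto = line.split()
    return Flow(ts, src, dst, int(dport), proto)


def detect(records: str):
    """Run every flow record through the policy and collect the violations."""
    findings = []
    for line in records.strip().splitlines():
        flow = parse_flow(line)
        reason = evaluate(flow)
        if reason is not None:
            findings.append((flow.ts, flow.src, flow.dst, reason))
    return findings


# Constructed flow records: a workstation behaves normally at first, then a
# neighbouring workstation reaches the database and management segments directly.
SAMPLE_FLOWS = """
2024-10-03T09:00:01Z 10.10.4.21 10.20.1.5 443 tcp
2024-10-03T09:00:05Z 10.20.1.5 10.30.1.8 5432 tcp
2024-10-03T09:00:40Z 10.10.4.21 203.0.113.10 443 tcp
2024-10-03T09:01:10Z 10.10.4.21 10.10.4.77 445 tcp
2024-10-03T09:01:12Z 10.10.4.77 10.30.1.8 5432 tcp
2024-10-03T09:02:00Z 10.99.0.3 10.30.1.8 22 tcp
2024-10-03T09:02:30Z 10.10.4.77 10.99.0.3 22 tcp
"""

if __name__ == "__main__":
    for ts, src, dst, reason in detect(SAMPLE_FLOWS):
        print(f"{ts} {src} -> {dst}: {reason}")
```

The point of the design is that the same policy document drives both the barrier (firewall or micro-segmentation rules) and the detection: when the barrier is bypassed or misconfigured, the monitoring layer still raises the cross-segment flow, which is the ‘defence in depth’ the article describes. On the constructed records it reports three events: SMB between two user workstations, a user workstation reaching the database segment, and the same workstation reaching the management segment.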
Supporting tool investments
As threats continue to evolve and proliferate, organisations are tempted to throw more investment into security tools to mitigate the rising risks. But this ultimately leads to bloating tool stacks with no real security improvements. With 9 in 10 organisations reporting that they are regularly investing in new tools, but 69% of security leaders reporting that their teams are overwhelmed by tool sprawl, it’s clear that this is not the answer.
Organisations need to turn their attention back to their existing tools to determine where they work well and where they create blind spots or need support. This means creating a stack of tools that work in a cohesive manner and improving tool efficiency by focusing on high-fidelity network data. By employing tactics like application filtering, security teams can separate high-risk traffic from low-risk, ensuring decryption efforts are focused where they matter most. Additionally, deduplication techniques prevent redundant decryption of the same data packets, significantly reducing processing load and saving valuable resources.
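The two tactics in this paragraph, application filtering and deduplication, can be shown as a small pipeline stage placed in front of a decryption or inspection tool. The following is an added example, not code from the article or from Gigamon: each packet is labelled by application from a hypothetical port map, only high-risk (or unknown) applications are forwarded for decryption, and a packet already seen within a short window, as happens when one packet is captured at several tap points, is dropped before it is decrypted a second time. The packet records, port map and risk policy are all constructed for the demonstration.

```python
"""Application filtering plus packet deduplication in front of a decryption /
inspection tool: added example, not code from the article or from Gigamon.
The packet records, the port-to-application map and the risk policy are all
constructed for this demonstration."""
import hashlib
from collections import OrderedDict
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    proto: str
    payload: bytes
    ts: float  # capture time in seconds


# Hypothetical application map keyed by destination port.
APP_BY_PORT = {443: "https", 22: "ssh", 3389: "rdp", 445: "smb", 123: "ntp", 53: "dns"}
# Hypothetical policy: applications whose traffic earns full decryption/inspection.
HIGH_RISK_APPS = {"rdp", "smb", "ssh"}


def classify(pkt: Packet) -> str:
    """Application filtering: label the packet by the application it belongs to."""
    return APP_BY_PORT.get(pkt.dport, "unknown")


def is_high_risk(pkt: Packet) -> bool:
    """Unknown applications fail closed: they are sent for inspection too."""
    app = classify(pkt)
    return app == "unknown" or app in HIGH_RISK_APPS


class Deduplicator:
    """Drops a packet if the same 5-tuple+payload was seen within `window` seconds,
    which is what happens when one packet is captured at several tap points."""

    def __init__(self, window: float = 0.05):
        self.window = window
        self.seen: "OrderedDict[bytes, float]" = OrderedDict()

    @staticmethod
    def key(pkt: Packet) -> bytes:
        h = hashlib.sha256()
        h.update(f"{pkt.src}|{pkt.dst}|{pkt.sport}|{pkt.dport}|{pkt.proto}|".encode())
        h.update(pkt.payload)
        return h.digest()

    def is_duplicate(self, pkt: Packet) -> bool:
        # Expire entries older than the window (packets are fed in time order).
        while self.seen:
            _oldest_key, oldest_ts = next(iter(self.seen.items()))
            if pkt.ts - oldest_ts > self.window:
                self.seen.popitem(last=False)
            else:
                break
        k = self.key(pkt)
        if k in self.seen:
            return True
        self.seen[k] = pkt.ts
        return False


def optimise(packets: List[Packet]) -> Tuple[List[Packet], Dict[str, int]]:
    """Return the packets worth decrypting, plus counters for what was dropped."""
    dedup = Deduplicator()
    forwarded: List[Packet] = []
    stats = {"total": 0, "duplicates": 0, "low_risk": 0, "forwarded": 0}
    for pkt in sorted(packets, key=lambda p: p.ts):
        stats["total"] += 1
        if dedup.is_duplicate(pkt):
            stats["duplicates"] += 1
            continue
        if not is_high_risk(pkt):
            stats["low_risk"] += 1
            continue
        forwarded.append(pkt)
        stats["forwarded"] += 1
    return forwarded, stats


# Constructed capture: the same SMB and HTTPS packets seen by two taps 2 ms apart,
# an RDP packet, an NTP packet, an unknown-port packet and a late SMB retransmit.
SAMPLE = [
    Packet("10.0.1.5", "10.0.2.9", 50211, 445, "tcp", b"\xfeSMB" + b"\x00" * 8, 0.000),
    Packet("10.0.1.5", "10.0.2.9", 50211, 445, "tcp", b"\xfeSMB" + b"\x00" * 8, 0.002),
    Packet("10.0.1.5", "203.0.113.10", 50212, 443, "tcp", b"\x16\x03\x01\x00\x10", 0.010),
    Packet("10.0.1.5", "203.0.113.10", 50212, 443, "tcp", b"\x16\x03\x01\x00\x10", 0.012),
    Packet("10.0.1.7", "10.0.2.9", 50300, 3389, "tcp", b"\x03\x00\x00\x13", 0.020),
    Packet("10.0.1.5", "10.0.2.9", 50400, 123, "udp", b"\x1b" + b"\x00" * 47, 0.030),
    Packet("10.0.1.9", "10.0.2.9", 50500, 8443, "tcp", b"\x16\x03\x03\x00\x20", 0.040),
    Packet("10.0.1.5", "10.0.2.9", 50211, 445, "tcp", b"\xfeSMB" + b"\x00" * 8, 1.000),
]

if __name__ == "__main__":
    kept, counters = optimise(SAMPLE)
    print(counters)
    for p in kept:
        print(f"{p.ts:.3f} {p.src}:{p.sport} -> {p.dst}:{p.dport} [{classify(p)}]")
```

On the constructed capture, eight packets arrive, two are dropped as tap duplicates, two (HTTPS and NTP) are filtered out as low-risk, and four reach the decryption tool. Two design choices matter for a security team rather than a network team: unknown applications fail closed and are inspected rather than skipped, and the deduplication window is deliberately short, so a genuine retransmission a second later is treated as new traffic and inspected, while the copy of the same packet from a second tap a few milliseconds later is not.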
A data-driven approach to security stack optimisation ensures existing tools operate at peak efficiency. This frees security teams from the burden of managing a bloated toolset, allowing them to focus on real threats and streamlining security operations. When coupled with real-time network visibility and a Zero Trust strategy, this sets any public sector organisation on the right path to better cyber resilience.