Embracing Zero Trust: The key to building public sector resilience
The UK public sector is under siege in cyberspace. This year, we’ve already seen attacks on the Electoral Commission, ACRO, St Helens Borough Council, and Walsall Manor Hospital, to name a few. Each attack further erodes already waning public confidence.
In fact, the UK is the third most targeted country in the world for cyberattacks, after the US and Ukraine. We have won the crown of “the cyberattack capital of Europe” – a title we did not want, nor one we wish to keep.
The problem is compounded by the public sector’s reliance on third-party suppliers and contractors – a prime target for attackers looking for an easy way in. And it’s a strategy that’s working! The personal details of tens of thousands of police workers were recently compromised thanks to a ransomware attack on supplier Digital ID; Russian hackers gained access to the Ministry of Defence through a breach at supplier Zaun; and an attack on Ortivus saw two of England’s ambulance trusts resort to paper-based patient records. This suggests we are still placing too much implicit trust in suppliers to safeguard data, systems, and operations.
Sure, you can argue that to date we’ve only really seen breaches of inconvenience. These attacks caused disruption to society and the economy, but they’ve not been catastrophic. But how long until that changes?
A common goal in cyber resilience
According to the National Risk Register 2023, there’s a 5–25% chance of a serious cyberattack on UK critical infrastructure in the next two years. The good news is the government has taken heed and is already taking action to strengthen defences: GovAssure, the cyber security strategy for health and social care 2030, and the introduction of new cyber resilience targets for critical infrastructure are just some of the developments we have seen this year.
Each of these strategies points towards a common goal of cyber resilience. The government rightly acknowledges the changing landscape of cyber threats. Attackers want to cause maximum disruption. Creating chaos is the aim, achieving a ransom payout the main objective.
However, the task ahead is not easy. It’s a long and uphill battle to achieve true resilience by 2030, and with rising geopolitical tension and the advent of new AI-based cyber threats, we need to see immediate progress. The public sector urgently needs a more modern and agile response to security incidents: one that moves away from static, network-based security models to focus on users, assets, and resources.
Changing a mindset: from “prevention” to “containment”
The starting point is an acknowledgement that we will never be able to prevent all attacks. It’s foolish to think otherwise - nation-states alone have an unlimited arsenal of funds and resources that will see us forever lost in an endless game of cat and mouse. We must shift the strategy towards "ensuring mission resiliency." This means accepting that breaches will happen and putting in place measures to stop them from spreading.
Zero Trust Segmentation (ZTS), also known as microsegmentation, is a proven and effective way to achieve this shift. Instead of trying to keep all bad actors out, the aim is to contain them quickly once they break in – stopping attackers from moving across networks or devices, and minimising operational risk and downtime. It works by dividing the network, data centre, cloud environment and endpoint estate into smaller segments, each with its own access and authentication policies that are validated every time a user requests access.
ZTS is also a foundational and strategic pillar of Zero Trust – a globally recognised strategy for reducing risk and increasing cyber resilience. The Biden administration has even gone as far as to incorporate Zero Trust within its national cybersecurity strategy – an approach that the UK government should consider replicating.
From laggard to leader
According to Gartner, by 2026, 60% of enterprises working toward a Zero Trust architecture will use more than one deployment form of microsegmentation – up from 5% in 2023. The UK public sector cannot be left behind.
If it is not already doing so, every government department should be taking proactive measures to prevent the spread of attacks. Technology advancements mean it’s easier than ever to deploy microsegmentation, even in the most complex IT environments. So the excuse of “we tried it before with firewalls and it didn’t work” no longer stands. Ring-fencing and protecting high-value applications and data must be the priority, restricting access to only that which is critical and necessary.
Another obstacle in the path to cyber resilience is the age-old problem of legacy IT. The government has committed to investing £2.6bn into fixing the problem but we must be realistic – ripping and replacing all infrastructure quickly is never going to be feasible.
Particularly for operators of essential services, such systems are not easy to retire or patch, leaving a huge proportion of government systems vulnerable. Instead, the focus has to be on minimising risk and exposure to attack. At a very minimum, that means limiting access to systems and services with known vulnerabilities and imposing a strategy of least privilege.
Building a secure future
Cybercrime is a national threat. It costs the UK billions of pounds, causes mass disruption to business and services, and threatens our national security. The UK government has taken great strides to harden our defences, but we are still no closer to eradicating the cyber problem.
For too long the focus has been on building deeper, wider moats with no thought about what happens once the moat is crossed. The renewed focus on resilience is changing this dynamic; however, we can’t afford to wait until 2030 for progress. We must couple long-term goals with a more immediate focus on imminent threats like ransomware, and on building resilience through lasting and strategic methodological shifts, like breach containment.