How the UK Public Sector Can Use Foundational Controls to Fight Back Against Digital Security Challenges By Emanuel Ghebreyesus

On 26 March, the UK government unveiled its Cyber Security Export Strategy. The Department for International Trade (DIT) created this strategy to help the United Kingdom capitalize on the world’s ever-evolving digital security market. In essence, the document lays the groundwork for deeper collaboration between the DIT and UK firms to export digital security products and services to other countries, including less mature “cyber” economies where buyers might still be unsure about how to best protect their digital assets.

Through the Cyber Security Export Strategy, the government hopes UK firms will be able to help foreign governments and private organizations with their digital security needs. Success with those international entities would not only elevate the reputation of UK companies in the digital security industry. It would also advance the United Kingdom’s mission to become one of the safest and most secure places to do business. 

While the Strategy seeks to help other governments with their digital security needs, the UK government has yet to take any equivalent action that strengthens its own public sector’s defenses. That’s not to say the need isn’t there, however. As reported by Public Sector Executive, UK organizations under government control lack adequate budget, resources and trained personnel to protect against digital threats. Together, these constraints prevent organizations from moving away from legacy platforms, investing the necessary time to achieve Cyber Essentials certification and achieving compliance with regulation frameworks. They also hamper enterprises’ ability to build a security culture and deepen their workforce’s security hygiene, resources which are key in the fight against incidents like the May 2017 WannaCry outbreak. 

To be sure, the lack of qualified and experienced personnel who are able to take CISO positions is a major issue in government organizations. They must be able to deal with unconnected security solutions and/or vintage/legacy systems they inherit whilst looking to implement strategies and policies. Oftentimes, they do not have enough staff to effect those changes and no concrete strategy or financial support by board/executive members. This makes it very difficult for them to achieve the required security posture that is desperately As a result, many CISOs don’t stay around for longer than two years before moving on to possibly a private firm.

Given these findings and challenges, it’s not surprising to learn British company Advanced found that 23 percent of UK public sector companies feel unprepared for a digital attack. Another study conducted by digital workplace provider Invotra revealed that 79 percent of IT managers in those organizations are most concerned about their systems’ data and security. These worries understandably get in the way of public sector organizations in the United Kingdom utilizing technology to improve efficiency, drive down costs and transform services so that they are simpler, faster and clearer.

So how can UK public sector organizations fight back against these issues?

The answer is foundational controls. It is costly to keep on adding more solutions or doing the same things in a different way as this will always result to the same outcome. It just produces the same complexity, the same unconnected strategy and more training for your team. Instead of wasting your time and resources, take an inventory of what solutions are in place and understand how many of them have the possibility to be connected or leveraged to provide a better outcome. Foundational controls provide the basis of a strategy that will assist in getting you there.

Implementing foundational controls helps companies hone in on the cornerstones of their digital security postures. By emphasizing asset discover, security configuration management (SCM), log management, vulnerability management (VM), file integrity monitoring (FIM) and others, organizations get better bang for their buck, that is, better security with more efficient use of their resources and time. This investment-cost justification usually comes from an easily integrated solution that provides better use of invested resources than “rip and replace” tools.

Foundational controls do much more than just save organizations money. In maintaining a dynamic inventory of known hardware/software and monitoring those assets for known vulnerabilities, security controls help companies better prioritize risk according to the business value of each device and program. At the same time, organizations can leverage log management to obtain granular information of what happens on their network, including the what, who and when of potential incidents. They can then use that information to strengthen their defenses against the next attack. Lastly, enterprises shouldn’t forget that security controls can help them avoid heavy penalties imposed by the General Data Protection Regulation (GDPR) and similar frameworks for companies that neglect to properly safeguard their networks.

To learn how Tripwire can help organizations achieve continuous compliance with GDPR using foundational security controls, click here. You can also learn more about each of the controls discussed above and how you can use them to choose a security solution that meets your needs by downloading this guide. 

For more information about security challenges facing government organizations, consider attending the 2018 Government IT Security Conference (GOVSEC) on 9 May at the Victoria Park Plaza in London.