Tackling Cyber Threats In The Public Sector

Last year, the Labour government came to power during a period of increasingly sophisticated cyber threats across the UK, many of them making use of AI. These attacks, from ransomware to phishing, have hit a range of industries, but a growing number have targeted the public sector.

In July 2024, the UK’s data privacy watchdog reported that the personal details of millions of UK voters had been left "vulnerable to hackers" because known software flaws were left unpatched and passwords were not changed. Alarmingly, attackers had access to the Electoral Commission's systems for over a year before the intrusion was identified and closed off.

To counter the growing threat to public infrastructure, and to boost public sector cyber resilience, the UK government has introduced new cyber security regulations. These enforce consumer protections against hacking and cyber attacks, and require by law that internet-connected smart devices meet minimum security standards.

However, the government will need to take further steps to achieve complete cyber resilience and to enhance the nation’s defences against attacks.

A recent Yubico survey of global authentication trends found that 70 percent of respondents had been exposed to cyber attacks in their personal lives in the past 12 months, and recent Deloitte research puts phishing at the start of nine in ten cyber attacks. Stronger technical controls and a greater focus on user education are clearly critical to stopping phishing from succeeding, and there is no better time for the British government to act than now. To do so, it must ensure that every public sector organisation builds cyber resilience and has the tools in place to protect itself against these threats.

Moving On From Insecure Legacy Authentication To Modern MFA

Despite the dangers, many organisations still rely on outdated authentication methods such as passwords to protect themselves and their data. In fact, Yubico’s survey found that 39 percent of employees believe that a username and password alone is the most secure way to protect accounts and information, even though a shared secret that can be guessed, reused or phished is an inherently weak form of protection.

While multi-factor authentication (MFA) is more secure than relying on passwords alone, some MFA methods are far more effective than others. Legacy MFA such as one-time passwords (OTPs), whether delivered by SMS or generated by an app, remains susceptible to phishing: the code is just a short number with no link to the site that requested it, so a real-time phishing page can pass it straight on to the genuine service before it expires. Furthermore, AI-generated deepfakes are increasingly able to defeat remote facial or voice recognition checks, exacerbating the threat to users and enterprises.

To significantly boost public sector security, users and organisations should adopt modern, phishing-resistant MFA such as passkeys, including passkeys held on hardware security keys.

These phishing-resistant solutions authenticate users with a public-key credential. The private key is generated on the user’s computer, phone or security key and never leaves it; the site only ever receives a signature over a challenge it issued, which it checks against the public key stored at enrolment. Because the private key is never transmitted, remote attackers cannot intercept or steal it, so only the holder of the device can sign in, across platforms and devices.

Additionally, passkeys held on a hardware security key cannot be extracted or copied from it, and every passkey is bound to the site or app for which it was created: the browser records the origin it is actually connected to in the data that gets signed, and releases a credential only to the domain that registered it. A look-alike phishing site therefore receives nothing it can use, even if the user has been deceived into clicking through. By protecting the accounts of public sector professionals with passkeys, users and organisations can keep their data safe even when an individual falls for a phishing lure.
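The origin binding described above is easier to see in code than in prose. The following is an added example written for this page, not Yubico’s code or any standard WebAuthn library: a toy Go model of a FIDO2/WebAuthn login in which gov.example stands for the genuine relying party and g0v.example for a look-alike phishing site run as a real-time proxy. Both names are assumptions for the demo, Ed25519 stands in for the authenticator’s key algorithm, the authenticator data is reduced to the RP ID hash, and nothing here touches a network.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// clientData is the browser-built clientDataJSON of WebAuthn: the server's challenge plus the origin
// the browser actually connected to. Both are covered by the signature; a bare OTP carries neither.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// Authenticator holds one private key per relying party ID (a domain name). Keys never leave it.
type Authenticator struct{ keys map[string]ed25519.PrivateKey }
func NewAuthenticator() *Authenticator { return &Authenticator{keys: map[string]ed25519.PrivateKey{}} }

// Register creates a credential bound to rpID and returns the public key the server stores for the user.
func (a *Authenticator) Register(rpID string) ed25519.PublicKey {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	a.keys[rpID] = priv
	return pub
}

// signedMessage mirrors WebAuthn: the signature covers SHA-256(rpID) || SHA-256(clientDataJSON).
func signedMessage(rpID string, cd []byte) []byte {
	rpHash, cdHash := sha256.Sum256([]byte(rpID)), sha256.Sum256(cd)
	return append(rpHash[:], cdHash[:]...)
}

// browserGetAssertion models browser plus authenticator. The browser lets a page claim only an RP ID that
// is its own host or a parent domain of it, so g0v.example cannot ask for gov.example's credential at all.
func browserGetAssertion(a *Authenticator, origin, rpID string, challenge []byte) ([]byte, []byte, error) {
	host := strings.TrimPrefix(origin, "https://")
	if host != rpID && !strings.HasSuffix(host, "."+rpID) {
		return nil, nil, errors.New("browser: RP ID " + rpID + " is not a registrable suffix of " + host)
	}
	priv, ok := a.keys[rpID]
	if !ok {
		return nil, nil, errors.New("authenticator: no credential for " + rpID)
	}
	cd, _ := json.Marshal(clientData{"webauthn.get", base64.RawURLEncoding.EncodeToString(challenge), origin})
	return cd, ed25519.Sign(priv, signedMessage(rpID, cd)), nil
}

// serverVerify is the relying party: its own challenge and its own origin must appear in the signed
// client data, and the signature must verify under the public key registered at enrolment.
func serverVerify(pub ed25519.PublicKey, rpID, origin string, challenge, cd, sig []byte) error {
	var c clientData
	if err := json.Unmarshal(cd, &c); err != nil || c.Type != "webauthn.get" || c.Challenge != base64.RawURLEncoding.EncodeToString(challenge) {
		return errors.New("server: malformed client data or challenge mismatch")
	}
	if c.Origin != origin {
		return errors.New("server: origin mismatch, assertion was made at " + c.Origin)
	}
	if !ed25519.Verify(pub, signedMessage(rpID, cd), sig) {
		return errors.New("server: bad signature")
	}
	return nil
}

// Login is one challenge-response with the genuine server (gov.example) while the user's browser is at
// browserOrigin and the page asks for rpID. A proxy phisher relays the genuine challenge unchanged but
// cannot change the origin the browser records, nor the RP ID the browser lets its page claim.
func Login(a *Authenticator, pub ed25519.PublicKey, browserOrigin, rpID string) error {
	challenge := make([]byte, 32)
	rand.Read(challenge)
	cd, sig, err := browserGetAssertion(a, browserOrigin, rpID, challenge)
	if err != nil {
		return err
	}
	return serverVerify(pub, "gov.example", "https://gov.example", challenge, cd, sig)
}

// PhishPasskey: the victim's browser is on phishOrigin; the attacker's page tries both the real RP ID
// and its own. Returns nil only if the genuine server would accept one of the relayed assertions.
func PhishPasskey(a *Authenticator, pub ed25519.PublicKey, phishOrigin string) error {
	var err error
	for _, rpID := range []string{"gov.example", strings.TrimPrefix(phishOrigin, "https://")} {
		if err = Login(a, pub, phishOrigin, rpID); err == nil {
			return nil
		}
	}
	return err
}

func main() {
	auth := NewAuthenticator()
	pub := auth.Register("gov.example") // enrolment at the genuine site; the server keeps only the public key
	fmt.Println("login at the real site:", Login(auth, pub, "https://gov.example", "gov.example"))
	fmt.Println("login via look-alike site:", PhishPasskey(auth, pub, "https://g0v.example"))
}
```

Run it and the real-site login returns nil while the look-alike attempt fails twice over: the browser refuses to let g0v.example claim the gov.example RP ID, and the authenticator has no credential for g0v.example. Even if the victim had once enrolled a passkey at the look-alike site, the assertion it produces names https://g0v.example in the signed client data and the genuine server rejects it on the origin check. That is the concrete meaning of "authentication is only possible on verified sites or apps", and it is exactly the property an OTP typed into a web form lacks.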

It’s Time For A Phishing-Resistant Future

Nevertheless, to reach the highest level of security and cut the likelihood of phishing attacks succeeding, public sector organisations must go beyond merely investing in phishing-resistant authentication: they must focus on developing phishing-resistant users. With well over half of data breaches involving a human element, such as falling for a social engineering attack or a lapse in judgement, this has never been more important.

Users frequently switch between platforms and devices, and the conventional techniques used to bridge those moments are phishable. When a new employee is onboarded, or a device is lost or stolen, organisations tend to fall back temporarily to phishable enrolment or recovery flows, for example a password plus an emailed link or an OTP, and attackers look for exactly those openings. Ensuring phishing resistance across registration, authentication and recovery alike is essential to developing phishing-resistant users.

To take phishable credentials out of the login path, organisations must equip employees with phishing-resistant MFA and should consider hardware security keys as the primary method of authentication. Public sector organisations should also favour technology-driven controls that reduce dependence on user training, while still offering essential education on the fundamental principles and advantages of phishing-resistant MFA and sound cyber hygiene.

While the UK government has taken steps to develop greater cyber resilience across the public sector, there is still more to be done to ensure that organisations’ and individuals’ sensitive data remain protected. This starts with promoting a phishing-resistant culture, of which passkeys are the basis.

Niall McConachie is Regional Director (UK & Ireland) at Yubico

Image: Ideogram

