Tackling Cyber Threats In The Public Sector

Last year, the Labour government entered into power during a period of increasingly sophisticated cyber threats - many leveraging AI - across the UK. These cyber attacks, ranging from ransomware attacks to phishing, have been launched against several industries - but a growing number have targeted the public sector.

In July 2024, the UK’s data privacy watchdog reported that the personal details of millions of UK voters were left "vulnerable to hackers" because passwords were not changed and software was not updated. Alarmingly, this gave attackers access to the Electoral Commission's systems for over a year before the vulnerability was fixed.

To combat the growing cyber threats targeting public infrastructure, and to boost public sector cyber resilience, the UK government has introduced new cybersecurity regulations. These enforce consumer protections against hacking and cyber attacks, and mandate that internet-connected smart devices meet minimum-security standards by law.

However, the government will need to take further steps to achieve complete cyber resilience and to enhance the nation’s defences against attacks.

A recent Yubico survey looking at global authentication trends revealed that 70 percent of respondents had been exposed to cyber attacks in their personal lives in the past 12 months. What’s more, nine in ten cyber attacks begin with phishing according to recent research by Deloitte. Clearly, greater cybersecurity measures and increased focus on user education are critical to prevent successful attacks through phishing, and there is no better time for the British government to implement stricter cybersecurity measures than right now. In order to do so, the government must ensure all public sector organisations develop cyber resilience and have the necessary tools in place to protect themselves against cyber threats.

Moving On From Insecure Legacy Authentication To Modern MFA

Despite the dangers, many organisations still rely on outdated authentication methods like passwords to protect themselves and their data. In fact, Yubico’s survey found that 39 percent of employees believe that simply using a username and password is the most secure way to protect accounts and information - despite being an inherently insecure and outdated form of protection.

While employing multi-factor authentication (MFA) is more secure than relying solely on passwords, some MFA methods are much more effective than others. For instance, legacy MFA methods like one-time passwords (OTPs), which cyber criminals can intercept, will always be susceptible to sophisticated phishing attacks. Furthermore, artificial intelligence (AI) can easily replicate authentication methods which utilise facial or voice recognition – exacerbating the threat to users and enterprises.

To significantly boost public sector security, users and organisations should employ modern MFA tools like passkeys, including hardware security keys.

These phishing-resistant solutions work by authenticating users using cryptographic security keys stored on their computer or device, offering the highest level of security for managing logins across platforms and devices. Security keys are also phishing resistant, and remote attackers cannot intercept or steal them, meaning only the key holder can access their accounts.

Additionally, cyber criminals cannot copy the passkeys stored on hardware devices, and authentication is only possible on verified sites or apps, meaning account credentials are not issued to hostile websites, even if the user is deceived. By using passkeys to protect the accounts of public sector professionals, users and organisations can ensure their data is kept safe even in the event of an individual being tricked by a phishing attack.

It’s Time For  A Phishing-Resistant Future

Nevertheless, to ensure the highest level of security and decrease the likelihood of phishing attacks succeeding, public sector organisations must implement measures beyond merely investing in phishing-resistant authentication: they must focus on developing phishing-resistant users. With well over half of data breaches succeeding due to a human element, such as falling victim to a social engineering attack or a lapse in judgement, developing phishing-resistant users is more important than ever.

Given that users frequently switch between platforms and devices, conventional authentication techniques are fundamentally phishable. In cases when a new employee is being onboarded or when a device is lost or stolen, organisations tend to temporarily default to phishable user registration, creating opportunities for a phishing attack to take place when these vulnerabilities are exploited. Ensuring phishing resistance in the processes of registration, authentication and recovery is essential for developing phishing-resistant users.

To truly eliminate the risk of phishing, organisations must equip employees with phishing-resistant MFA and consider using hardware security keys as their primary method of authentication. Public sector organisations should also adopt technology-driven solutions that reduce dependence on user training, while offering vital education regarding the fundamental principles and advantages of phishing-resistant MFA and sound cyber hygiene practices.

While the UK government has taken steps to develop greater cyber resilience across the public sector, there is still more to be done to ensure that organisations’ and individuals’ sensitive data remain protected. This starts with promoting a phishing-resistant culture, of which passkeys are the basis.

Niall McConachie is Regional Director (UK & Ireland) at Yubico

Image: Ideogram

You Might Also Read:

Mobile Authentication: The Good, The Bad & The Ugly:


If you like this website and use the comprehensive 7,000-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible


 

 

« President Biden’s Final Cyber Security Executive Order  
Salt Typhoon - The Chinese Telecom Hack »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

Clayden Law

Clayden Law

Clayden Law advise global businesses that buy and sell technology products and services. We are experts in information technology, data privacy and cybersecurity law.

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

TÜV SÜD Academy UK

TÜV SÜD Academy UK

TÜV SÜD offers expert-led cybersecurity training to help organisations safeguard their operations and data.

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

The PC Support Group

The PC Support Group

A partnership with The PC Support Group delivers improved productivity, reduced costs and protects your business through exceptional IT, telecoms and cybersecurity services.

CCL Solutions Group

CCL Solutions Group

CCL is one of Europe’s leading digital investigation specialists, supporting law enforcement, government and organisations across both public and private sectors.

Cyber Security National Lab (CINI)

Cyber Security National Lab (CINI)

The Cyber Security National Lab brings together Italian academic excellence in Cyber Security research.

Rwanda Information Society Authority (RISA)

Rwanda Information Society Authority (RISA)

RISA is at the forefront of all ICT project implementation, research, infrastructure and innovation within the ICT sector in Rwanda.

Innovative Solutions (IS)

Innovative Solutions (IS)

Innovative Solutions is a specialized professional services company delivering Information Security products and solutions for Saudi Arabia and the Gulf region.

DeepCyber

DeepCyber

DeepCyber supports its customers, with an “intelligence-driven” approach, to improve their proactive detection and response "capability" of cyber threats.

Cyber Polygon

Cyber Polygon

Cyber Polygon is an annual online exercise which connects various global organisations to train their competencies and exchange best practices.

Rhino Security Labs

Rhino Security Labs

Rhino Security Labs is a top penetration testing and security assessment firm, with a focus on cloud pentesting, network pentesting, web application pentesting, and phishing.

IQ4 - Cybersecurity Workforce Alliance (CWA)

IQ4 - Cybersecurity Workforce Alliance (CWA)

Cybersecurity Workforce Alliance, a division of iQ4, is an organization comprised of a diverse range of professionals dedicated to the development of the cybersecurity workforce.

Network Utilities (NetUtils)

Network Utilities (NetUtils)

Network Utilities provide identity centric network and security solutions to organisations from Telecoms and ISPs to SMEs and large corporates.

Melius Cyber Security

Melius Cyber Security

Melius Cyber Security has developed a world-leading SaaS platform, Cyber Safe Plus, built around continuous assessment and improvement through vulnerability scanning and penetration testing

Allied Telesis

Allied Telesis

Allied Telesis delivers the secure, flexible, and agile solutions needed to meet the expectations of any industry’s critical mission.

stackArmor

stackArmor

stackArmor specializes in compliance and security-focused solutions delivered using our Agile Cloud Transformation (ACT) methodology.

West Midlands Cyber Resilience Centre (WMCRC)

West Midlands Cyber Resilience Centre (WMCRC)

The East Midlands Cyber Resilience Centre supports and helps protect SMEs and supply chain businesses and third sector organisations in the region against cyber crime.

Secure Diversity

Secure Diversity

Secure Diversity is an innovative non-profit organization with leaders that think out of the box to create strategies & solutions to increase diversity in the cybersecurity industry.

Check Point Software Technologies

Check Point Software Technologies

Check Point Software Technologies is a leading provider of cyber security solutions to governments and corporate enterprises globally.

Systal Technology Solutions

Systal Technology Solutions

Systal is a global managed network and security service and transformation specialist. We help enterprise-level businesses maximise the security and business value of their complex IT infrastructure.