Tackling Cyber Threats In The Public Sector

Uploaded on 2025-01-17 in TECHNOLOGY--Resilience, GOVERNMENT-National, FREE TO VIEW, BUSINESS-Services-Consulting

Last year, the Labour government entered into power during a period of increasingly sophisticated cyber threats - many leveraging AI - across the UK. These cyber attacks, ranging from ransomware attacks to phishing, have been launched against several industries - but a growing number have targeted the public sector.

In July 2024, the UK’s data privacy watchdog reported that the personal details of millions of UK voters were left "vulnerable to hackers" because passwords were not changed and software was not updated. Alarmingly, this gave attackers access to the Electoral Commission's systems for over a year before the vulnerability was fixed.

To combat the growing cyber threats targeting public infrastructure, and to boost public sector cyber resilience, the UK government has introduced new cybersecurity regulations. These enforce consumer protections against hacking and cyber attacks, and mandate that internet-connected smart devices meet minimum-security standards by law.

However, the government will need to take further steps to achieve complete cyber resilience and to enhance the nation’s defences against attacks.

A recent Yubico survey looking at global authentication trends revealed that 70 percent of respondents had been exposed to cyber attacks in their personal lives in the past 12 months. What’s more, nine in ten cyber attacks begin with phishing according to recent research by Deloitte. Clearly, greater cybersecurity measures and increased focus on user education are critical to prevent successful attacks through phishing, and there is no better time for the British government to implement stricter cybersecurity measures than right now. In order to do so, the government must ensure all public sector organisations develop cyber resilience and have the necessary tools in place to protect themselves against cyber threats.

Moving On From Insecure Legacy Authentication To Modern MFA

Despite the dangers, many organisations still rely on outdated authentication methods like passwords to protect themselves and their data. In fact, Yubico’s survey found that 39 percent of employees believe that simply using a username and password is the most secure way to protect accounts and information - despite being an inherently insecure and outdated form of protection.

While employing multi-factor authentication (MFA) is more secure than relying solely on passwords, some MFA methods are much more effective than others. For instance, legacy MFA methods like one-time passwords (OTPs), which cyber criminals can intercept, will always be susceptible to sophisticated phishing attacks. Furthermore, artificial intelligence (AI) can easily replicate authentication methods which utilise facial or voice recognition – exacerbating the threat to users and enterprises.

To significantly boost public sector security, users and organisations should employ modern MFA tools like passkeys, including hardware security keys.

These phishing-resistant solutions work by authenticating users using cryptographic security keys stored on their computer or device, offering the highest level of security for managing logins across platforms and devices. Security keys are also phishing resistant, and remote attackers cannot intercept or steal them, meaning only the key holder can access their accounts.

Additionally, cyber criminals cannot copy the passkeys stored on hardware devices, and authentication is only possible on verified sites or apps, meaning account credentials are not issued to hostile websites, even if the user is deceived. By using passkeys to protect the accounts of public sector professionals, users and organisations can ensure their data is kept safe even in the event of an individual being tricked by a phishing attack.

It’s Time For  A Phishing-Resistant Future

Nevertheless, to ensure the highest level of security and decrease the likelihood of phishing attacks succeeding, public sector organisations must implement measures beyond merely investing in phishing-resistant authentication: they must focus on developing phishing-resistant users. With well over half of data breaches succeeding due to a human element, such as falling victim to a social engineering attack or a lapse in judgement, developing phishing-resistant users is more important than ever.

Given that users frequently switch between platforms and devices, conventional authentication techniques are fundamentally phishable. In cases when a new employee is being onboarded or when a device is lost or stolen, organisations tend to temporarily default to phishable user registration, creating opportunities for a phishing attack to take place when these vulnerabilities are exploited. Ensuring phishing resistance in the processes of registration, authentication and recovery is essential for developing phishing-resistant users.

To truly eliminate the risk of phishing, organisations must equip employees with phishing-resistant MFA and consider using hardware security keys as their primary method of authentication. Public sector organisations should also adopt technology-driven solutions that reduce dependence on user training, while offering vital education regarding the fundamental principles and advantages of phishing-resistant MFA and sound cyber hygiene practices.

While the UK government has taken steps to develop greater cyber resilience across the public sector, there is still more to be done to ensure that organisations’ and individuals’ sensitive data remain protected. This starts with promoting a phishing-resistant culture, of which passkeys are the basis.

Niall McConachie is Regional Director (UK & Ireland) at Yubico

Image: Ideogram

You Might Also Read:

Mobile Authentication: The Good, The Bad & The Ugly:

If you like this website and use the comprehensive 7,000-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible

 

 

« President Biden’s Final Cyber Security Executive Order  
Salt Typhoon - The Chinese Telecom Hack »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

DigitalStakeout

DigitalStakeout

DigitalStakeout enables cyber security professionals to reduce cyber risk to their organization with proactive security solutions, providing immediate improvement in security posture and ROI.

The PC Support Group

The PC Support Group

A partnership with The PC Support Group delivers improved productivity, reduced costs and protects your business through exceptional IT, telecoms and cybersecurity services.

Alvacomm

Alvacomm

Alvacomm offers holistic VIP cybersecurity services, providing comprehensive protection against cyber threats. Our solutions include risk assessment, threat detection, incident response.

Clayden Law

Clayden Law

Clayden Law advise global businesses that buy and sell technology products and services. We are experts in information technology, data privacy and cybersecurity law.

ZenGRC

ZenGRC

ZenGRC - the first, easy-to-use, enterprise-grade information security solution for compliance and risk management - offers businesses efficient control tracking, testing, and enforcement.

Bryan Cave LLP

Bryan Cave LLP

Bryan Cave LLP is a global business and litigation law firm. Practice areas include Data Privacy and Security.

Devo Technology

Devo Technology

Devo Security Operations is a next-gen cloud SIEM that enables you to gain complete visibility, reduce noise, and focus on the threats that matter most to the business.

Alan Boswell Group

Alan Boswell Group

We are a Group of Companies providing specialist Insurance Broking and Risk Management advice and services including Cyber Risk cover.

Achtwerk

Achtwerk

Achtwerk manufacture the security appliance IRMA for critical infrastructures and networked automation in production plants.

Ravelin Technology

Ravelin Technology

Ravelin prevents chargebacks, fraud, and account takeover. Machine learning and human insight combine for highly accurate fraud detection and prevention.

Altipeak Security

Altipeak Security

Altipeak Security provide Safewalk - a flexible and robust authentication platform through which we offer improved security to SMBs, corporates, banks, insurance companies, healthcare and more.

Paladin Capital Group

Paladin Capital Group

Paladin is a leading global investor that supports and grows the world’s most innovative cyber companies.

Plug and Play Tech Center

Plug and Play Tech Center

Plug and Play is the ultimate innovation platform, bringing together the best startups and the world’s largest corporations.

Estio Training

Estio Training

Estio Training is a specialist digital and IT apprenticeships provider, dedicated to introducing new skills and developing existing talent in businesses across the UK.

KanREN

KanREN

KanREN is a member based consortium offering custom, world-class network services and support for researchers, educators, and public service institutions in the state of Kansas.

01 Communique Laboratory

01 Communique Laboratory

01 Communique Laboratory is an innovation leader in the new realm of Post-Quantum Cyber Security.

Orpheus Cyber

Orpheus Cyber

Orpheus Cyber provides predictive and actionable intelligence to our clients - enabling them to anticipate, prepare for and respond to the cyber threats they face.

Green Enterprise Solutions

Green Enterprise Solutions

Green Enterprise Solutions are a Namibian company providing Information and Communication Technology (ICT) services to corporate Namibia.

Averlon

Averlon

Averlon offers organizations peerless cloud security through Panoptic Cloud Visibility, Predictive Attack Intelligence and Rapid Remediation.

AUCyber

AUCyber

AUCyber is a leading provider of managed cyber security solutions and consultancy services, specialising in supporting Australian organisations and Government agencies.

Pontiro

Pontiro

At Pontiro, we are enabling a new era of data-sharing. Bridging the gap between protected data and valuable insights through the use of cutting edge Homomorphic Encryption.