Tackling Cyber Threats In The Public Sector

Last year, the Labour government came to power during a period of increasingly sophisticated cyber threats - many leveraging AI - across the UK. These attacks, ranging from ransomware to phishing, have been launched against several industries - but a growing number have targeted the public sector.

In July 2024, the UK’s data privacy watchdog reported that the personal details of millions of UK voters were left "vulnerable to hackers" because passwords were not changed and software was not updated. Alarmingly, this gave attackers access to the Electoral Commission's systems for over a year before the vulnerability was fixed.

To combat the growing cyber threats targeting public infrastructure, and to boost public sector cyber resilience, the UK government has introduced new cybersecurity regulations. These enforce consumer protections against hacking and cyber attacks, and mandate that internet-connected smart devices meet minimum-security standards by law.

However, the government will need to take further steps to achieve complete cyber resilience and to enhance the nation’s defences against attacks.

A recent Yubico survey looking at global authentication trends revealed that 70 percent of respondents had been exposed to cyber attacks in their personal lives in the past 12 months. What’s more, nine in ten cyber attacks begin with phishing according to recent research by Deloitte. Clearly, greater cybersecurity measures and increased focus on user education are critical to prevent successful attacks through phishing, and there is no better time for the British government to implement stricter cybersecurity measures than right now. In order to do so, the government must ensure all public sector organisations develop cyber resilience and have the necessary tools in place to protect themselves against cyber threats.

Moving On From Insecure Legacy Authentication To Modern MFA

Despite the dangers, many organisations still rely on outdated authentication methods like passwords to protect themselves and their data. In fact, Yubico’s survey found that 39 percent of employees believe that simply using a username and password is the most secure way to protect accounts and information - despite being an inherently insecure and outdated form of protection.

While employing multi-factor authentication (MFA) is more secure than relying solely on passwords, some MFA methods are much more effective than others. For instance, legacy MFA methods like one-time passwords (OTPs), which cyber criminals can intercept, will always be susceptible to sophisticated phishing attacks. Furthermore, artificial intelligence (AI) can easily replicate authentication methods which utilise facial or voice recognition – exacerbating the threat to users and enterprises.

To significantly boost public sector security, users and organisations should employ modern MFA tools like passkeys, including hardware security keys.

These phishing-resistant solutions authenticate users with cryptographic keys stored on their computer or device, offering the highest level of security for managing logins across platforms and devices. Remote attackers cannot intercept or steal security keys, meaning only the key holder can access their accounts.

Additionally, cyber criminals cannot copy the passkeys stored on hardware devices, and authentication is only possible on verified sites or apps, meaning account credentials are not issued to hostile websites, even if the user is deceived. By using passkeys to protect the accounts of public sector professionals, users and organisations can ensure their data is kept safe even in the event of an individual being tricked by a phishing attack.
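
Added example, not part of the original article or any vendor's code: a sketch of the challenge, origin and RP ID checks a relying party runs on a WebAuthn (passkey) assertion, which is why a sign-in made on a lookalike site is not accepted by the real one. The domains and sample data are constructed, and the signature check over the same data is omitted so the sketch needs only the standard library.

```python
import base64, hashlib, json

RP_ID = "login.example.org"                   # constructed relying-party ID
EXPECTED_ORIGIN = "https://login.example.org"  # constructed origin of the real site

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def check_assertion(client_data_json: bytes, authenticator_data: bytes,
                    expected_challenge: bytes) -> str:
    """Return "ok", or the reason the relying party rejects the assertion."""
    client = json.loads(client_data_json)
    if client.get("type") != "webauthn.get":
        return "wrong type"
    # The challenge is single-use and issued by this server for this login.
    if client.get("challenge") != b64url(expected_challenge):
        return "challenge mismatch"
    # The browser, not the page, writes the origin the user is really on.
    if client.get("origin") != EXPECTED_ORIGIN:
        return "origin mismatch"
    # authenticatorData = rpIdHash (32 bytes) | flags (1) | signCount (4) ...
    if len(authenticator_data) < 37:
        return "authenticator data too short"
    if authenticator_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return "rpIdHash mismatch"
    if not authenticator_data[32] & 0x01:      # UP flag: user presence
        return "user not present"
    return "ok"

def sample_assertion(origin: str, rp_id: str, challenge: bytes):
    """Constructed stand-in for what a browser and authenticator emit."""
    client_data = json.dumps({"type": "webauthn.get",
                              "challenge": b64url(challenge),
                              "origin": origin}).encode()
    auth_data = (hashlib.sha256(rp_id.encode()).digest()
                 + bytes([0x01]) + (1).to_bytes(4, "big"))
    return client_data, auth_data

if __name__ == "__main__":
    challenge = bytes(range(32))               # constructed; real servers use random bytes
    real = sample_assertion(EXPECTED_ORIGIN, RP_ID, challenge)
    fake = sample_assertion("https://login.example.org.lookalike.test",
                            "login.example.org.lookalike.test", challenge)
    print(check_assertion(*real, challenge))
    print(check_assertion(*fake, challenge))
```

A one-time password carries no equivalent of the origin or RP ID fields, so a server receiving it cannot tell where the user typed it.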

It’s Time For A Phishing-Resistant Future

Nevertheless, to ensure the highest level of security and decrease the likelihood of phishing attacks succeeding, public sector organisations must implement measures beyond merely investing in phishing-resistant authentication: they must focus on developing phishing-resistant users. With well over half of data breaches succeeding due to a human element, such as falling victim to a social engineering attack or a lapse in judgement, developing phishing-resistant users is more important than ever.

Given that users frequently switch between platforms and devices, conventional authentication techniques are fundamentally phishable. In cases where a new employee is being onboarded or a device is lost or stolen, organisations tend to default temporarily to phishable user registration, which gives a phishing attack an opening. Ensuring phishing resistance in the processes of registration, authentication and recovery is essential for developing phishing-resistant users.

To truly eliminate the risk of phishing, organisations must equip employees with phishing-resistant MFA and consider using hardware security keys as their primary method of authentication. Public sector organisations should also adopt technology-driven solutions that reduce dependence on user training, while offering vital education regarding the fundamental principles and advantages of phishing-resistant MFA and sound cyber hygiene practices.

While the UK government has taken steps to develop greater cyber resilience across the public sector, there is still more to be done to ensure that organisations’ and individuals’ sensitive data remain protected. This starts with promoting a phishing-resistant culture, of which passkeys are the basis.

Niall McConachie is Regional Director (UK & Ireland) at Yubico
