Tackling Cyber Threats In The Public Sector

Last year, the Labour government came to power during a period of increasingly sophisticated cyber threats across the UK, many of them leveraging AI. These attacks, ranging from ransomware to phishing, have hit several industries, but a growing number have targeted the public sector.

In July 2024, the UK’s data privacy watchdog, the Information Commissioner's Office, reprimanded the Electoral Commission after finding that the personal details of millions of UK voters had been left "vulnerable to hackers" because passwords were not changed and software was not updated. Alarmingly, attackers had access to the Commission's systems for over a year before the weaknesses were fixed.

To combat the growing threats to public infrastructure, and to boost public sector cyber resilience, the UK government has introduced new cybersecurity regulations. These give consumers legal protection against hacking by requiring internet-connected smart devices to meet minimum security standards, such as not shipping with universal default passwords.

However, the government will need to go further to achieve genuine cyber resilience and to strengthen the nation’s defences against attack.

A recent Yubico survey of global authentication trends found that 70 percent of respondents had been exposed to cyber attacks in their personal lives in the past 12 months, and recent research by Deloitte puts the share of cyber attacks that begin with phishing at nine in ten. Stronger cybersecurity measures and a sharper focus on user education are clearly critical to stopping phishing, and there is no better time for the British government to act than now. To do so, it must ensure that every public sector organisation builds cyber resilience and has the tools in place to protect itself against these threats.

Moving On From Insecure Legacy Authentication To Modern MFA

Despite the dangers, many organisations still rely on outdated authentication methods such as passwords alone to protect themselves and their data. In fact, Yubico’s survey found that 39 percent of employees believe a username and password is the most secure way to protect accounts and information, even though it is an inherently insecure and outdated form of protection.

While multi-factor authentication (MFA) is more secure than relying solely on passwords, some MFA methods are far more effective than others. Legacy methods such as one-time passwords (OTPs), whether sent by SMS or generated by an app, will always be susceptible to sophisticated phishing: a proxy site that mimics the real login page can capture the code and relay it to the genuine service within its validity window. Likewise, AI-generated deepfakes can now defeat remote face or voice recognition checks, widening the threat to users and enterprises.

To significantly boost public sector security, users and organisations should adopt modern, phishing-resistant MFA such as FIDO2 passkeys, including device-bound passkeys held on hardware security keys.

These solutions authenticate users with public-key cryptography rather than a shared secret. At registration the user's device or security key generates a key pair for that site, keeps the private key on the device, and gives the site only the public key; at each login the device signs a fresh challenge from the site, proving possession of the key without a secret ever crossing the network. Because there is nothing reusable to intercept, a remote attacker cannot steal the credential and only the holder of the key can use it, which makes this the strongest widely available way to secure logins across platforms and devices.

Additionally, the private keys held on hardware security keys cannot be exported, so criminals cannot copy them, and each credential is bound to the domain it was registered for: the browser only offers a site the credentials scoped to its own origin, so a look-alike phishing page is given nothing usable even when the user is deceived. By protecting the accounts of public sector professionals with passkeys, organisations can keep data safe even when an individual is tricked by a phishing lure.
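As an added illustration, not part of the article and not Yubico's code, the following Go program models the FIDO2/WebAuthn ceremony described above: a key pair scoped to the site's domain, a per-login challenge signed together with the origin the browser observed, and the relying party's checks. The domains and the fixed challenge strings are constructed for the example, and the structures are a simplified version of the real clientDataJSON and authenticator data.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// Authenticator models a security key: private keys never leave it, and each is scoped to one Relying Party ID (domain).
type Authenticator struct {
	keys map[string]*ecdsa.PrivateKey // rpID -> private key
}

// clientData is simplified from WebAuthn's clientDataJSON; the browser, not the page, fills in Origin from the URL bar.
type clientData struct {
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

type Assertion struct {
	RPIDHash   [32]byte // SHA-256 of the rpID the credential is bound to
	ClientData []byte
	Signature  []byte // ECDSA over SHA-256(RPIDHash || SHA-256(ClientData))
}

// Register creates a key pair for rpID; the site stores only the public key, so there is no shared secret to phish or dump.
func (a *Authenticator) Register(rpID string) *ecdsa.PublicKey {
	if a.keys == nil {
		a.keys = map[string]*ecdsa.PrivateKey{}
	}
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	a.keys[rpID] = priv
	return &priv.PublicKey
}

func signedDigest(rpIDHash [32]byte, cd []byte) []byte {
	cdHash := sha256.Sum256(cd)
	d := sha256.Sum256(append(rpIDHash[:], cdHash[:]...))
	return d[:]
}

// Assert is the device side of navigator.credentials.get(): it signs only with a key scoped to rpID.
func (a *Authenticator) Assert(rpID, origin, challenge string) (*Assertion, error) {
	priv, ok := a.keys[rpID]
	if !ok {
		return nil, fmt.Errorf("no credential registered for %q", rpID)
	}
	cd, _ := json.Marshal(clientData{Challenge: challenge, Origin: origin})
	rpHash := sha256.Sum256([]byte(rpID))
	sig, err := ecdsa.SignASN1(rand.Reader, priv, signedDigest(rpHash, cd))
	if err != nil {
		return nil, err
	}
	return &Assertion{RPIDHash: rpHash, ClientData: cd, Signature: sig}, nil
}

// Verify is the relying party's check; every compared field is under the signature, so nothing can be patched up in transit.
func Verify(pub *ecdsa.PublicKey, rpID, expectedOrigin, issuedChallenge string, asr *Assertion) error {
	var cd clientData
	if err := json.Unmarshal(asr.ClientData, &cd); err != nil {
		return err
	}
	switch {
	case cd.Challenge != issuedChallenge:
		return fmt.Errorf("challenge mismatch: replayed or stale assertion")
	case cd.Origin != expectedOrigin:
		return fmt.Errorf("origin %q is not %q: assertion came from a phishing page", cd.Origin, expectedOrigin)
	case asr.RPIDHash != sha256.Sum256([]byte(rpID)):
		return fmt.Errorf("rpId hash mismatch")
	case !ecdsa.VerifyASN1(pub, signedDigest(asr.RPIDHash, asr.ClientData), asr.Signature):
		return fmt.Errorf("bad signature")
	}
	return nil
}

// Scenario runs three logins against one credential. Fixed challenge strings stand in for the fresh random nonce a real RP issues per login.
func Scenario() (legit, lookalikeHasNoKey, relayedRejected bool) {
	const rpID, evil = "login.example.gov.uk", "login-example-gov.uk" // hypothetical domains
	auth := new(Authenticator)
	pub := auth.Register(rpID)
	// 1. Genuine login at the real origin.
	asr, err := auth.Assert(rpID, "https://"+rpID, "nonce-1")
	legit = err == nil && Verify(pub, rpID, "https://"+rpID, "nonce-1", asr) == nil
	// 2. Lured to the look-alike: the browser derives rpID from that domain, and the key holds nothing for it.
	_, err = auth.Assert(evil, "https://"+evil, "nonce-2")
	lookalikeHasNoKey = err != nil
	// 3. Defence in depth: an assertion for the real rpID made while the browser sat on the attacker's
	//    origin is still rejected, because the origin is inside the signed data (an OTP has no such binding).
	asr, _ = auth.Assert(rpID, "https://"+evil, "nonce-3")
	relayedRejected = Verify(pub, rpID, "https://"+rpID, "nonce-3", asr) != nil
	return
}
```

Calling Scenario() returns true, true, true. The second case is the everyday protection: the look-alike domain simply has no credential, so the user cannot be walked through a login at all. The third case is why the relying party must still check the signed origin and challenge itself rather than trusting the client, and it is the contrast with an OTP, which carries no information about where it was typed.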

It’s Time For A Phishing-Resistant Future

Nevertheless, to achieve the highest level of security and further reduce the chance of phishing succeeding, public sector organisations must go beyond buying phishing-resistant authentication: they must develop phishing-resistant users. With well over half of data breaches involving a human element, such as falling for a social engineering attack or a lapse in judgement, this is more important than ever.

Because users frequently move between platforms and devices, they are repeatedly asked to register, sign in and recover access, and the conventional techniques used at those moments are fundamentally phishable. When a new employee is onboarded, or a device is lost or stolen, organisations tend to fall back temporarily on phishable enrolment or recovery flows such as a password, an emailed link or an SMS code, and attackers exploit exactly these gaps. Phishing resistance across registration, authentication and recovery, not just the login itself, is essential for developing phishing-resistant users.

To remove phishing as a route to credential theft, organisations must equip employees with phishing-resistant MFA and consider making hardware security keys their primary method of authentication. Public sector organisations should also favour technical controls that do not depend on users spotting an attack, while still educating staff on the principles and advantages of phishing-resistant MFA and sound cyber hygiene.

While the UK government has taken steps to build greater cyber resilience across the public sector, there is still more to do to ensure that organisations’ and individuals’ sensitive data remain protected. This starts with promoting a phishing-resistant culture, and passkeys are its foundation.

Niall McConachie is Regional Director (UK & Ireland) at Yubico
