With the increase in the volume and complexity of data, however, has come an increased risk of its loss, theft, or misuse through malicious attacks or mismanagement, many of which threaten citizens’ privacy and security and cause serious disruption to essential services.
Recent high-profile data breaches, many of which involved outdated legacy IT platforms, have brought these security concerns into the spotlight.
The adoption of cloud-based IT systems, though not universal, is helping to reduce this risk: mature cloud platforms provide robust security safeguards and encryption of data both in transit and at rest. However, the transition from on-premises or hybrid server data management to remote cloud systems poses its own security challenges.
The first concerns establishing best practices among staff for managing data that may be shared with other people and organizations, a need that has grown with the rise of collaboration tools.
The second is the growth of ‘shadow IT’ - productivity applications downloaded by staff and used on both personal and work devices, often without the knowledge or authorization of IT managers. Such applications sit outside the organization’s security controls and can give attackers a route to bypass system security and reach sensitive data.
In both cases, the challenge can be met with coordinated staff training and education, so that everyone in the organization - not just IT teams - understands the risks and commits to the standards set out in the organization’s Information Security Management System (ISMS).
Public services have an obligation to embrace the government’s digital transformation agenda and make the most of the efficiencies modern cloud-based computing brings. However, the pace of this uptake must never come at the expense of security for users, organizations and, above all, citizens.
The sheer volume of sensitive information now held and shared across networks means organizations of every kind are targets for cybercriminals wishing to disrupt critical services or profit from the monetary value of data on the dark web. Increasingly, cyber-attacks are mounted not only by individual malicious actors but by nation-states acting through proxies (intermediary groups and infrastructure) that make it even more difficult to trace attacks and attribute blame.
Cyber-attacks commonly fall into three main categories:
Distributed Denial of Service (DDoS) - DDoS attacks are launched from botnets: large networks of compromised computers and devices that are used, without their owners’ knowledge, to swamp websites and other networks with traffic and connection requests until their capacity to operate is overwhelmed. Those behind such attacks will often demand ransom payments to call them off.
Ransomware - Ransomware is malicious software that infiltrates network systems, often via unscreened email attachments or software downloads, and encrypts data or locks systems so that part or all of the network’s functions are paralyzed until a ransom is paid.
Massive data breaches - Data breaches can be malicious, when criminals break into network systems to steal sensitive information, or accidental, when information is leaked, lost, or inadvertently placed in the public domain.
With today’s citizens expecting fast, easy, personalized digital experiences, public organizations need platforms and systems capable of adapting to those demands while helping to prevent cyber-attacks. The growth in attacks, human error, data breaches and Bring-Your-Own-Device (BYOD) policies, together with the need to both share and protect organizational information, is prompting public organizations to consider digital transformation strategies.
Evolving technologies and emerging threats continue to play a part in risk management. As data and applications move to the cloud and remote working becomes more common, it is imperative that data owners, together with their technology leadership teams, understand their regulatory requirements and identify the appropriate training and technical processes.
Using information security standards can offer a set of powerful business and marketing tools for organizations of all sizes. You can use them to fine-tune your performance and manage the cybersecurity risks you face while operating in more efficient and sustainable ways. They’ll allow you to demonstrate the quality of your information security to your customers, and they help you to see how to embed data protection best practices into your organization.
BS EN ISO/IEC 27001 Information security management system (ISMS) - an excellent framework that helps organizations manage and protect their information assets so that they remain safe and secure. It requires you to continually review and refine the way you do this, not only for today but also for the future. That is how BS EN ISO/IEC 27001 protects your business and your reputation and adds value.
BS EN ISO/IEC 27701 Privacy information management - extends BS EN ISO/IEC 27001 and 27002 with requirements and guidance for a privacy information management system, including how organizations should manage personal information, and assists in demonstrating compliance with privacy regulations around the world.
BS EN ISO/IEC 27002 Security controls - provides guidelines to help organizations select, implement and manage information security controls, taking into account their risk environment. By implementing and maintaining suitable controls, organizations become less susceptible to information security breaches and the financial and reputational damage they cause.
BS EN ISO/IEC 27017 Security controls for cloud services - provides additional controls and implementation guidance for cloud service providers and cloud service customers. It clarifies both parties’ roles and responsibilities, so that cloud services can be protected as securely as the rest of the information assets covered by a certified information security management system.
BS 10012 Personal information management system - provides a best practice framework for a personal information management system that is aligned to the principles of the EU GDPR. It outlines the core requirements organizations need to consider when collecting, storing, processing, retaining, or disposing of personal records relating to individuals.
To prepare your public service business for facing cybersecurity challenges, add our cybersecurity standards to your collection today.
In the face of growing cybersecurity threats, all businesses in the public sector need to strengthen their information security. However, knowing which standards can help you and how to share their guidance within your organization can seem like a huge challenge.
With a BSI Knowledge subscription, you will have the flexibility and visibility to manage the key standards you need in order to enhance your cybersecurity processes with confidence. Build your own custom collection of standards, or opt for access to one of our pre-built modules, such as GBM24 Information Technology - Software & Networking, and keep up to date with any relevant changes to your standards strategy.