How to combat rising threats to public sector data security
The public sector generates and holds enormous amounts of data. This data is critical to the government’s functionality and creates significant challenges and opportunities. In recent years, the Australian government has increasingly invested in data analytics to improve its ability to leverage this data. The global pandemic accelerated this adoption while creating new challenges the sector must overcome, such as data protection.
How has the role of data management changed in Australia?
The role of data management has primarily changed due to the shift toward remote and hybrid working policies. Organisations across the globe have adapted to enable employees to work outside the office via remote access or take company-owned laptops and similar devices home. However, for many government agencies with data classified as critical, employees of some functions have had to remain in office, creating an unusual hybrid model.
The Australian government has always managed and classified data across several categories such as unclassified, official, protected, secret, and top secret. Having these controls in place across most government networks meant they were pre-enabled to allow people to work from home and access the necessary data according to their clearance. Having trust models such as this means that staff can only access data according to the classification of their security status, as they would from an office location.
While the data access part was already taken care of, with the majority of people working remotely it was the fear of malware, phishing, and spear-phishing attacks that kept government organisations on their toes. It became essential for employees and end users to be more vigilant in ensuring that their end device remained as protected as if it were in the office.
For better or worse, there is no way back to how it was before. Organisations must find alternative ways to keep data and devices secure and protected.
How is data being protected securely and efficiently?
The Australian Federal Government departments have been classifying data across the four categories outlined above for many years. Data is always protected, either according to the job role or access. Typically, you can only view the data you are classified to see. At the highest classification levels, data and information become compartmentalised. Individuals can only see the information required for a specific job role. Government organisations have typically engaged in back-up routines to protect against data loss through hardware failures and internal threat actors.
The Australian Cyber Security Centre (ACSC) recommends the ‘Essential Eight’, a minimum security standard that outlines essential processes to protect data and devices, such as ensuring that when a user leaves an organisation, their rights get instantly revoked. It also recommends the level of patching and cyber security that is required to be implemented by Australian government agencies. These recommendations have helped ensure consistency across the board and supported organisations in developing a level of maturity. Additionally, the Australian National Audit Office can audit organisations’ compliance against the ‘Essential Eight’ annually.
So, even if all the required recommendations and controls are in place, how well they are implemented decides how secure and efficient the data is in any organisation.
The growth of existing and emerging technologies is both a help and a hindrance to data management. What are the top things for the C-suite to watch out for?
One of the key things for the C-suite to watch out for is the emergence of threat actors. While we have technology that enables us to protect our infrastructure and environments better, threat actors are constantly working on better ways to access or damage data. Therefore, it is critical to be aware of the latest cyber security requirements and ready to leverage the latest technologies that will provide an organisation with the highest levels of protection.
As organisations adopt cloud to become more agile and responsive, the proliferation of cloud providers offers great diversity to an organisation but also makes it harder to determine which is the best solution and which will best protect the data. The Infosec Registered Assessors Program (IRAP) recommendations and certifications, provided by the ACSC, enable each organisation and provider to undergo an assessment that evaluates more than 1,000 security recommendation controls to ensure that data is kept safe. Numerous cloud providers have received IRAP certification, which gives an organisation a level of comfort, reassurance, and risk tolerance when selecting a cloud solution or provider. The emergence of cloud technology has also created another thing to watch out for: data duplication. However, these impacts can be minimised with a well-developed and well-thought-out cloud migration strategy.
What are the top questions being asked of the C-suite around data management?
One of the most pressing questions is how an organisation can protect against ransomware, data loss, and the subsequent potential financial impact. While data management can cover many security areas, this issue is a real threat because some ransomware can encrypt back-ups, preventing and negating the ability to recover.
What are the main challenges associated with the future of work for the C-suite of today?
Accepting the risk of enabling workers to work from any device at any location is one of the critical challenges for the C-suite of today. The bring-your-own-device idea has been discussed for years, but government agencies baulk at the thought because of the security requirements for the classifications outlined above. Many remote solutions do not allow confidential data to be transmitted over the internet, meaning that putting solutions such as zero-trust networking in place will enable an organisation to offer its end users an option to avoid utilising technologies such as virtual private networks for connecting back to the central organisation. It enables the end user to connect to a system from anywhere in the world, while providing encryption that protects data in transit from being visible to threat actors.
However, the risk models in government will need to change to enable higher classification levels to adopt these technologies. It is a question of risk and whether individual organisations are willing to adopt it, update their technologies, and embrace new ways of working.
Finally, running virtual workloads and workstations in the cloud is an option. It means that the end user is working on a pane of glass, and the data can be protected, so it cannot leak out from the glass. However, there is always a risk associated with accessing – or having external access to – the internet, as this presents another attack vector for threat actors.