Cloud reluctance creates data risks for government
Government agencies are facing increasing risks from cyber attacks, but a reluctance to adopt cloud solutions could be driving their vulnerability to human error, state-based actors and sophisticated threats.
The Australian Government is now one of the top five industry sectors for data breach notifications, according to the latest Notifiable Data Breaches (NDB) report from the Office of the Australian Information Commissioner.
Government agencies reported 33 notifications in the six months to December 2020 and this follows an Australian Securities and Investments Commission breach through a vulnerability in a legacy software application.
Government agencies typically prefer to ring-fence their data with legacy solutions that are verified, stable and have stood the test of time. While this may be necessary to ensure data sovereignty, the risks of using locally managed software over cloud software can no longer be ignored.
Legacy software was developed before today's threat landscape existed and relies on layers of bolted-on security tooling that defends the perimeter rather than the data behind it. As threats continue to evolve, these systems become more vulnerable, paving the way for more data breaches. A network of disparate systems is exposed to attacks that exploit the gaps between them. A firewall may protect the infrastructure, but if the data itself is not secured, an attacker who gets past the perimeter can still read it.
End-to-end encryption (E2EE) is the most effective way to limit the damage of an attack of any magnitude. E2EE protects sensitive data by keeping the key with the data's owner rather than inside the system that stores the data: the data is encrypted before it reaches the provider and decrypted only on the owner's side. Attempts to breach systems will continue, but combining E2EE with modern tools that give more visibility and control results in genuine data protection, control and ownership, even in the cloud. Such solutions prevent massive leaks by rendering stolen data useless to attackers, provided the keys themselves stay outside the compromised system.
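The mechanism described above (and the point made earlier that a firewall around the infrastructure does not protect the data itself), as an added illustration that is not code from the article or from any provider it refers to: an owner-held key encrypts each object with AES-256-GCM before it is handed to a simulated cloud store, so a full breach of that store yields only ciphertext, and any attempt to read a stored object under a different key, under a different name, or after tampering fails. The `Owner`, `CloudStore` and `Envelope` names and the sample record are constructed for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Envelope is all the provider ever stores: a random nonce plus the AES-GCM
// ciphertext and its authentication tag. It contains no key material.
type Envelope struct {
	Nonce      []byte
	Ciphertext []byte
}

// Owner holds the data-encryption key on the client side. The key is generated
// here and never serialised, so a provider-side breach cannot recover it.
type Owner struct {
	aead cipher.AEAD
}

// NewOwner generates a fresh random AES-256 key and wraps it in an AEAD.
func NewOwner() (*Owner, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Owner{aead: aead}, nil
}

// Seal encrypts plaintext before it leaves the owner's system. The object name
// is bound in as associated data, so a stored object cannot be swapped for
// another one or renamed without the owner noticing on Open.
func (o *Owner) Seal(name string, plaintext []byte) (Envelope, error) {
	nonce := make([]byte, o.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Envelope{}, err
	}
	ct := o.aead.Seal(nil, nonce, plaintext, []byte(name))
	return Envelope{Nonce: nonce, Ciphertext: ct}, nil
}

// Open decrypts and verifies an envelope fetched back from the provider. Any
// change to nonce, ciphertext, tag or name makes it return an error.
func (o *Owner) Open(name string, env Envelope) ([]byte, error) {
	return o.aead.Open(nil, env.Nonce, env.Ciphertext, []byte(name))
}

// CloudStore stands in for the provider's object storage; it never sees keys.
// Dump models a full breach: the attacker gets every object the provider holds.
type CloudStore map[string]Envelope

func (c CloudStore) Put(name string, env Envelope) { c[name] = env }
func (c CloudStore) Dump() map[string]Envelope     { return c }

func main() {
	owner, err := NewOwner()
	if err != nil {
		panic(err)
	}
	store := CloudStore{}
	// Constructed sample record for the demo; not real data.
	const name = "citizen-records.csv"
	env, err := owner.Seal(name, []byte("id,name,dob\n1,Example Person,1970-01-01\n"))
	if err != nil {
		panic(err)
	}
	store.Put(name, env) // only ciphertext crosses into the provider

	// Legitimate read path: the owner fetches and decrypts with its own key.
	pt, err := owner.Open(name, store[name])
	fmt.Printf("owner read back: %q (err=%v)\n", pt, err)

	// Breach: the attacker obtains everything the provider stored ...
	for n, e := range store.Dump() {
		fmt.Printf("leaked object %s: %x\n", n, e.Ciphertext)
	}
	// ... but without the owner's key, decryption yields only an error.
	attacker, _ := NewOwner() // some key the owner never shared
	_, err = attacker.Open(name, store[name])
	fmt.Println("attacker decrypt:", err)

	// Tampering: flipping one ciphertext byte is caught by the GCM tag.
	tampered := Envelope{Nonce: env.Nonce, Ciphertext: append([]byte(nil), env.Ciphertext...)}
	tampered.Ciphertext[0] ^= 0x01
	_, err = owner.Open(name, tampered)
	fmt.Println("tampered object:", err)
}
```

The guarantee holds only while the key stays out of the breached system, so in a real deployment the owner's key would itself be protected (a hardware-backed keystore, an HSM, or a key-management service the agency controls) and never stored alongside the ciphertext.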
The latest NDB report also reveals human error as the public sector’s biggest cyber issue, which hasn’t been helped by the uptake in remote work. This trend drove an 18% proportional increase in human error across all industries and is likely to continue with the surging shift to telework.
State-based actors are also responsible for cyber attacks on government agencies and have enormous resources to discover and exploit vulnerabilities in software. These same actors use social engineering and bribery of corrupt employees as other attack vectors, putting huge pressure on public sector employees, who have only been armed with education and training to combat these threats.
Bad actors and the threats they pose continue to get smarter, and education and training will only go so far in protecting sovereign data. Relying on staff to recognise sophisticated attacks through social engineering and trying to reinforce legacy systems are not viable solutions.
Rather than put the onus of cyber awareness on staff, government agencies should make it an inherent part of their organisational security through safe-by-design concepts. Attacks by state-based actors can't be prevented, but the right provider can stop them from reading data if and when they infiltrate the network.
Government agencies face a large-scale change management project to mitigate the long-term risks of locally managed software and the impact of human error in highly protected environments. It starts with accepting the need to shift to the cloud and having a provider that understands how to properly protect data with end-to-end encryption.