Five Cybersecurity Insights for the Public Sector

A new global study conducted by Ponemon Institute explores cyber risk in the public sector: What are the top priorities for public sector cybersecurity leaders in 2019? Why has preventing attacks on OT become a major concern?

Cybersecurity in Public Sector: Five Insights You Need to Know presents the results of a Ponemon Institute study, sponsored by Tenable, which queried 244 public sector professionals on four continents regarding their current cybersecurity operations. The respondents represented a proportional mix of leadership, management and operations roles in both IT and information security. The breadth of respondents is important because the results, therefore, reflect the opinions of those who create cyber strategy, those who implement it and those who face the day-to-day realities of this complex subject.

In this blog post, I’ll summarize the key findings from the study as well as offer my own insights to help explain what is driving the respondents’ opinions.

Cybersecurity in public sector: five insights you need to know

The five insights presented in the study and the order in which they appear are equally important for understanding the current posture of public sector cybersecurity. The first insight from the study is that public sector cyber-related attacks are ceaseless. In fact, 88% of public sector organizations have suffered at least one damaging cyberattack over the past two years; 62% have experienced two or more.Cyberattacks in the public sector have been rampant for many years prior to 2019 and will remain true well into the future.

However, the second insight – that attacks on IoT and OT assets are now a top priority – is an emerging concern that directly impacts the remaining three insights. IoT and OT assets create a larger number of potential vulnerabilities, requiring both enhanced visibility (third insight) into an expanded attack surface and staff who know how to cover these new assets.

Furthermore, the expanded attack surface alters the relationship between cyber risk and business risk (fourth insight) by adding the catastrophic effects of a loss of critical IoT or OT services to the mix. This would be similar to planning for a hurricane or other natural disaster, but without the “natural” part.

Finally, the number of incremental vulnerabilities inherent in an expanded attack surface demand better prioritization of those vulnerabilities (fifth insight) for remediation to stay one step ahead of the bad guys.

It’s time to pay more attention to the entire attack surface, including IoT and OT

Here are my insights that provide additional context for the study’s findings:

• The easy stuff is done already. Public sector cyber professionals have done an excellent job promoting basic cyber hygiene among public sector employees. As a result, phishing attacks have been dramatically reduced in the public sector. This means that more attention can now be given to complex threat vectors that target IoT and OT.
• Digital transformation has expanded the attack surface. The swift pace of digital transformation in the public sector has created a swift expansion of the digital attack surface, with more IoT and OT devices being used to improve community services. “Smart city” and “smart state” initiatives have increased demand for new mobile applications and interconnected devices, all of which is increasing the number of threats confronting public sector IT and infosec professionals.
• Converged IT/OT environments. Public sector IT and cybersecurity leaders are increasingly being asked to manage a converged IT/OT environment, requiring them to adopt methods and tools that help to identify, prioritize and remediate vulnerabilities more efficiently.
• Cyber is cool. Today’s youth have had “eyes on glass” since before they could walk. High schools teach information security courses. Universities now grant degrees in information security. The military has created scads of new cyberwarrior roles. All this means cyber is now officially cool. Unfortunately for public sector IT and security professionals, this means recruiting and retention have become infinitely harder.

For a closer look at the study, download Cybersecurity in Public Sector: Five Insights You Need to Know now.