Cybersecurity in the public sector: how to protect citizens’ data

Data from cibersecurity in the public sector confirm that 214.6 million euros were invested in 2022 to protect citizens’ interests. It reviews the most dangerous threats and the most appropriate measures to prevent cyber-attacks on state institutions.

The main cybersecurity threats in the public sector

According to the INCIBE on the state of cybersecurity in Spain, the most common security problems are three. The first is phishing or identity theft of the infected institution. The second is ransomware, a virus that demands a financial ransom to recover the hijacked information. And the third is malware aimed at theft of taxpayers’ personal information.

Another serious threat is the possibility of using the data for cyber espionage, illegal cryptomining or attacking the supply chain of the software used. The threats are completed by others such as:

• The data leak. It is estimated that data leakage is caused by the carelessness of officials with devices such as tablets, laptops or smartphones that facilitate the theft of information. Especially if they connect to the internet using a public wifi network.
• The lack of correction of the observed vulnerabilities. According to a survey by the consultancy Gartner, 56% of government agencies say that manual processes hamper their adaptability. 51% say that dealing with the correction of incidents in real time is an almost unbearable task due to the backlog of cases.

Both examples require specific measures to be taken to help minimise the risks and, above all, to avoid end-user impact; At the same time, each victim could sue the state at the expense of the public purse to pay compensation.

Cybersecurity measures to protect citizens’ data

One of the measures needed to improve cyber security in the public sector is to create effective frameworks for the whole country. In addition, it is important to develop a cyber security policy with stipulated guidelines. The goal is to create a framework that provides a more strategic and better adapted vision at the high level of the cyber security advocacy lifecycle. This makes it essential that:

• The organization understands the real risk of cyberattack and fraud. Regardless of its characteristics, the illegal collection of personal data can end up causing irreparable harm.
• The most recommended practices are applied to avoid the problem. Of course, prior training of officials is essential to speed up the process.
• The risk can be administer in a more recommendable way to improve the security of the services and infrastructures most sensitive to a possible attack.
• This measure is aligned with the National Cybersecurity Strategy, which envisages the creation of a National Cybersecurity Council as a consultative and advisory body to the Government in this area. The initial policy needs to be implemented with further research to facilitate the implementation of better strategies. Protecting yourself against potential threats, as well as real ones, is synonymous with success.
• Employees are made aware of the importance of cybersecurity. Most data breaches are caused by an oversight on the part of the official. Training on metadata and its removal and also on developments in the cyber security sector is extremely useful.
• Public events must have cyber insurance. A cyber insurance ‘is a policy that covers financial and legal damages resulting from a cyber attack, such as loss or theft of data, interruption of service or liability to third parties’. It is not always possible to fully mitigate the damage caused by an attack. It is therefore essential to take out a cyber insurance policy to protect users of websites that could be attacked.
• Prevention is the common denominator of all actions. The process starts with a daily backup and continues with software updates. At the same time, the vulnerability of the network has to be assessed and an appropriate response strategy has to be designed for each threat.

According to the report by the National Cryptologic Centre (CCN), 73,184 cyber incidents were recorded in Spain in 2020, 70% more than in 2019. In addition, there was an increase in the sophistication and diversification of techniques used by cybercriminals, such as ransomware, phishing and targeted attacks. The goal is to always stay one step ahead of cyber criminals in order to better protect yourself against their possible actions.

The government’s measures

Not all attacks focus on the theft of user data. There is also the possibility of an attack on the state structure. In the face of increasing cyber threats, the government has taken a number of measures to improve the security of its IT systems and raise awareness among its employees. These include the following:

• In November 2020, the government awarded NTT Data Spain a €6.75 million cybersecurity awareness and outreach project. The aim was to train and inform civil servants on cybersecurity risks and best practices.
• In December 2020, the government paid SCC EUR 4.6 million to purchase software from Microsoft. The aim was to improve the security of the Ministry of Defence, one of the most sensitive agencies exposed to possible attacks.

There is no doubt that hiring a external cybersecurity service is an excellent measure to better control any attacks. One only has to look at the official data to see the increase in attacks on the state. Some important facts are reviewed:

• The year 2022 was the worst year ever. There were 2,489 serious attacks, 21% more than in 2021.
• The average number of attacks was 207 cases per month.
• 37% of the attacks were through the use of malware. 12 % were caused by a vulnerability in the system; Both phishing and social engineering accounted for another 12% of cases respectively.
• 12% of the attacks occurred against health institutions.
• 8% occurred against educational institutions.

Data on possible attacks on the Ministry of Defence or the Prime Minister’s office itself are no exception. In 2022, criminals managed to alter the content of the Defence Staff page. It was all an anecdote, but the case was a reinforcement of security policies that is bearing fruit.

Thus, cyber security in the public sector is as essential as in the private sector. Not surprisingly, in March 2023 there were two attacks on the Tax Agency using the phishing. The same happens with the Post Office and with the Social Security at a frequency that is becoming unbearable. Only effective action will result in the full protection of institutions and the security of taxpayers.