David Ferbrache, KPMG in the UK

Around the world, the digitization of government is gathering pace, with a host of interactions now carried out online. In some countries, you can vote, pay bills and taxes, and get medical prescriptions – often using a single, digital citizen ID that’s stored centrally.

This hasn’t escaped the attention of criminals that once focused primarily on retail banking and e-commerce. We’re seeing a rise in fraudulent personal and corporate tax and VAT returns and associated rebates, along with bogus welfare claims. 

Data is leaking from both public and private sector organizations, either due to malicious hacking or rogue employees. Globally over 700 million personal data records were compromised in 2015, with the largest single breach exceeding information on 70 million individuals.¹

Cyber criminals are also getting better at ‘social engineering,’ in the form of subtle emails or phone calls from apparently legitimate sources such as banks, financial advisers or even lawyers. In some cases these emails are even sent from the IT systems of those trusted advisers once the cyber criminal has broken into their email system – the so called business email compromise fraud.

These emails either coerce you to release critical information or act as ‘Trojan Horses’ harboring malicious software which will hack into your bank account. And don’t forget, people also post a lot of personal details voluntarily on social media.

Company tax codes, social security numbers, dates of birth and other lifestyle data is then traded within the criminal community, with a complete “Fullz” personal profile often trading for as little as $60.

Governments are embracing cloud to different degrees, using a combination of public and private cloud models. This makes the IT supply chain more complex, by introducing a range of suppliers, any of whom could be susceptible to hacking or employee theft. 

A positive way to counter this threat is to risk-assess these companies’ cyber security (and privacy) capabilities during procurement. It is also worth keeping a weather eye on the shadow IT – where you may find your organization is already signed up to cloud services without any form of central review.

Next comes the need to continually monitor your cloud suppliers, carrying out audits to ensure ongoing compliance. In an increasing number of cases suppliers recognize this requirement and will offer a range of independently assured security certifications giving customers confidence in their ability. Governments may of course implement their own secure private cloud solutions, offering the ability to impose stricter standards and separation, albeit at increased cost and loss of economy of scale.

The ‘bring your own device’ (BYOD) phenomenon impacts all organizations. Government and supplier employees are more frequently using their own smartphones, tablets and laptops for work. 

Management should ideally establish an organization-wide BYOD policy, as well as taking steps to bring mobile devices under management and ensure that sensitive data can only be accessed and processed by secure applications over secure encrypted channels.

All employees should be familiar with the acceptable use rules for BYOD on corporate networks, and these rules should also make clear the rights of management to delete data from personal devices in the event of theft or the owner leaving the organization.

That’s a really interesting question. Shared services, outsourcing and cloud are shifting provision outside of government, and one big challenge is to retain a core of in-house security expertise which ensures government remains an intelligent customer of such services, as well as having ready access to key skills. After all, people skilled in incident management, analytics, detection, monitoring and response services are scarce and in high demand. Many public sector agencies are living with financial constraints, and need to find creative ways to attract and develop cyber security professionals.

On the plus side, outsourcing could actually improve security, as cloud service providers tend to have relatively advanced cyber security, when compared to the legacy systems and outdated software which can be prevalent in many government IT infrastructures.

In my companion blog Five ways for governments to tighten up cyber security, I discuss how governments can offer more secure, digital services to their citizens. This is as much about cultural change as it is about technological solutions, to make employees and suppliers more security-conscious. Certain industries, like Financial Services and Oil & Gas, have been very innovative in this area, so the blog looks at ways to transfer best practice, be more nimble and partner with the private sector, to access the best ideas and people.

Read Five ways for governments to tighten up cyber security

David Ferbrache, OBE was previously Head of Cyber & Space at the UK Ministry of Defence, and has more than 25 years’ experience in technology risk and information security. He can be emailed at:
david.ferbrache@kpmg.co.uk.