In creating a safe, digital environment for citizens and companies, government can embrace leading practices from the private sector, and encourage employees to be more cyber-aware.
David Ferbrache, KPMG in the UK
In many countries, citizens and businesses are using online government services to fill out tax returns, and apply for housing or other welfare benefits. Each year, more and more services are going digital, from vehicle registrations to healthcare.
But what if a criminal or a malicious hacker manages to get hold of personal or company details?
The move to digital services is opening up opportunities for organized gangs to acquire personal and corporate identities, and use this information to steal from the public purse. Any interaction that involves a transfer of money will be on criminals’ radar, like tax, VAT/GST and benefits.
This is a serious and growing threat, so in this blog I outline five recommendations for tightening up government’s digital defenses:
Digital security isn’t just something you can leave to the IT specialists. It affects everyone working in government. In the best examples from the private sector, leaders champion education and awareness of cyber security, and present the risks in real-life terms, so that everyone understands what’s at stake and how it affects their daily jobs.
Take the oil and gas industry, where personal safety has long been paramount. Companies in this sector have tried to make cyber security an equally central part of their culture – alongside safety, and not just a ‘compliance’ issue. Employees are encouraged to think about what kinds of assets are at risk, and how they can prevent attacks and spot threats.
Governments need to adopt a similar mindset and make cyber security part of ‘the way we do things around here.’
Today’s governments are often heavily dependent upon a wide and complex web of service providers and contractors. With so many parties processing confidential information, the chances for leaks or theft are much higher. The best way to counter this challenge is by tightening up procurement. Contracts should embed cyber security. Ideally suppliers should all be certified to an industry standard. Regular monitoring and independent audits can reassure government that standards are being maintained, to avoid weak links in the chain. Most importantly, make sure contracts drive the right behaviors when responding to a cyber security incident ensuring openness, transparency and a willingness to work together when the worst happens.
If governments want to realize the savings and efficiencies from going digital, they need to constantly keep one step ahead of criminals. Gangs are clever and fast; as soon as one route gets blocked they work to find another. Governments have to be even more nimble, to come up with innovative and cost-effective ways to block cyber crime and frustrate the efforts of criminals to cash-out and monetize stolen information. New technologies such as biometrics, analytics and virtualization can play a part – but so can education and awareness.
Unfortunately, many public sector digital crime prevention projects become large, expensive undertakings that don’t always deliver.
It’s definitely worth looking at how the private sector approaches this challenge. Financial services companies, especially banks, often create smaller, less costly ‘incubator’ teams with the freedom to try out offbeat, innovative ideas. They’re accustomed to the digital threat and have a good record of pioneering anti-fraud measures.
Banks also adopt a philosophy known as ‘fast to fail,’ which halts unsuccessful projects quickly, before they consume too much money. By following this example, governments could become more agile, and develop systems that spot threats early and prevent breaches.
Given the success of other industries in combatting cyber crime, government should consider harnessing some of this expertise and experience. Collaboration can bring in fresh, external thinking as well as providing challenge, benchmarking and peer comparisons. We bring our clients together to provide safe spaces for discussion, swapping war stories, and finding inspiration in each other’s experience. The global I-4 conference programme is just one example of our work in this area.
Being prepared to share intelligence on actual and potential attacks also matters. After all, the kind of information floating around the criminal fraternity is often stolen from, and used against a combination of public and private organizations, so it’s in everybody’s interests to work together.
Cyber crime is a growing phenomenon, and people with the skills to combat this threat are in high demand. Today’s governments can’t compete with private sector salaries, so it’s hard to keep hold of the best talent. Workforce planning should assume that specialists may only stay for a few years, and look to create a production line of new, young talent to succeed them.
In future, governments should widen their collaboration with private companies to include talent sharing. Cyber security specialists could rotate roles between the public and private sectors, as part of their natural career development. It wouldn’t just help government; it would also give these individuals a higher personal profile.
When it comes to physical security, we’re all alert to suspicious activity. In future, government employees should all see themselves as on the front line of identifying and responding to cyber crime.
David Ferbrache, OBE was previously Head of Cyber & Space at the UK Ministry of Defence, and has more than 25 years’ experience in technology risk and information security. He can be emailed at: