
Under cyber attack!

Ask the thousands of residents of Oklahoma State who discovered their social security numbers had been freely available on the web for three years, thanks to a leak at the Oklahoma Department of Corrections website. Effective and efficient controls must be put in place, both to ensure public confidence and to minimize the risks to our personal privacy, our financial systems, and even our national defence.

Many of these newer data security processes are already common to top global banks, insurers, telecommunication companies and retailers – and of course, most public sector managers understand the risks of inadequately protecting critical data, and want to do the right thing. However, the public sector must cope with additional constraints such as tighter budgeting and an inherent duty to be open, transparent and accountable – and therefore to put more information online rather than less. The challenge is to balance a necessary degree of openness with a heightened level of security and privacy.

A good example of this heightened risk can be witnessed across the NHS, which is under constant pressure to increase efficiencies by placing more patients' medical information online. It's understandable if the UK public isn't entirely happy with this trend, as the Information Commissioner's Office (ICO) recently revealed that the NHS was responsible for more serious data breaches (287) than any other UK organisation since 2007.

Key to reducing this risk is updating both the technology and the mindset inside public sector organisations. A lack of awareness is causing IT managers to rely solely upon traditional technologies such as network firewalls and anti-virus tools without realising that cybercriminals and rogue insiders are using entirely new techniques that can easily bypass such perimeter defences.

It's also vital to distinguish between security breaches caused by accidental data loss and those caused by malicious attacks. The personal data of those citizens of Oklahoma wasn't exposed as a result of a careless civil servant leaving a USB key or laptop in a bar – it happened because of poor coding on the state's public-facing website and a lack of enterprise controls, coupled with an ignorance of the risks from organised cyber-criminals who use automated tools (such as Google) to easily find such vulnerabilities, anywhere in the world. Of course, common-sense controls such as encrypting all removable media with sensitive data should be mandated, but such losses are rarely linked to tangible damages.

In contrast, the threat of targeted attacks against high-value databases has already cost the private sector billions. A similar loss of public data would directly affect the lives of millions of citizens, with a thriving black market already hungry for sensitive personal information and foreign governments constantly enhancing their cyber-espionage programs.

If an investment broker in Montana can be breached by a remote gang of Latvian cybercriminals who stole nearly 200,000 consumer records from the broker's web server, similar gangs can breach softer targets in the UK public sector. Like most compromised organisations, the firm hadn't even detected its breach until after it was emailed for extortion. Similarly, the World Bank took an entire year to discover that it had suffered six major cyber-assaults on up to 40 servers in 2008, including the theft of passwords for its strategic SAP database systems. To intruders, this clearing-house for financial data from both governments and businesses proved an irresistible silo of exploitable financial and personal data, including information on project bid awards, private meeting minutes and, crucially, the central bank's market-influencing positions on currency, stocks and bonds.

Simply put, it's no longer acceptable for public sector security professionals to protect their perimeters like some high-tech Maginot Line and simply hope cyber attacks won't happen. In reality, the chances are they will happen in time – and simply passing your IT compliance audits with 'ticks in boxes' does not necessarily mean you're secure (as many breached organisations have found, much to their dismay). New non-disruptive technologies, such as real-time database activity monitoring and application-layer monitoring, can dramatically increase security and privacy today without disrupting existing processes or the need for increased government transparency and accountability.

Philippe Neray is vice president of Security Strategy for data security specialist Guardium, an IBM company.

Source: The Guardian ↗
