Government institutions are failing to practice what they preach when it comes to cyber security, with cyber criminals hacking into seemingly harmless areas of government networks. As a result, criminals are gaining access to entire databases.
In 2010, British home secretary Theresa May described cyber crime as a “new and growing” danger and committed £500m to tackling it. The Government’s published National Security Strategy, categorised it as a tier-one threat, putting it on a par with international terrorism and major accidents.
Both the Stuxnet computer virus, which was created to sabotage Iran’s nuclear programme, and the more recent Duqu virus, which allows users to install programs; view, change, or delete data with full user rights, emphasised the threat to government networks from malicious attacks. As a result, governments are seeking ways to protect their networks. Despite efforts being made, I believe not enough is being done.
By acknowledging the threat posed by cyber criminals, the British Government is helping to raise awareness of IT security. Get Safe Online Week, which is taking place this week, is an annual event to raise awareness of internet safety issues. Despite this, the Government needs to be actively practicing what it preaches and managing its own security effectively.
The security landscape is made up of a variety of different criminals with different goals. Hacktivists are anonymous groups who are intent on making a statement. Cyber terrorists want to weaken the power of a country in any possible way, and there are those intent on stealing any information, with the sole aiming of making money.
Government institutions are aware of this, and are doing well to promote the threat these criminals carry, however, are they listening to their own message?
Despite governments having strategies in place to safeguard their network, with standardised procedures and controls in place, almost all governmental institutions are left alone to solve their own security issues. In order to combat this, I believe simple measures can be put in place.
Most attacks are done via poorly secured web applications, and as a result there are massive pressures to seen to be exhibiting best practice. It’s not good enough for governmental institutions to be simply left to their own devices when it comes to ensuring network security.
Like everyone else, they require guidance when it comes to managing and protecting their network. Audits can identify where lapses lie and offer guidelines for continual improvement, and standardised practices can be assigned with no department left to fend for themselves.
Also, a much better understanding of cyber security threats will lead to a greater allocation of budgeted funds. It’s not a case of being reactive and throwing money at the problem; it’s a collective understanding of what that money is used for.