The cyber-attack on the Irish Health Service Executive (HSE) in 2021 brought cybersecurity into sharp focus, particularly for public service bodies (PSBs). If the likelihood of a cyber incident of this nature and impact had seemed remote to many within the public sector before the attack, they were now fully aware of their vulnerability. The introduction of the Public Sector Cyber Security Baseline Standards could not have come at a better time for Irish PSBs, many of which are reviewing their cybersecurity programmes in the wake of the HSE cyber-attack. The Standards, published by the Department of the Environment, Climate and Communications, were developed by the National Cyber Security Centre (NCSC), and compliance with them is mandatory across all PSBs. This article offers organisations that have not yet begun to prepare for the Standards some tips on how to approach implementation.
Overview of the Public Sector Cyber Security Baseline Standards
The development of the Cyber Security Baseline Standards was a commitment set out in the National Cyber Security Strategy. As already mentioned, implementation of the Standards is mandatory and is being phased in across all levels of PSBs. The Standards were developed by a cross-government and agency steering group and are closely aligned to the NIST Cybersecurity Framework.
The Baseline Standards set out a framework to guide organisations through cyber risk management, covering five themes:
- Identify – identifying risks and vulnerabilities in the organisation, in the context of the environment it operates in. This means identifying the organisation's assets, alongside the policies, procedures and governance structures in place to protect them.
- Protect – ensuring that proportionate and adequate protections are in place across the ICT environment.
- Detect – implementing detection activities so that cyber incidents are identified early.
- Respond – managing incidents when they do happen.
- Recover – restoring services and maintaining business resilience following an attack.
Implementing the Baseline Standards does not necessarily mean enormous investment in state-of-the-art technology. Each area of the framework should be implemented in a way that is proportionate to the level of risk inherent in the operations of the PSB. Many of the controls that should be implemented are relatively low-cost and high-impact: staff training and awareness, policy management, development of a cyber incident response plan and disaster recovery planning all contribute to significantly lowering an organisation's risk profile. Indeed, many of these controls could have reduced the impact of the HSE cyber-attack.
A real example of how the Standards can mitigate the risk of a cyber-attack in the public sector
The PwC report commissioned as a post-incident review highlighted that malware (malicious software) entered the IT environment via a phishing email containing a file that was opened by the recipient. Training on information and cybersecurity can help staff to recognise phishing emails. A lack of preparedness meant the HSE's response was slow to begin with, and the Defence Forces and the NCSC were initially drafted in to provide some structure to the response; a third-party incident response organisation was then engaged to support the effort. A well-planned and practised incident response plan is a key control that can limit the impact of a major incident, and it is a requirement of the Standards. Complementing this, a disaster recovery plan is extremely important in limiting downtime and reinstating operations as quickly as possible. Of course, depending on the size of the PSB and the level of risk associated with its operations, there may be a case for investment in the IT environment, and working through the Standards will help to focus where valuable resources should be targeted for maximum impact.
How to approach implementation of the Standards
Trilateral Research recommends that PSBs begin to take action now to assess their maturity against the Standards, in order to plan and implement measures to address any gaps. If the task is beyond the capacity or resources of the organisation, Trilateral Research, with its extensive expertise in public sector cybersecurity and data protection compliance, can assist by conducting a gap analysis against the framework and providing practical solutions such as:
- review and update of key policies and procedures;
- cybersecurity training for staff and board members;
- creation and management of information and systems asset register;
- recommendations on appropriate protective and monitoring solutions for your environment;
- drafting and practice of a cyber incident response plan; and
- disaster recovery planning.
Trilateral's own cybersecurity specialist, Alan Mac Kenna, who recently presented on the Irish National Cyber Security Strategy at the Cyber Security Conference 2022 in Dublin, noted that "while adequate funding is an ongoing challenge for public sector bodies in meeting the requirements set by the baseline security standards, there are often immediate actions organisations can take to lower their risk profile. Identifying current gaps, addressing urgent actions and planning for maturing cybersecurity posture over time are essential first steps. As we've seen from the HSE cyber-attack, the cost of under-preparing can eclipse the investment needed to address these challenges. The Cyber Security Baseline Standards are an excellent tool to help PSBs to prepare for the inevitable."
Trilateral's Data Protection and Cyber Risk Team includes data protection and information security specialists who can help assess your organisation's security posture against the Public Sector Cyber Security Baseline Standards and develop a plan to lower your organisation's risk profile. Contact our advisors today.