Avoiding an ‘access all areas’ mentality
Government departments have a duty to make information accessible, yet they are also highly regulated given the sensitive information they handle.
With a variety of unique agencies, and critical data not only changing hands internally, but also via multiple third parties, it’s essential that these important organisations are able to access systems and share relevant data securely.
With the right credentials, a cybercriminal or malicious insider can easily gain access to government intelligence and other sensitive data, making it possible to escalate privileges and move laterally across systems to shut down public communications, critical services, infrastructure and supply chains, putting national security at risk.
Indeed, the potential impacts of a single, successful cyberattack against even one public sector agency can be catastrophic, as we’ve seen in two separate incidents affecting the National Health Service (NHS).
Back in 2017, a ransomware attack involving the WannaCry variant not only resulted in £92 million of losses, but also led to the cancellation of 19,000 NHS medical appointments in the week following the attack. More recently, in August 2022, IT services provider Advanced – an organisation equipping 36 NHS trusts with operationally critical software – was hit by a separate ransomware attack, resulting in outages across NHS systems used for ambulance dispatches, out-of-hours appointment bookings, and emergency prescriptions, among others.
In this sense, cyber-attacks today present the very real possibility of life-or-death situations – something that unfortunately occurred in Germany back in 2020, when a woman died after her treatment was delayed as hackers attacked a hospital’s computers.
This is of course a terrifying reality that simply can’t be allowed to cascade. So, how exactly can government and public-sector entities work to better protect themselves from the threat of cyber-attacks whilst still successfully sharing critical data in a secure manner?
The threat of privileged access
It is vital to recognise that many breaches and cyber-attacks begin with employees.
Verizon's latest Data Breach Investigations Report reveals that human error is a contributing factor in four out of five breaches, with employees continuing to be susceptible to social engineering attacks and privileged access misuse.
The latter can be particularly damaging. Typically defined as ‘administrators’, accounts with privileged access have the power to create, add or remove other user accounts, install software, change system settings, access sensitive databases, and much, much more.
Normally this isn’t a problem. Yet in the wrong hands, these powerful credentials can be abused.
Threats often stem from external adversaries – cybercriminals that aim to acquire privileged account credentials through tactics such as spear phishing campaigns. However, insiders such as disgruntled employees may also go rogue, using their provisioned access to privileged accounts to steal or delete data, or do damage to internal systems.
However, threats from privileged accounts aren’t always driven by malicious intent. Equally, some staff with privileged access credentials may not have been educated on cybersecurity best practices and in turn unknowingly make vital mistakes, putting sensitive data and systems at risk.
Three solutions to improve access protection
To combat these threats, government entities need to avoid the ‘access all areas’ mentality and ensure their employees and third parties can safely access those IT systems they need to do their work, while simultaneously protecting valuable systems and data from attack, all without impeding productivity.
This sounds like a complex task. However, it can be achieved with an effective privileged access management strategy comprising three core components:
1 – Privileged Access Management (PAM)
PAM is an identity security solution that protects organisations from cyberthreats by preventing unauthorised privileged access to key resources. Rather than only requiring users to prove their identity (typically with credentials), PAM adds further security layers that determine which systems and resources each user can reach, and at what privilege level. In other words, PAM ensures users can access only the systems they truly need, with the least amount of privilege, for the least amount of time.
2 – Privileged Process Automation (PPA)
Creating users and managing privileges to make PAM successful can create huge workloads and, in turn, lead to mistakes: either too much access is provisioned to the wrong group, or not enough is provisioned for employees or third parties to work effectively. Here, PPA can be used to automate the management of access rights. When connected to central HR systems, new starters are automatically provisioned with the necessary user accounts and appropriate access rights, and the same HR record can drive changes and removals when someone moves role or leaves.
3 – Privileged Endpoint Management (PEM)
Limiting the number of administrator accounts is vital to reducing an organisation’s exposure to access-related threats. However, all user groups are likely to still require privileged access from time to time, for example to install applications and software. To solve this issue, Privileged Endpoint Management (PEM) lets organisations remove standing administrator rights from users while still enabling IT teams to elevate privileges for specific users in specific instances.
By embracing all three, organisations will be able to provide just the right level of access permissions needed to complete work-related tasks (PAM), reduce burdens on access control teams and eliminate errors with automation (PPA), and remove historically enabled local admin rights while elevating privileges for specific users where necessary (PEM).
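The three components above can be modelled as a single access broker: a role-based entitlement policy with a maximum grant lifetime (PAM: least privilege, least time), an HR feed as the source of truth that provisions and deprovisions identities (PPA), and time-boxed elevation for a specific user on a specific endpoint (PEM). The code below is an added illustration, not software from any vendor or agency named on this page; the roles, systems, privilege names and grant lifetimes in POLICY are constructed for the example.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed entitlement policy (PAM): (role, system, privilege) -> maximum grant lifetime.
# Anything not listed here is denied by default; there is no standing "access all areas" right.
POLICY = {
    ("dba", "patient-db", "read-write"): timedelta(hours=2),
    ("analyst", "patient-db", "read-only"): timedelta(hours=8),
    ("helpdesk", "workstation", "install-software"): timedelta(minutes=30),  # PEM-style elevation
}

@dataclass
class Grant:
    user: str
    system: str
    privilege: str
    expires: datetime

class PrivilegedAccessBroker:
    def __init__(self, hr_roles: dict[str, str]):
        self.hr_roles = dict(hr_roles)  # PPA: HR feed (user -> role) is the source of truth
        self.grants: list[Grant] = []

    def hr_update(self, user: str, role: str | None) -> None:
        """Joiner/mover/leaver event from HR; role=None means the person has left."""
        if role is None:
            self.hr_roles.pop(user, None)  # leaver: every grant becomes invalid (see has_access)
        else:
            self.hr_roles[user] = role

    def request(self, user: str, system: str, privilege: str, now: datetime,
                duration: timedelta | None = None) -> Grant | None:
        role = self.hr_roles.get(user)
        if role is None:
            return None  # unknown identity or leaver: nothing is provisioned
        max_ttl = POLICY.get((role, system, privilege))
        if max_ttl is None:
            return None  # privilege is not part of this role's entitlement
        ttl = min(duration, max_ttl) if duration else max_ttl  # never exceed the policy ceiling
        grant = Grant(user, system, privilege, now + ttl)
        self.grants.append(grant)
        return grant

    def has_access(self, user: str, system: str, privilege: str, now: datetime) -> bool:
        # Prune expired grants and grants belonging to identities HR no longer knows.
        self.grants = [g for g in self.grants if g.expires > now and g.user in self.hr_roles]
        return any(g.user == user and g.system == system and g.privilege == privilege
                   for g in self.grants)
```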
We’re talking about a critical three-pronged privileged access management strategy that can leave organisations well-placed to mitigate both internal and external threats. And with governments increasingly at risk of both malicious attacks and accidental data leaks, enhancing the security posture in this way should become a priority.