The Importance of Cybersecurity Preparedness: 5 lessons learned from previous data breaches

 

---

In this article, our CISO, Paul Jenkins, discusses the 2021-22 breach of the UK’s Electoral Commission’s systems, which he says, “underlines the growing importance of robust cybersecurity measures for public institutions.” It also brings to the forefront several critical issues and lessons, which should be carefully noted – not only by governmental bodies but by any organisation entrusted with sensitive data.  

---

5 Lessons Learned

In this incident, which occurred between August 2021 and October 2022, the data of 40 million voters was compromised.

1. Audits Are Warning Signs, Not Just ‘Checkboxes’: 

The Cyber Essentials audit, which the Commission failed, was not merely a procedural hurdle but a clear indicator of potential vulnerabilities.  

“Ignoring these audits or not taking them seriously jeopardises the integrity and security of the entire system.”

The mention of the failed Cyber Essentials audit by the Commission underscores that audits are not just bureaucratic checkpoints but essential tools that identify potential weaknesses in an organisation’s cybersecurity posture. Neglecting or trivialising audits can have severe repercussions for the overall integrity and security of an organisations information systems. 

Tips: 

• Institutions should treat audits as critical insights into their cybersecurity health. 
• Post-audit, immediate action should be taken to remedy identified vulnerabilities. 

2. Outdated Software and Hardware: 

The revelation about the use of outdated software on staff laptops and unsupported iPhones is alarming.  

“Such outdated systems can easily become the weakest link, making the entire infrastructure vulnerable to attacks.”

Outdated hardware and software pose a significant risk to an organisations most critical systems and potentially exposes their entire network to potential cyber-attacks. Infrastructure that lacks essential security updates and patches makes an attractive target for malicious actors who are seeking weak points in an organisation’s defences. Addressing and modernising outdated systems is critical to maintaining an effective security posture that minimises the risk of a breach. 

Tips: 

• Always maintain a regular update schedule for all hardware and software. 
• Implement a system to phase out unsupported devices and applications promptly. 

3. Delayed Detection Is a Significant Concern: 

The fact that unauthorised access persisted for over a year indicates a lack of effective intrusion detection mechanisms.  

“The longer a malicious entity has undetected access, the more data they can compromise, and the more they can understand the organisation’s internal structures.”

Tips: 

• Invest in advanced intrusion detection systems. 
• Train staff to recognise and report potential signs of breaches. 

Undetected access by malicious actors over an extended period poses a growing threat. Deep infiltration into an organisation’s systems leads to more extensive data breaches as an attacker gains more understanding of an organisations internal structures and systems, and swift detection and remediation are essential to minimise the damage from compromise.

4. Transparency and Responsibility: 

Downplaying the significance of a breach, especially one of this magnitude, is not just a PR risk but also a massive trust risk.  

“Transparency in handling and reporting such incidents is paramount for maintaining public trust.”

Handling data breaches in a transparent and responsible way, particularly in the context of large-scale incidents, is critically important. Downplaying the impact and severity of a breach not only harms an organisation’s reputation but also often irreparably undermines the trust that stakeholders have in its ability to protect their data. 

Tips: 

• Create a crisis management plan that focuses on clear communication with all stakeholders. 
• Always prioritise the privacy and security of the individuals whose data you handle. 

5. Continuous Commitment to Cybersecurity: 

The Commission’s decision not to reapply for Cyber Essentials certification in 2022 certainly raises eyebrows.  

“While certifications are vital, the commitment to cybersecurity should be continuous and not just based on external validations.”

Certification should not be seen as the only indicator of an organisation’s commitment to cyber security, and indeed, the Commission’s decision not to pursue certification may reflect a shift towards a more comprehensive and internally-driven cyber security approach.

It is essential for organisations to strike a balance between internal cyber security practices and external validation and, while certifications can provide a valuable benchmark and help maintain a strong security posture, cybersecurity is an ongoing and dynamic process that should be a constant and integral part of an organisation’s culture and operations. 

Tips: 

• Continuously review and improve cybersecurity measures – irrespective of certifications. 
• Engage with experts and agencies, like the NCSC, for up-to-date insights and strategies. 

Summing it all up 

So, what can we learn from this?

This incident serves as a rallying call to all organisations. As cyber threats evolve, so should our defences.

Adopting a proactive and continuous approach to cybersecurity is not just a necessity; it is an imperative as our world becomes increasingly interconnected.