The new playbook for public sector cybersecurity

Jason Stevens

In the recent Verizon paper, Decoding a hacker’s playbook in public sector cybersecurity,CTRL Group’s co-founder and chief product officer, Bastien Treptel, joined Innovation publisher Corrie McLeod, to discuss public sector decision makers’ unique cybersecurity challenges. 

“Major banks work on the ethos that harmful agents are already inside their system,” says Mr Treptel, “and they’re monitoring and trying to limit the damage.”

“The renowned ethical hacker warns this isn’t just a private-sector concern; he urges public sector agencies, especially the smaller ones, to acknowledge and act upon it.

Mr Treptel cautions that “despite the prevalence of zero-trust security models, they are still vulnerable to sophisticated reconnaissance tactics”. 

Public security stakeholders are heavily focused on malicious software exploits. This includes the recent WannaCry ransomware incident crippling the UK’s NHS, costing over $100 million and disrupting services. The breach highlighted the government’s unpreparedness and vulnerability to undetected, prolonged cyber-attacks. 

However, Mr Treptel notes the growing importance of human risk factors, mentioning how easy it is to infiltrate council organisations by posing as cleaners or other staff for example: “I do have a police record, yet I’m still in there cleaning.”

From individual hackers to state-sponsored actors, each brings different tactics and objectives, making the cybersecurity landscape complex.  

Their social engineering exploits are becoming more nuanced and sophisticated. Hackers may gather information about targets, such as executives or IT managers, from social media and councils. “Technological systems are vulnerable,” he says, “but so too are the human elements in the organisation.”  

Australian public agencies are working towards updating their technology. They aim to enhance the experience for citizens and employees by improving their computer systems. More than half of their efforts enhance customer service, and the rest make their systems more resilient and reliable. 

While the concept of a zero-trust future in the public sector is gaining traction, Mr Treptel cautions that it’s not a panacea. The human element, often the weakest link, is regularly overlooked. “I’ll often go after company directors at home, infect them, and then take them to work.”

His approach drives the need to extend the security perimeter beyond the office environment, especially as artificial intelligence (AI) escalates to zero-trust battlegrounds. 

AI, he warns, lowers the entry barrier for diverse cyber criminals with a 69 per cent year-on-year increase in attack types like ransomware. 

“People with no development experience can now write a zero-day exploit,” said Mr Treptel. Now, it’s more accessible for attackers to launch sophisticated cyber threats, placing an added burden on cash-strapped agencies. 

AI systems monitor platforms like LinkedIn to target new employees in an organisation when they share that they’ve started a new role. 

Even if funding is tight, public organisations can still protect themselves online by making intelligent choices about where to spend their money.  

In the paper, Mr Treptel notes the uneven distribution of resources: “You have giants like the Department of Foreign Affairs; then there are smaller agencies feeling left out, saying ‘nobody loves us’.”

This shows why each government area needs a cybersecurity approach tailored just for them. And it’s essential to ensure that every bit of spending helps handle the principal risks and goals of the organisation. 

“Hiring in the public sector,” Mr Treptel suggests, “Should be driven by mission, not money.” Other affordable strategies outlined in the paper include continuous education to boost vigilance, proactive updates, and hygiene to maintain defences. 

Mr Treptel also suggests it’s time for a significant change in how we keep public digital information safe. He thinks we should stop using passwords and start using more advanced options like passkeys. 

He also wants to change how we handle online identities, recommending a single, secure digital identity system for everyone, similar to what Norway and India use. 

The future, says Mr Treptel, lies in collaboration, creative thinking, and a shift in how we approach cybersecurity.  

“We need to look beyond traditional defences. Small and medium-sized government agencies can lead in cybersecurity by embracing proven, innovative strategies and industry partnerships.”

Collaboration opens an army of skilled cyber engineers to help map out organisational layouts and spot any weak links or potential entry points for invaders.  

Ultimately, public sector entities must ‘assume nation-state and work backwards.’ This approach fosters a defensive mindset, preparing agencies to effectively counteract even the most sophisticated threats. 

This interview and article were produced by in partnership with Verizon. 

Do you know more? Contact James Riley via Email.

Leave a Comment

Related stories