Digital governments need to balance strong security with easy access, officials from the National Cyber Security Centre (NCSC), Local Government Association (LGA) and Norfolk County Council explained at the Digital Government conference in London last week.
On a panel session titled "building taller walls", representatives from the trio of public sector organisations argued that this has to be balanced against breaking down the barriers that can restrict the benefits of digital services.
"How you reconcile these things is really very important," said Sarah Pickup, deputy chief executive at the LGA. "What mustn't happen is that security concerns must not compromise the delivery of great, innovative and forward-thinking public services."
She illustrated her point by referring to an unnamed local council, which in its panicked reaction to a breach took down every one of its services, disrupting vital support that its citizens relied on and creating damage that took years to fix.
A better approach would be to prepare for such incidents through simulated attacks that people outside the IT team can attend. These would have the twin benefits of aiding disaster recovery in any future incidents, while also helping their more technical colleagues gain a deeper understanding of the services that they need to secure.
Ian McCormack, technical director of applied risk management at the NCSC, extends this collaborative approach to working with vendors. This recently led the centre to report a Windows vulnerability it had discovered to Microsoft, which resulted in the company taking the unusual step of releasing a security update for Windows customers.
"It's not about how high can we build those walls, it's about how we appropriately manage the risk," said McCormack.
Gaining public trust
Geoff Connell, head of information management and technology at Norfolk County Council and the head of the society for IT practitioners in the public sector (Socitm) added that it is essential for governments to gain the trust of the public if their digital services are to be effective.
"We have a higher moral obligation with the need to protect data, because citizens have no choice but to share much of it with us," Connell said. "And we need to retain trust, because we can't afford non-digital ways of working."
Pickup tries to achieve this by inviting non-technical employees of critical public services to its government cyber security group, and arranging cyber security training sessions targeted at chief executives and other local council leaders.
"What we tend to find is that, it's quite hard to get them in the door, but once they're in, they're really engaged and really understand and go back with a view to how they can address it," she said.
McCormack believes the best way to do achieve is to focus the security strategy on their biggest service concerns.
"They might care about the delivery of service, they might care about something else, and from a security practitioners point of view, it's our responsibility to help that translation between the technical to the things that actually those board members value," he said.
The LGA has applied this approach to its recent stocktake of cyber security arrangements at local councils, which eventually achieved a 100 percent response rate. Pickup learnt that there was a significant need for awareness training at the local government level, but she also observed enough good practices to give her hope for the future.
"In the best case scenario, I think progress will mean that there is a greater understanding and a reduced divide between those that understand and those that don't, because we'll be able to explain it better," she said. "And although the technology behind might be more complex, the presentation of it and how it appears to you will make it easier to navigate.
"The worst case scenario is the opposite, which is that the ability to explain doesn't keep up with the complexity, we can't translate what's behind into something that means something to people, and then the divide broadens, and we put ourselves at greater risk."