Cyber Threats Facing the Public Sector in 2024
According to the UK Government’s Cyber Security Breaches Survey 2024, UK businesses have experienced approximately 7.78 million cyber-crimes of all types and approximately 116,000 non-phishing cyber-crimes in the last 12 months.
These shocking figures have prompted the Government to encourage all organisations to be much more vigilant about cyber threats and to follow its guidance on strengthening cyber security practices – pertinent advice for almost all organisations, but perhaps especially for the public sector, which may be more likely to be targeted than other sectors. This is due to several factors, including:
- Storing high-value data – the UK public sector holds vast amounts of sensitive information, including personal data, health records, financial information, and national security details. This makes it an attractive target for cyber-criminals, who can exploit this data for financial gain, espionage, or other malicious purposes.
- Providing critical services and infrastructure – many public sector entities, such as the NHS, local councils, and government departments, manage critical infrastructure. Disrupting these services can have widespread consequences, making them prime targets for malicious cyber-attacks like ransomware, where attackers demand payment to restore services.
- Complex IT environments – limited budgets, legacy software, and a hesitancy to install and learn new systems often means that public sector organisations operate on outdated or legacy IT systems that are more vulnerable to cyber-attacks. These systems may lack the necessary security updates or integration with modern cyber security tools, increasing the risk of exploitation.
- Diverse operations – the public sector encompasses a wide range of services, from healthcare to education and local governance. This diversity often leads to varied and unstructured cyber-security practices, along with challenges in implementing consistent security measures across different departments, creating vulnerabilities.
- High visibility – public sector organisations, especially government bodies, are highly visible and often targeted by cyber-criminals simply for the symbolic value of disrupting national services. Successful attacks on public institutions can generate significant media coverage, amplifying the attackers’ impact and bolstering their so-called ‘reputation’ amongst the hacker community.
- Political and ideological motivations – state-sponsored actors and hacktivist groups may target the public sector for political or ideological reasons. These groups may aim to destabilise governments, steal state secrets, or make political statements through cyber-attacks.
- Digital services expansion – the ongoing digital transformation in the public sector, while driven by initiatives to improve efficiency and service delivery, also comes with the added risk of increased attack surface. The adoption of online services, cloud computing, and remote working tools creates new vulnerabilities that cyber-criminals can exploit.
- Third-party risks – the public sector often relies heavily on third-party vendors and contractors for various services, which can introduce additional cyber-security risks. Attackers may exploit weaker security measures in these third parties to gain access to public sector networks.
Managing cyber risks for public sector organisations
The National Cyber Security Centre (NCSC) has consistently highlighted the fact that the UK’s public sector faces a significant threat from cyber-attacks, many being increasingly sophisticated and targeted. Indeed, high-profile incidents like the WannaCry ransomware attack on the NHS in 2017 demonstrate the public sector’s susceptibility to cyber-attacks, with such incidents causing not only operational disruption, but also having long-term impacts on public trust and confidence.
Top cyber security risks for the public sector include:
Ransomware: Ransomware is a type of malware that encrypts an organisation’s data, rendering it inaccessible until a ransom is paid. Public sector organisations, especially those in healthcare and local government, are prime targets due to the critical nature of their services and the potential for significant disruption. To mitigate this risk, it’s important for public sector organisations to view endpoint security and ongoing user education as a high priority.
Phishing and social engineering: Phishing involves tricking individuals into revealing sensitive information, such as log-in credentials or financial details, often through deceptive emails or websites. Social engineering exploits human psychology, manipulating individuals into performing actions or divulging confidential information. Phishing attacks are particularly effective in environments where employees lack comprehensive and regular cyber-security training.
Insider threats: Insider threats arise when employees, contractors, or other trusted individuals misuse their access to systems and data. This can be intentional, such as a disgruntled employee leaking information, or accidental, such as mishandling sensitive data. Insider threats can lead to data breaches, loss of public trust, and financial damage, and it’s important for public sector organisations to control and monitor access via privileged access management (PAM) and privileged identity management (PIM) solutions. Enhancing a PAM solution with PIM ensures that permissions are assigned just in time and for a time-bound duration, so that privileges are not active any longer than necessary. A well-implemented joiners, movers and leavers (JML) process, linked to wider HR and IT access processes, is also crucial to mitigating this risk.
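As an added illustration of the just-in-time, time-bound model described above (example code written for this point, not a Littlefish or vendor implementation), the following Python sketch keeps elevated access inside a capped window and revokes everything a user still holds when the HR leaver event arrives; the four-hour cap, the role name and the timestamps are assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Hypothetical policy cap (an assumption, not a value from the article): the longest
# window a single just-in-time elevation may run before it must be re-requested.
MAX_ELEVATION = timedelta(hours=4)

@dataclass
class Grant:
    user: str
    role: str
    starts: datetime
    expires: datetime
    revoked: bool = False

    def active(self, now: datetime) -> bool:
        # Privilege exists only inside the window and only while not revoked.
        return not self.revoked and self.starts <= now < self.expires

@dataclass
class PrivilegeRegistry:
    """Minimal PIM-style store: time-bound grants plus a leaver hook fed from HR (JML)."""
    grants: list = field(default_factory=list)

    def request_elevation(self, user, role, duration: timedelta, now: datetime) -> Grant:
        # Clamp the requested window so nobody holds elevated access longer than policy allows.
        grant = Grant(user, role, now, now + min(duration, MAX_ELEVATION))
        self.grants.append(grant)
        return grant

    def is_authorised(self, user, role, now: datetime) -> bool:
        return any(g.user == user and g.role == role and g.active(now) for g in self.grants)

    def leaver(self, user, now: datetime) -> int:
        """HR leaver event: revoke every grant the user still holds, active or pending."""
        revoked = 0
        for g in self.grants:
            if g.user == user and not g.revoked and g.expires > now:
                g.revoked = True
                revoked += 1
        return revoked

def scenario() -> dict:
    """One elevation lifecycle over constructed timestamps; returns checks a test can assert on."""
    t0 = datetime(2024, 6, 3, 9, 0, tzinfo=timezone.utc)  # constructed start time
    reg = PrivilegeRegistry()
    g = reg.request_elevation("alice", "db-admin", timedelta(hours=8), t0)  # asks for 8h, gets 4h
    active = reg.is_authorised("alice", "db-admin", t0 + timedelta(hours=1))
    expired = not reg.is_authorised("alice", "db-admin", t0 + timedelta(hours=5))
    revoked = reg.leaver("alice", t0 + timedelta(minutes=30)) == 1
    after_leaver = not reg.is_authorised("alice", "db-admin", t0 + timedelta(hours=1))
    return {"capped": g.expires - g.starts == MAX_ELEVATION, "active_now": active,
            "expired": expired, "leaver_revokes": revoked and after_leaver}
```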
Legacy systems: Many public sector organisations rely on outdated or legacy IT systems that are no longer supported by vendors. These systems often lack the latest security patches and, thus, are more vulnerable to exploitation. End-of-life (EOL) and end-of-service (EOS) applications should be replaced or upgraded to a newer solution with ongoing support, patches, and updates. If this isn’t possible, additional security measures must be put in place, e.g., managing access to the system, isolating EOL systems from other applications, and removing them from the internet.
Supply chain attacks: Supply chain attacks involve targeting less secure elements of supply chains, e.g., third-party vendors or contractors, to gain access to a larger organisation’s systems. This type of attack can bypass direct security measures by exploiting vulnerabilities in connected systems. With public sector IT environments becoming increasingly complex and sophisticated, and with it being common for the public sector to work with multiple third-party suppliers, it’s important that organisations enable strong logging and monitoring capabilities for all systems, software, and endpoint devices, as well as stringent third-party security due diligence.
Distributed denial of service (DDoS) attacks: DDoS attacks involve overwhelming an organisation’s online services with traffic, rendering them unavailable to legitimate users. These attacks can be politically motivated, designed to disrupt public services or even to protest government actions. Mitigating DDoS attacks requires a combination of proactive planning, layered technical defences, and ongoing monitoring; these are all elements of vulnerability management services, which combine technology, strategy, and human expertise.
Can AI and machine learning help?
It would feel remiss these days not to mention the ways AI and machine learning (ML) technologies are helping organisations to improve their defences, detect threats more efficiently, and respond more effectively to cyber incidents – technology with huge potential for the public sector, especially when it comes to being more proactive.
It’s likely that, as cyber threats continue to evolve, the adoption of AI and ML will be increasingly critical in safeguarding the public sector’s digital infrastructure, making an impact on many of the top cyber risks listed above, for example:
Threat detection and response: AI and ML algorithms can analyse vast amounts of data in real time to identify potential threats. Unlike traditional systems that rely on predefined rules, this technology can learn from data and detect anomalies that might indicate a cyber-attack, such as unusual network traffic or irregular user behaviour. Additionally, ML models can create baselines of normal behaviour for users and systems. When deviations occur, such as unauthorised access attempts or unusual data transfers, the system can flag these as potential security incidents. This proactive approach helps in identifying threats that may not be detected by conventional methods.
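To make the baselining idea concrete, here is an added Python example (not code from the article or from any product) that derives a per-user baseline of daily outbound transfer volume from constructed log lines and flags a day that deviates sharply from it; the log format, the median/MAD statistic, the 3.5 threshold and the floor on the spread are assumptions chosen for illustration.

```python
import re
from statistics import median

# Constructed sample history (not real data): one line per user per day from a
# hypothetical outbound-transfer log. Alice varies day to day; Bob is perfectly steady.
LOG_LINES = """
2024-06-03 user=alice bytes_out=120400
2024-06-04 user=alice bytes_out=98200
2024-06-05 user=alice bytes_out=131900
2024-06-06 user=alice bytes_out=110750
2024-06-03 user=bob bytes_out=50000
2024-06-04 user=bob bytes_out=50000
2024-06-05 user=bob bytes_out=50000
2024-06-06 user=bob bytes_out=50000
""".strip().splitlines()

LINE_RE = re.compile(r"^(\S+) user=(\S+) bytes_out=(\d+)$")

def parse(lines):
    """Yield (day, user, bytes) tuples; lines that do not match the format are skipped."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group(1), m.group(2), int(m.group(3))

def build_baselines(records):
    """Per-user median and MAD (median absolute deviation), robust to a few outliers in history."""
    per_user = {}
    for _, user, n in records:
        per_user.setdefault(user, []).append(n)
    baselines = {}
    for user, values in per_user.items():
        med = median(values)
        mad = median(abs(v - med) for v in values)
        baselines[user] = (med, mad)
    return baselines

def score(baselines, user, value, threshold=3.5, mad_floor_ratio=0.05):
    """Return (verdict, robust_z). Verdict is 'normal', 'anomalous' or 'no-baseline'."""
    if user not in baselines:
        return "no-baseline", None  # an account with no history is itself worth a look
    med, mad = baselines[user]
    # 1.4826 scales MAD to a standard deviation for roughly normal data; the floor stops a
    # perfectly steady history (MAD == 0) from flagging every tiny change as anomalous.
    scale = max(1.4826 * mad, mad_floor_ratio * med, 1.0)
    z = (value - med) / scale
    return ("anomalous" if z > threshold else "normal"), round(z, 2)

def check_today(baselines, todays_lines):
    return {user: score(baselines, user, n)[0] for _, user, n in parse(todays_lines)}
```

Only upward deviations are flagged here, since the concern on this page is unusual data leaving the organisation; a drop to zero would need a separate rule.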
Phishing prevention: ML and AI-driven email filtering tools use natural language processing (NLP) and pattern recognition to detect phishing attempts. These systems analyse the content, context, and sender information to identify and block phishing emails before they reach employees. More than this, ML models continuously learn from new phishing attempts, improving their accuracy over time. As attackers evolve their techniques, AI systems adapt to recognise even the most sophisticated phishing schemes.
Automated incident response: Security orchestration, automation, and response (SOAR) platforms may leverage AI to automate the response to detected threats. Once a threat is identified, this tooling can trigger predefined actions, such as isolating affected systems, alerting security teams, and initiating mitigation protocols. By automating responses, the time between detection and action is minimised, reducing the potential damage from cyber incidents. This is particularly valuable in the public sector, where rapid response is critical to maintaining service continuity.
Final word
Remember, for the public sector, having a robust cyber security incident response plan in place is not just about protecting systems and data – it’s about safeguarding public trust, ensuring the delivery of critical services, and complying with legal and regulatory obligations.
A robust contingency plan provides a structured approach to managing cyber incidents, enabling organisations to respond quickly and effectively, and thereby minimising any damage while ensuring a swift recovery.
At Littlefish, for example, we undertake cyber crisis tabletop exercises with our customers, to help them identify different risk scenarios and prepare for them. This activity also allows organisations to evaluate whether the incident response plan currently in place works effectively in the event of a cyber incident.
It might also help organisations to put in place what we call a ‘Critical Hour Framework’ (CHF) – that is, a defined and agreed-upon playbook of actions designed to be undertaken within the first hour of a cyber incident taking place to minimise disruption and contain any threats.
Get in touch to discover more about Littlefish’s cyber services and how we can help protect the public sector by implementing a robust and cost-effective cyber strategy.