The public sector must improve its approach to cyber security

This article was first published in Svenska Dagbladet

To address the shortcomings highlighted by the MSB, the public sector needs to increase its ability to resist and respond to cyberattacks, say Anders Herrström and Herman Rask, information and cyber security experts at PA Consulting. 

The public sector's information assets are constantly exposed to state, criminal and ideologically motivated threats. Successful attacks can – in addition to damaging national security – lead to high financial costs and seriously disrupt the core business. The ability to withstand and face attacks must be increased.

The number of businesses affected by malware attacks has risen sharply in recent years. In parallel with the digitalisation of society, security policy developments have contributed to a sharply deteriorating situation. This has extensive and long-lasting consequences for Sweden's overall security policy at state, regional and municipal level.

In a recently published report, the Swedish Civil Contingencies Agency, MSB, has, in a commendable way, clarified the state of the public sector's work on information security. Unfortunately, the results show worrying shortcomings. At the time of the investigation, large parts of the public sector were not working systematically on information security. There were certainly some examples of positive work, but the survey generally shows clear shortcomings in the public sector's way of working on information security. Not least, there were shortcomings in management of business continuity and follow-up.

What is now needed is a change process with a focus on quickly developing a safer and more resilient public sector, which can deliver on its mission over time. The following three points are areas of particular concern.

Choose your IT solution based on the actual conditions
The information to be protected is often central to fulfilling a public mission and the services citizens need. In addition to strengthening resources, management needs to take active responsibility and ownership of the question of what risks are acceptable and how the business's information should be protected. The basis of the protection needed is set by management in their choice of the design of the IT business. Building functioning protection against threats requires access to qualified IT, operations and security resources. This is something that, for example, municipalities with limited IT budgets will not be able to do themselves. In particular, smaller municipalities and authorities should seek solutions in terms of skilled operational and security services, such as cloud services, from large established suppliers. These choices must of course be made within the framework of Swedish and European legislation on the handling of classified information and personal data. In this respect, Swedish authorities and municipalities need to find a common way forward.

Build security from top to bottom
The protection of a business's information must be built from the top down. The same information is likely to be found in several different places in an organisation. If the organisation does not have a common understanding of how important certain information is and how it should be protected, different parts of the organisation will make different assessments of how it should be handled. This creates a suboptimal and likely unnecessarily expensive security business. The work on security must be based on a common assessment of the information needing protection to ensure that the information has well-balanced and equal protection throughout the organisation. The highest level of municipal management should  ensure that everyone in the organisation has the same view of the business, its processes, dependencies and thus which information assets are important and need protecting. The operation and its purpose must be at the heart of the work on cyber safety.

Long-term change management is everything
Functioning information and cyber security measures are a prerequisite for maintaining trust in public administration during ongoing digitalisation. Politicians and officials at various levels must take responsibility for the country and citizens’  information and protect it from theft, corruption or misuse. This cannot be achieved through individual one-off actions. To create a safe business, work on systematic and long-term change is required with a total focus from the centre.

In summary, Swedish public administration needs to make a step change in its information security work to ensure our ability to carry out the activities citizens take for granted. This will not happen by itself – it is high time that information and cybersecurity are taken seriously.