Page 1: THE PEOPLE’S DEFENCE… · Adding security drills to routine operations, in much the same way that fire drills are carried out today, can help heighten employee awareness. Simulated

Why people are at the heart of protecting citizen data

THE PEOPLE’S DEFENCE


Nearly every organisation, in every sector, is at risk of being attacked by cybercriminals. The public sector is no exception. And the attacks it faces are becoming more numerous, more ingenious and potentially more dangerous. Making progress to a world of deeper and richer digital interactions between citizens and government should be a priority for public sector agencies. Success depends, mostly, on citizens trusting agencies. And the security of their data is the foundation for building trust.

2 THE PEOPLE’S DEFENCE www.accenture.com/peoplesdefence


The impacts can be devastating, with attackers able to gain access not only to sensitive data but, in some cases, to system controls and critical infrastructure.

Unfortunately, there’s no single solution or technology that can mitigate all these threats. That’s the bad news. The good news? The right combination of technology, processes and people can considerably strengthen defences and counteract many of the risks to create real resilience. But to succeed, every one of those elements has to be working together at the top of their game.

Focus on people

Interestingly, the area that is most often and easily overlooked is people. But it’s imperative to focus on the human aspect of security. In 2018, companies saw the costs related to malware and malicious insiders increase by an average of 13% globally, accounting for one-third of all cyberattack costs.1 Accenture research2 shows that public service employees have the potential to derail even the most technically hardened defences.

Encouragingly, public sector employees appreciate the importance of keeping citizens’ data secure, with more than 85% describing it as very important to them. An even higher proportion, nearly 90%, say their organisations’ cybersecurity measures are sufficient to protect citizen data. But Accenture also found a disconnect between the high degree of reliance that employees place on their organisation’s security measures and the extent to which individuals take personal responsibility for their own role and contribution.

On average, less than half said they felt completely responsible for keeping citizen data secure yet a similar number strongly agreed that cybersecurity was embedded throughout their agency’s culture. What’s more, Accenture research shows that only 16% of Chief Information Security Officers (CISOs) globally recognise that individual employees are also responsible for cybersecurity.3 These findings highlight the potential for ‘moral hazard*’. Essentially, if employees believe that they are fully protected by the technology that guards against data breaches, they will become less vigilant and exhibit riskier behaviour, assuming that they are already covered.

Government agencies are primarily relying on passwords, training and technology to secure citizen data. And of course, those are all important. But they’re necessary, not sufficient. The most sophisticated technology can be bypassed or rendered ineffective if the people using it are not behaving in the right way and assuming real accountability for keeping their organisation’s data safe. So while systems and processes need to evolve in line with a constantly morphing threat landscape, people must change what they do and how they behave, too. The welcome news is that nearly 90% of public servants said they wanted to be involved in keeping citizen data secure. So how can agencies act on that positive attitude and help employees stay responsible and vigilant?

*What is moral hazard?

The concept of moral hazard originates from the insurance industry. It describes how, when insurance is in place and risk is shared or pooled, individuals’ or groups’ behaviour can become less risk-averse as they believe the consequences will be borne by others.4

For public sector organisations, threats to data, citizens and government are real and arising from many different actors – ranging from the hacker operating alone to highly organised and well-funded state-sponsored attackers.


Steps to resilience: how to make people a key part of the security mix

Every chain, no matter how strong across most of its links, will only ever be as robust as its weakest point. And the findings of our research show that organisations’ culture and workforce could be a key vulnerability. To address that potential weakness, government agencies should look right across the chain to link technology, processes and people.

In short, they should build resilience from the inside-out. Leading CISOs across all industries agree. While three quarters say that they operate security as a centralised function today, a similar percentage agree that security staff and activities need to be decentralised throughout the organisation to truly permeate cybersecurity.5

They should develop a holistic strategy that pulls together all the separate elements of their security posture to minimise and respond to breaches. Rather than thinking about building a strong perimeter, what’s recommended is a more layered approach. For example, if a perpetrator gets through one line of defence, they’ll hopefully get stopped at the next or the next. To do that organisations should:

• Develop a safety culture across the workforce

• Adapt to changing threats

• Engage the power of Human+ workers

• Operate (and secure) beyond boundaries

Agencies should champion cultural and pragmatic behavioural change to strengthen resilience, maximise the efficiency of their technology safeguards, and ensure that people don’t become the weakest link.


Develop a safety culture across the workforce

Achieving that requires a fundamental cultural shift and education. And in some agencies, there’s clearly some way to go: a quarter of public servants surveyed are still writing down their usernames and passwords, and keeping those notes close to their computer. Accenture also found that employees at organisations that did not provide cybersecurity training programs were less likely to feel involved in keeping citizen data secure. And while most employees agreed that their agencies had a cybersecurity recovery plan in place, a significantly lower proportion said that they were aware of what to do in the event of a disaster or emergency.

When trying to embed security across the organisation, it’s important to recognise that not every role has the same exposure to security challenges or deals with sensitive data that might be attractive to would-be intruders. Developing a security curriculum that’s tailored to specific roles and key persona is therefore essential. Employees at agencies that do not provide cybersecurity training programs are less likely to feel involved in keeping citizen data secure, with 65% at those agencies saying they feel involved compared to 92% of employees at agencies that have training in place.

It’s also important to try new techniques. For example, gamification is a great idea that is proving really successful at Accenture in helping to engage people in reality-based training. And all activities have to be tightly integrated with a threat intelligence service that can help adjust communications, training and policies to stay current with emerging threats that are changing all the time.

Raising behavioural awareness is essential. People tend to believe the best in others, and that most are trying to do the right thing. Generally, employees are aware of but not highly concerned about security breaches. Just 17%, on average, said they were very worried about breaches, compared with nearly 50% who said they were either not very or not at all concerned. And while no-one should try to create an environment that’s suspicious by default, healthy scepticism is important to raise awareness of risk. Adding security drills to routine operations, in much the same way that fire drills are carried out today, can help heighten employee awareness. Simulated social engineering and phishing attacks can also highlight to employees how easy it is to make a mistake. They give employees a first-hand experience of what it feels like to be taken in, and that will likely drive home lessons more effectively than other, more familiar, forms of learning.

Creating the right incentives could be important, too. Rewards for adopting the right cybersecurity behaviours can be a powerful lever—but it’s something that only about 41% of organisations do today.6

Robust policies and procedures are important. But they’re only the first step. They have to become part of business as usual, embedded and ingrained in how everyone operates, every day.


Adapt to changing threats

As public sector agencies adapt to a constantly changing environment, they should think carefully about agility and flexibility to stay ahead of change. As they incorporate new technologies to take advantage of opportunities to connect with citizens and deliver new experiences, they also need to think through how those changes make their organisation more vulnerable.

Reviewing, validating and updating security strategies has to focus on what’s important for the agency to protect, but should also consider what might be of value to a potential adversary. They’re often not the same thing. As agencies determine what their most valuable data assets are and prioritise their defences accordingly, they also need to take care not to miss what threat actors, both state and private, may find attractive targets.

Creating a resilient organisation is not a ‘one and done’ exercise. It’s a process of constant adaptation.


Engage the power of Human+ workers

Advanced technologies are certainly important to protect against increasingly sophisticated attackers – and there’s an overwhelming consensus that they are essential for a secure future.7

But to be even more effective, technology has to be put to work to augment people’s skills, empowering them to operate and respond in new ways and achieve more than they can alone. What Accenture calls the ‘Human+ worker’8 is able to operate alongside smart technologies, harnessing and acting on the insights that only Artificial Intelligence (AI) and advanced analytics can provide.

By analysing patterns of human behaviour, AI can detect threats that would otherwise be almost impossible to spot. User and Entity Behavioural Analytics (UEBA) solutions look at thousands of data points from across internal systems against known patterns of normal and abnormal behaviour to detect a threat in real time.9 For example, a series of emails sent to an unusual address, at unusual times for the user, may coincide with a series of financial transactions to an unknown account, which together could flag potential money laundering conducted via a cyber-attack gaining access to a user’s account.

The real power of solutions like these comes from their integration with human abilities in a seamless interface between humans, machines and systems. There are aspects of cybersecurity that can be completely automated and executed by AI. Other tasks, for example some vetting processes, rely almost completely on human abilities and insights. But there are plenty more that are best addressed by machines and people working together, creating the layers of resilience that can minimise the chances of intruders penetrating far into an organisation.
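The UEBA scenario described above (an email to an unseen address at an unusual hour coinciding with a payment to an unknown account) as a small, added correlation example; this is illustrative code, not part of the paper or of any Accenture product, and the email and payment logs, the user name, the account identifiers and the one-hour window are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logs for one user; events before BASELINE_END define "normal".
BASELINE_END = datetime(2019, 3, 15)
EMAIL_LOG = [  # (user, ISO timestamp, recipient)
    ("alice", "2019-03-04T09:12:00", "bob@agency.example"),
    ("alice", "2019-03-05T10:30:00", "carol@agency.example"),
    ("alice", "2019-03-11T14:45:00", "bob@agency.example"),
    ("alice", "2019-03-18T10:05:00", "vendor@supplier.example"),  # new address, usual hour, no payment
    ("alice", "2019-03-19T02:10:00", "bob@agency.example"),        # odd hour, but a known address
    ("alice", "2019-03-20T02:41:00", "drop@unknown.example"),      # new address AND odd hour
]
PAYMENT_LOG = [  # (user, ISO timestamp, destination account, amount)
    ("alice", "2019-03-04T10:05:00", "ACC-KNOWN-1", 1200.0),
    ("alice", "2019-03-12T11:20:00", "ACC-KNOWN-2", 640.0),
    ("alice", "2019-03-19T02:30:00", "ACC-KNOWN-1", 300.0),
    ("alice", "2019-03-20T02:55:00", "ACC-NEW-77", 9800.0),       # unknown payee, 14 min after the odd email
]

def parse(ts):
    return datetime.fromisoformat(ts)

def build_baseline(email_log, payment_log, baseline_end):
    """Learn, per user, the recipients, send hours and payee accounts seen in the baseline period."""
    recipients, hours, accounts = defaultdict(set), defaultdict(set), defaultdict(set)
    for user, ts, rcpt in email_log:
        t = parse(ts)
        if t < baseline_end:
            recipients[user].add(rcpt)
            hours[user].add(t.hour)
    for user, ts, acct, _ in payment_log:
        if parse(ts) < baseline_end:
            accounts[user].add(acct)
    return recipients, hours, accounts

def find_alerts(email_log, payment_log, baseline_end, window=timedelta(hours=1)):
    """Alert only when three weak signals line up: unseen recipient, unseen hour, unseen payee within the window."""
    recipients, hours, accounts = build_baseline(email_log, payment_log, baseline_end)
    alerts = []
    for user, ts, rcpt in email_log:
        t = parse(ts)
        if t < baseline_end:
            continue  # baseline events are not scored against themselves
        if rcpt in recipients[user] or t.hour in hours[user]:
            continue  # either signal on its own is too noisy to act on
        for puser, pts, acct, amount in payment_log:
            if puser == user and acct not in accounts[user] and abs(parse(pts) - t) <= window:
                alerts.append({"user": user, "email_to": rcpt, "email_at": ts,
                               "account": acct, "amount": amount, "paid_at": pts})
    return alerts

if __name__ == "__main__":
    for alert in find_alerts(EMAIL_LOG, PAYMENT_LOG, BASELINE_END):
        print(alert)
```

Only the 20 March pair is raised; the new supplier address during normal hours and the late-night mail to a known colleague are each a single weak signal and stay quiet, which is the point of correlating rather than alerting on any one anomaly.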


Operate (and secure) beyond boundaries

Few, if any, organisations in today’s world operate as standalone entities, and 84% of executives say the amount of sensitive or confidential data exchanged with ecosystem partners will increase or significantly increase in the next three years.10

For the public sector, building an ecosystem of partners is essential to deliver to the fast-changing needs of citizens. Making those ecosystems as secure as possible is a responsibility that extends to every partner. But nearly half of those relationships are inadequately protected. Close to 45% of companies say they rely on third parties’ protocols or simply trust them to protect information that they share.11

Ensuring truly robust public services means building an ecosystem of partners with a focus on collaboration, learning and the development of trust. Only then can organisations tap into the latest technology, training and techniques to enhance their cyber resilience at speed and scale.


For more information

Chris McNally Managing Director Accenture Health & Public Service Security Australia & New Zealand [email protected]

Joseph Failla Managing Director Accenture Security Lead Australia & New Zealand [email protected]

Angelo Friggieri Director Accenture Federal Public Service Security Australia & New Zealand [email protected]

Brian Lee-Archer Managing Director Accenture Government and Health Industry Australia & New Zealand [email protected]


References

1. https://www.accenture.com/us-en/insights/security/cost-cybercrime-study

2. To take a closer look at the cybersecurity perceptions, attitudes and behaviour of public sector employees, we surveyed nearly 2,000 local and federal government employees in the UK, US, Canada and Australia between November and December 2018.

3. https://www.accenture.com/us-en/insights/security/securing-future-enterprise-today

4. Moral Hazard in the Insurance Industry, van Wolferen J, Inbar Y and Zeelenberg M, 2013, Netspar, Tilburg (NL), https://www.researchgate.net/publication/235988864_Moral_hazard_in_the_insurance_industry

5. https://www.accenture.com/us-en/insights/security/securing-future-enterprise-today

6. https://www.accenture.com/us-en/insights/security/cost-cybercrime-study

7. https://www.accenture.com/us-en/insights/security/2018-state-of-cyber-resilience-index

8. https://www.accenture.com/us-en/insights/technology/future-of-work

9. https://digitalguardian.com/blog/what-user-and-entity-behavior-analytics-definition-ueba-benefits-how-it-works-and-more

10. https://www.accenture.com/us-en/insights/security/securing-future-enterprise-today

11. https://www.accenture.com/us-en/insights/security/securing-future-enterprise-today


About Accenture

Accenture is a leading global professional services company, providing a broad range of services and solutions in strategy, consulting, digital, technology and operations. Combining unmatched experience and specialized skills across more than 40 industries and all business functions—underpinned by the world’s largest delivery network—Accenture works at the intersection of business and technology to help clients improve their performance and create sustainable value for their stakeholders. With 482,000 people serving clients in more than 120 countries, Accenture drives innovation to improve the way the world works and lives. Visit us at www.accenture.com.

Copyright © 2019 Accenture All rights reserved.

Accenture and its logo are trademarks of Accenture. 190796

About Accenture Security

Accenture Security helps organisations build resilience from the inside out, so they can confidently focus on innovation and growth. Leveraging its global network of cybersecurity labs, deep industry understanding across client value chains and services that span the security lifecycle, Accenture helps organisations protect their valuable assets, end-to-end. With services that include strategy and risk management, cyber defense, digital identity, application security and managed security, Accenture enables businesses around the world to defend against known sophisticated threats, and the unknown. Follow us @AccentureSecure on Twitter or visit us at www.accenture.com/security.

Accenture, the Accenture logo, and other trademarks, service marks, and designs are registered or unregistered trademarks of Accenture and its subsidiaries in the United States and in foreign countries. All trademarks are properties of their respective owners. All materials are intended for the original recipient only. The reproduction and distribution of this material is forbidden without express written permission from Accenture. The opinions, statements, and assessments in this report are solely those of the individual author(s) and do not constitute legal advice, nor do they necessarily reflect the views of Accenture, its subsidiaries, or affiliates.