"Misguided" public sector security confidence placing organizations at risk

Public sector security practitioner sitting at a desk in a government office
(Image credit: Getty Images)

Public sector IT professionals appear to grossly overestimate their cyber security capabilities, experts have warned. 

John Smith, EMEA CTO at Veracode told ITPro that public sector IT professionals should remain vigilant amid a period of heightened threats, warning that some exhibit a “misguided” confidence over their ability to contend with attacks.

Smith’s comments come in response to a survey from Public Sector Executive (PSE) and Check Point Software which found a significant portion of IT professionals are highly confident about their security capabilities.

The survey from PSE was largely made up of government employees (62%), with many of the remaining respondents employed in the education (24%) and healthcare (18%) sectors. Of these, 56% were in IT leadership roles.

When asked about their organization’s security posture, 47% said they were confident their systems would find a breach, with 21% “very confident” a breach would be detected.

The study also revealed 64% of respondents were at least confident in their organization’s ability to establish if data theft had occurred, with 47% stating they were ‘confident’.

Phishing, malware, and human error were among the most frequently encountered threats among public sector organizations, respondents said. 

Only 35% thought web applications posed a significant risk to their organizations.

Public sector security confidence is misguided

Smith described the confidence exhibited by the respondents and their assessment of the threats they face as “misguided”.

He said the volume and sophistication of threats faced by public sector organizations at present means IT professionals should remain highly vigilant and avoid a culture of overconfidence.

“The public sector still has a lot of security issues to solve, with just under 82% of applications developed by public sector organizations containing at least one security flaw,” he warned.

Public sector security threats are rising

Organizations in the public sector were part of some of the most targeted industries in the first half of 2023, as per Check Point’s mid-year report

The research found government, education, and healthcare organizations were subject to the highest volume of attacks across this period, with some organizations facing 10,000 attacks per day, according to other reports.

The scale of the threat facing these bodies means it is important they foster a rigorous security culture and keep their security systems up to date to reflect the latest attack vectors.

Recent attacks on the British Library, Gloucester City Council, and the Fife NHS board all demonstrate the vulnerability of public bodies.

Matt Aldridge, principal solutions consultant at OpenText Cybersecurity, told ITPro that public sector bodies are particularly at risk of cyber attacks and that he isn’t confident in their ability to repel these threats.


Three essential requirements for flawless data protection whitepaper

(Image credit: Zscaler)

Discover how data context and classification become powerful when paired with full SSL inspection


A key concern for Aldridge is the traditional lack of alignment over emerging threats among public sector organizations, Aldridge warned.

"Public sector organizations are extremely vulnerable to cyber attacks as the private, operational and political data are a tempting target for malicious state and criminal actors alike,” Aldridge said.

“As networks go, the government is disjointed, containing many separate parts that are difficult to manage and secure. The vast attack surface is one factor, but the value in their data is another. For example, the sheer size and scope of the healthcare industry - plus the fact the public sector uses many contractors and outside parties - makes it a difficult task to manage and secure.”

Smith noted that the public sector has made considerable progress in addressing its security weaknesses. However, he emphasized there is still some way to go.

“The public sector has come a long way in strengthening security applications, but there is still more work to be done for government bodies to improve their cyber posture.”

Solomon Klappholz
Staff Writer

Solomon Klappholz is a Staff Writer at ITPro. He has experience writing about the technologies that facilitate industrial manufacturing which led to him developing a particular interest in IT regulation, industrial infrastructure applications, and machine learning.