IT & IT SECURITY
The public sector’s cybersecurity blind spot: Why data exposure is the real threat
By Simon Pamplin, CTO, Certes
Cyber threats to the UK public sector are escalating. From local councils and NHS trusts to education providers and policing bodies, public services are being stretched not just by limited budgets and ageing infrastructure but also by a rising tide of cyberattacks that exploit those weaknesses.

While ransomware and phishing grab the headlines, the biggest long-term risk isn’t necessarily the breach itself. It’s what happens after the breach: when sensitive data is exposed, exfiltrated, and exploited, often without anyone even realising until it’s too late.

We need to reframe the conversation. The public sector’s blind spot is no longer malware; it’s data exposure, and the looming threat of quantum computing will only widen that gap unless urgent action is taken.
The real threat isn’t entry — it’s exposure
Most public sector cyber strategies still focus on keeping attackers out. Firewalls, intrusion detection, and endpoint protection are all necessary, but increasingly insufficient. Threat actors are finding ways in, often via third-party suppliers, misconfigured cloud services, or social engineering attacks that bypass even the best defences.

The truth is, a determined attacker will get in. The critical question is: what happens when they do?

In too many cases, the answer is simple — they help themselves to vast volumes of unprotected, sensitive data. Medical records, housing applications, safeguarding reports, benefits claims — the crown jewels of our digital public services — all sitting on servers without adequate data-layer protection.

This isn’t hypothetical. The NHS ransomware attack in 2022 exposed critical patient data. Several councils have faced data breaches linked to supplier vulnerabilities. The public sector is a goldmine for cybercriminals, and right now, we’re making their job far too easy.
The Quantum clock is ticking
Add to this the quantum computing threat, and the picture becomes even more alarming. Quantum computers, once operational at scale, will be capable of breaking today’s widely used encryption standards. That means encrypted data stolen today can be stored and decrypted in the future — a strategy already being adopted by sophisticated threat actors in what’s known as “harvest now, decrypt later” campaigns.

This delayed detonation threat puts public sector organisations on the frontline. Data that seems safe today because it’s encrypted may be completely exposed in five, ten, or fifteen years. And let’s be clear: councils and NHS trusts hold precisely the kind of long-term, high-sensitivity data that adversaries are targeting.

If the public sector continues to delay action, it is effectively sleepwalking into a quantum-fuelled data breach crisis.
Time to prioritise Data Protection and Risk Mitigation (DPRM)
We need to stop thinking of cybersecurity as an exercise in perimeter control. The real battlefield is data itself. That’s where public sector strategy must evolve with Data Protection and Risk Mitigation (DPRM) at the core.

DPRM is a forward-thinking, data-centric approach that:

● Protects sensitive data comprehensively, not just at rest but in transit and in use
● Implements access controls based on context and risk, not just static permissions
● Reduces the impact of a breach by rendering stolen data inaccessible and unusable
● And crucially, prepares for a quantum future, using quantum-safe encryption standards to protect data beyond today’s threats.
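As an added illustration of the data-layer approach these bullets describe (and of the point in the quantum section that data encrypted only at the perimeter or in transit is what a “harvest now, decrypt later” campaign collects), the following Go program is example code written for this page; it is not Certes’s product and not material from the article. It seals each record with AES-256-GCM before the record reaches storage, binds the ciphertext to its record ID and classification through GCM associated data, and releases plaintext only after a context-based policy check on role, device posture and stated purpose. An exfiltrated copy of the stored form is therefore ciphertext that cannot be opened without the key, and a relabelled or moved ciphertext fails authentication. The record IDs, classifications, roles and the “managed”/“unmanaged” device signal are constructed assumptions; in a real deployment the key would be held in an HSM or KMS rather than generated in memory.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Record is one sensitive record in the clear (constructed sample data).
type Record struct {
	ID      string
	Class   string // classification, e.g. "safeguarding" or "benefits" (assumed labels)
	Payload []byte
}

// SealedRecord is what is stored, backed up or replicated: ciphertext only.
// A copy of this struct is all an intruder would be able to exfiltrate.
type SealedRecord struct {
	ID    string
	Class string
	Nonce []byte
	Data  []byte // AES-256-GCM ciphertext with authentication tag
}

// AccessContext describes who is asking, from what device, and for what purpose.
type AccessContext struct {
	Role    string
	Device  string // "managed" or "unmanaged": hypothetical device-posture signal
	Purpose string
}

// Vault holds the data-encryption key. Assumption: in production the key lives
// in an HSM or KMS; here it is generated in memory for the example.
type Vault struct {
	key []byte // 32 bytes, i.e. AES-256, the symmetric key size recommended against quantum attack
}

func NewVault() (*Vault, error) {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		return nil, err
	}
	return &Vault{key: k}, nil
}

func (v *Vault) aead() (cipher.AEAD, error) {
	block, err := aes.NewCipher(v.key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// associatedData binds a ciphertext to its record ID and classification, so a
// ciphertext copied into another record or relabelled fails authentication.
func associatedData(id, class string) []byte {
	return []byte(id + "|" + class)
}

// Seal encrypts one record at the data layer, before it reaches storage.
func (v *Vault) Seal(r Record) (SealedRecord, error) {
	g, err := v.aead()
	if err != nil {
		return SealedRecord{}, err
	}
	nonce := make([]byte, g.NonceSize()) // fresh random nonce per record
	if _, err := rand.Read(nonce); err != nil {
		return SealedRecord{}, err
	}
	ct := g.Seal(nil, nonce, r.Payload, associatedData(r.ID, r.Class))
	return SealedRecord{ID: r.ID, Class: r.Class, Nonce: nonce, Data: ct}, nil
}

// CheckPolicy is the context-and-risk gate: the same role gets a different answer
// depending on device posture and stated purpose, rather than a static ACL entry.
func CheckPolicy(class string, ctx AccessContext) error {
	if ctx.Device != "managed" {
		return errors.New("denied: sensitive data is not released to unmanaged devices")
	}
	switch class {
	case "safeguarding":
		if ctx.Role != "social_worker" || ctx.Purpose != "case_review" {
			return errors.New("denied: safeguarding data needs social_worker role and case_review purpose")
		}
	case "benefits":
		if ctx.Role != "benefits_officer" {
			return errors.New("denied: benefits data needs benefits_officer role")
		}
	default:
		return errors.New("denied: unclassified data is not released")
	}
	return nil
}

// Open releases plaintext only when policy passes and the ciphertext authenticates
// under this vault's key with its original record ID and classification.
func (v *Vault) Open(s SealedRecord, ctx AccessContext) ([]byte, error) {
	if err := CheckPolicy(s.Class, ctx); err != nil {
		return nil, err
	}
	g, err := v.aead()
	if err != nil {
		return nil, err
	}
	return g.Open(nil, s.Nonce, s.Data, associatedData(s.ID, s.Class))
}

func main() {
	v, _ := NewVault()
	sealed, _ := v.Seal(Record{ID: "SG-001", Class: "safeguarding", Payload: []byte("constructed safeguarding report")})
	fmt.Printf("stored form: %d bytes of ciphertext, nothing in the clear\n", len(sealed.Data))
	good := AccessContext{Role: "social_worker", Device: "managed", Purpose: "case_review"}
	if pt, err := v.Open(sealed, good); err == nil {
		fmt.Println("managed device, case review:", string(pt))
	}
	_, err := v.Open(sealed, AccessContext{Role: "social_worker", Device: "unmanaged", Purpose: "case_review"})
	fmt.Println("unmanaged device:", err)
	stolen, _ := NewVault() // an exfiltrated copy opened without the real key
	_, err = stolen.Open(sealed, good)
	fmt.Println("stolen copy without the key:", err)
}
```

The design choice worth noting is that the policy check sits in front of the decrypt call rather than in front of a database query: a record that has been copied out of the database is still protected, because the key and the policy engine, not the database’s permissions, decide whether plaintext ever exists. The symmetric AES-256 layer is also the part of this picture that a future quantum computer does not break; the public-key exchanges that carry keys and sessions are where quantum-safe standards still need to be introduced.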
Unlike large-scale IT overhauls, DPRM doesn’t require the public sector to rip and replace legacy systems. It’s a layered, complementary strategy that can be introduced across existing infrastructure (cloud or on-prem) and scaled at pace.

This is data protection that adapts to real-world constraints: tight budgets, hybrid working, and fragmented systems. DPRM is about resilience through visibility and control, not complexity and cost.
Budget challenges are no justification for inaction
Yes, public sector budgets are under enormous pressure. But when weighed against the costs of a breach — reputational damage, regulatory fines, service disruption, and legal claims — investing in proactive data protection becomes not just justifiable, but essential.

The reality is that the cost of recovering from a breach is almost always higher than the cost of preventing one. And with GDPR, FOI, and other compliance requirements in force, failing to safeguard citizen data isn’t just risky, it’s unlawful.

DPRM allows organisations to demonstrate accountability, improve audit readiness, and maintain public trust, all while protecting the data that underpins modern service delivery.
This is a leadership moment
The public sector has shown remarkable innovation over the last decade, from open data to digital services, from AI in local government to cloud-first NHS policies. But cybersecurity has to catch up.

It’s time to be bold. Data is the lifeblood of our public services. Failing to protect it is not an option, especially when the solutions are available, proven, and designed to work within existing operational constraints.

Public sector leaders must act now to:

1. Acknowledge the data exposure threat — it’s already happening, and quantum will make it worse
2. Prioritise DPRM as a foundational capability, not a “nice to have”
3. Act now, not later, because the data being stolen today could be your organisation’s future crisis.

Let’s stop patching up the perimeter and start protecting what really matters. Let’s make data protection a pillar of public sector resilience now, and for the quantum-powered future ahead.
GOVERNMENT AND PUBLIC SECTOR JOURNAL SPRING 2025