While the UK’s public sector is on the front line of a global escalation in cyberattacks, the number of breaches leading to service disruption, data loss and additional costs to rebuild and restore systems are unacceptable and unnecessary. A lack of expertise, insufficient procurement rigour and a herd mentality have led to over-reliance on a handful of vendors, ubiquitous infrastructure models and identical security vulnerabilities that are quickly and easily exploited. 

Budgets are adequate. Better, more affordable and secure technologies are mature and proven. As Mark Grindey, CEO, Zeus Cloud, argues, it is the broken tender process that is fundamentally undermining innovation and exposing the public sector to devastating security risk.

Broken Systems

There is no doubt that the UK’s public sector organisations are facing an ever-growing security threat. Alongside public bodies in every developed country, state-sponsored attacks are designed to undermine the delivery of essential services. And the cost to recover from these cyberattacks is devastating, with councils spending millions to recover from ransomware attacks in recent years.

The ever-rising threat level is, however, just one part of the story. While public sector bodies are prime targets due to the level of sensitive data held, the impact of attacking critical infrastructure and the appeal of targeting a high-profile organisation, not every public body is enduring repeated downtime as a result of breaches.

Nor does a single hack automatically affect every part of the organisation, leading to a disruption of vital services for days, even weeks. So, what differentiates those organisations, such as Bexley Council and Bedford Council that have a good cyber security track record, from the rest? And, critically, what is the best way to propagate best practice throughout the public sector to mitigate risk?

Broken Tender Process

The issue is not budget. The public sector may constantly claim a lack of funding but money is not the root cause of inadequate security or inconsistent service delivery. The problem is how that money is spent. Despite attempts to improve the rigour of public sector IT investment, the current tendering process is fuelling misdirected and excessive spend.

In theory, an open tender model should ensure that money is well spent. It should guarantee the service is delivered by the best provider. In reality, the vast majority of contracts are allocated to the same handful of large organisations. Which would be fine, if the services delivered were top quality, highly secure and fairly priced. They are not. The public sector is routinely charged three times as much as the private sector for equivalent IT deployments. Three times as much. 

In addition to this endemic overspending, the reliance on a small number of vendors radically increases the security threat due to the ubiquity of infrastructure models. When the majority of public sector organisations have relocated to the same public cloud hyperscaler and adopted identical security postures, it is inevitable that a breach at one organisation will be rapidly exploited and repeated in others. 

Inadequate Rigour

The current tender process completely lacks rigour. Given the continued security breaches, why are these vendors not being held to account? Why are they still being awarded new contracts? Indeed, why are they winning the business to rebuild and recover the systems damaged by a security breach that occurred on their watch? When other Managed Services Providers and cloud platforms can offer not only better pricing but a far better security track record. Something is clearly going very wrong in public sector procurement.

The public sector is complicit in this overspending: any vendor attempting to come in and charge a lower (fair) amount is automatically discounted from the tender process. Why? There are multiple reasons, not least that the public sector has been ‘trained’ by the IT industry to expect these inflated costs, but there is also a reliance on dedicated Procurement Officers who lack essential sector expertise. Why for example, is every single system used by Leicester City Council located on the same public cloud platform? It should be impossible for a system breach to extend and expand across every single part of the organisation yet by failing to understand basic security principles, the council set itself up for expensive failure. 

The lack of expertise is a serious concern. Continued reliance on large IT vendors has resulted in many public sector organisations becoming dangerously under-skilled. Given the lack of internal knowledge, organisations often turn to incumbent vendors for information to support the tender process, leading inevitably to further price inflation. Furthermore, when a crisis occurs, reliance on a third party, rather than in-house expertise, leads to inevitable delays that exacerbates problems and results in additional cost to repair and restore systems.

Overdue Oversight

The situation is enormously frustrating for IT vendors with the expertise to deliver lower cost, secure systems. The mis-directed spend has left public sector bodies woefully out of date. Not only are security postures frighteningly old fashioned; but there are unacceptable delays in vital service delivery innovations that would transform the citizen experience and provide operational cost savings.

Given the escalating pressures facing all public sector organisations, change is essential. In-house expertise must be rebuilt to ensure sector experts are involved in the procurement process and pricing expectations must be immediately overhauled: avaricious IT vendors will continue to over charge unless challenged. One option is to appoint an outsourced CTO with broad public and private sector expertise, an individual with the knowledge and experience to call out the endemic over charging and sanity check the procurement process.

It is also important to move away from the herd mentality. Would, for example, an on-premise private cloud solution be a better option than a public cloud hyperscaler? What is the cost comparison of adding in-house security expertise rather than relying on a third party – factoring in, of course, the value of fast response if a problem occurs. It is telling that the handful of local authorities with a good security track record have not adopted the same big vendor, public cloud approach but applied rigour to the procurement process to achieve a more secure and cost-effective approach. Others could and should learn from these organisations. 

Conclusion

Good, effective IT systems underpin every aspect of public sector service delivery and, right now, the vast majority are not fit for purpose. It is, therefore, vital to highlight and celebrate the good performers – and challenge those vendors that continue to overcharge and underperform.

Sharing information between organisations, both to support strategic direction and day to day risk mitigation, is vital to propagate best practice. Critically, by pooling knowledge and expertise, the public sector can begin to regain control over what is, today, a broken model. While the public sector continues to flounder with inadequate security and a lack of knowledge, the IT vendors will continue to win. They need to be held to account and that can only happen if public sector organisations come together to demand more and hold the industry to account.

This kind of high-profile breach made headlines globally, and naturally highlights the need for stringent security measures when handling organisational data – especially the type of sensitive genetic information that 23andMe is responsible for. Further, although the hacker appears to have to use a tactic known as credential stuffing to access 23andMe’s customer accounts, it does pose wider questions to organisations, IT managers and security experts about the security measures that are used more generally to keep organisational and consumer data safe from threat actors? With a key question for many organisations today surrounding that of where and how they host their data – especially when you consider 23andMe’s data has reportedly been stored solely on cloud servers? 

Mark Grindey, CEO, Zeus Cloud explains that one way that organisations can mitigate similar risks is by implementing on-premises and hybrid cloud solutions. He covers how these technologies can play a vital role in safeguarding organisational data – such as 23andMe’s important genetic data – and shares insights about the key steps organisations can take to be more secure.  

Achieving direct control of data

In 23andMe’s case, its compromised ‘DNA Relatives’ data holds immense value and is extremely sensitive. This is because it enables individuals to connect with potential relatives based on shared genetic information. However, this kind of valuable data often becomes a target for cybercriminals, who are seeking to exploit it for various purposes: including identity theft, fraud, and other nefarious activities. Therefore, to protect this type of information, organisations need to implement robust security measures that ensure the confidentiality, integrity, and availability of the data. 

On-premises solutions enables part of this protection to take place effectively and involves hosting data and applications within an organisation’s own physical infrastructure. This approach gives organisations direct control over their data and allows them to implement rigorous security protocols. For instance, by keeping genetic data on-site, an organisation like 23andMe is able to secure it behind multiple layers of firewalls and intrusion detection systems, reducing the risk of external breaches. Additionally, access to this data can be restricted to authorised personnel only, minimising the potential for internal data leaks. 

Another school of thought that is worth considering, for many organisations, is to use hybrid cloud solutions. This approach combines the advantages of on-premises and cloud-based services. Organisations can use public or private clouds appropriately to store non-sensitive data while keeping sensitive information – like genetic information in 23andMe’s case – on-premises. This method provides organisations the flexibility to scale resources and accommodate fluctuating user demand, while still maintaining strict data control. When set up and configured correctly – using encrypted connections and robust authentication mechanisms – hybrid cloud solutions ensure that secure data transmission between the on-premises and cloud environments takes place. 

Steps Towards Preventing Data Breaches

While implementing on-premises and hybrid cloud solutions can significantly reduce the risk of data breaches and unauthorised access to data, there are several other crucial steps and techniques that organisations can take and make use of to secure and protect data from breaches. 

Obvious as it may seem to many in the industry, today it is vital to encrypt data during the storage and transmission thereof. This renders compromised data meaningless to unauthorised users, even if threat actors manage to gain access to it. Implementing multi-factor authentication is vital too. It strengthens access controls and adds an extra layer of security. Users trying to access data should, effectively, be required to provide multiple forms of verification, such as passwords, biometrics, or smart cards to access their data genetic data. In 23andMe’s case, while they do offer this approach to their users, perhaps the use thereof should be made to be mandatory given their recent breach?

Aside from this, it is recommended that organisations conduct frequent security audits to identify vulnerabilities and ensure compliance with industry standards and best practices. This involves testing the effectiveness of security protocols and promptly addressing any discrepancies.

Finally, no robust security framework is complete without equipping employees with proper training and awareness about their responsibilities towards securing data and protecting it. Regular security awareness programmes help staff understand their roles and responsibilities in protecting data. 

Even though 23andMe claims that it exceeds industry data protection standards and has achieved three different ISO certifications to demonstrate the strength of its security program, and that it actively routinely monitors and audits its systems, an incident like this, along with the PR and media attention that it has gained, will undoubtedly have caused its team to evaluate all of its security parameters including the further training of its team in order to ensure this doesn’t occur in future.  

Conclusion

23andMe’s recent data breach serves as a wake-up call for organisations handling data, especially sensitive genetic information provided by consumers. This kind of incident will have naturally caused it to reconsider its security policies and approach towards securing organisational and customer data. Today, as other organisations consider their approach towards security and protecting data, many will review where and how their data is stored, managed and accessed. 

This is especially true of banks, telcos, insurance companies and many other kinds of firms. On-premises and hybrid cloud solutions provide powerful and effective options here too. They enable organisations to fortify their security measures and protect against potential data breaches. 

The combination of direct control over data provided, along with tools and tactics like encryption, multi-factor authentication, security audits, and employee training creates a comprehensive defence against unauthorised access of organisational data. All of which the likes of 23andMe, along with many other organisations, will be considering and prioritising as they strive to adopt more robust security measures that ensure the privacy and integrity of organisational, and consumer, data.

Here is a quick round-up of my top eight trend predictions for 2024.

1. Internet of Things (IoT)

According to recent Deloitte research, 86% of surveyed manufacturing executives believe that smart factory initiatives will drive competitiveness over the next five years. I have been and remain similarly bullish on IoT. Not only has HPE been working on digitally connected, Factory of the Future solutions for years now, but I am also confident that it will power many use cases across multiple industries, such as media content network optimization and energy management systems for utilities, and smart point-of-sale terminals in banking.

2. 5G/Wi-Fi 6

Following years of exploration and build-out, the 5G market will continue to gain in real commercial deployments in 2024. However, I don’t see it replacing Wi-Fi 6, which is the latest generation of Wi-Fi.

Instead, these two methods of connectivity will continue to coexist, given that each is advantageous for different use cases. For example, IoT will rely on 5G, whereas Wi-Fi will be the method of choice in enabling secure banking. OEMs across industries need to develop converged solutions that leverage both 5G and Wi-Fi to keep capturing market share.

3. Edge computing

Edge computing has been a core focus area for HPE since 2016, when “Intelligent Edge” was announced as the year’s theme at HPE Discover. In 2018, HPE invested a further $4bn into Intelligent Edge technologies and services. And going into 2024, I am still betting on edge computing.

To make the best decisions, data needs to be captured, processed, stored and—most importantly—analyzed in real-time at the edge. The benefits are numerous, including lower latency, reduced cost, and ultimately, value generation. Delivering automated and managed end-to-end edge compute platforms should be a priority for software innovators and OEMs.

4. Artificial intelligence (AI)

Of course, I had to include the buzzword of 2023: Artificial Intelligence (AI) and its variants, which include generative AI. At HPE Discover Las Vegas earlier in June, HPE CEO Antonio Neri christened 2023 the “Year of AI” and announced a new HPE AI offering—HPE GreenLake for Large Language Models.

I think the runway for AI is still long, evidenced by the fact that countries are just starting to develop and pass legislation on it. Companies need to put new AI regulations on their radar and ensure that they are developing solutions and use cases that are compliant. I also think that the impact of AI will be particularly significant for the healthcare industry in the areas of drug discovery and personalized medicine.

5. Robotics

When paired with AI, robots have tremendous potential to take over mundane work tasks and automate processes. They are especially crucial in tasks that pose risks for humans, such as heavy lifting and foundry work. This is very valuable for industries that face labor shortages and/or fierce competition, such as logistics and manufacturing. Perhaps sensing this opportunity, both Tesla and leading robotics company Agility Robotics have announced plans to mass produce robots in 2024. Robotics is also a use case that can take full advantage of the advances in edge computing and IoT technology.

6. Augmented and virtual reality

The enhanced computing and visualization graphics power that is now available will only improve augmented reality (AR) and virtual reality (VR) offerings in 2024. Consequently, I am expecting more widespread adoption of these technologies across industries. And in manufacturing and healthcare, where AR and VR applications are particularly robust, they will only become more deeply integrated as the year progresses. For example, VR will be used more and more in therapy treatments, for both physical and telehealth scenarios. I love this example from HPE OEM Solutions partner BRAINLAB.

7. Hybrid by design

It’s a fact: the world is hybrid. However, most companies, especially those with legacy operating systems, find themselves in a situation that is hybrid by accident. 2024 will see companies that are hybrid by design rise to the most competitive positions. Being intentional about your mix of on-prem, private cloud, and public cloud infrastructure will ensure you obtain optimal speed and performance for your various workloads at the right cost controls.

8. Blockchain

The first blockchain was launched in 1991 as a project to timestamp digital documents. Since then, it’s been used in a variety of ways, most notably to secure cryptocurrencies. Stepping into 2024, blockchain will continue to mature and integrate itself into new use cases across sectors. The fusion of blockchain with technologies such as AI and IoT is also on the horizon. In fact, we argue that such fusion is necessary for ethical technology because information on a blockchain is fully encrypted and anonymous.

Technologies rarely act in silo, which explains why many of my trend predictions are deeply interconnected. At HPE, we believe that the future will be driven by companies that are edge-centric, cloud-enabled and data-driven. If you are looking to advance your industry solutions or digital transformation, we are here to help and look forward to celebrating your successes.

According to an IDC report released in January 2022, spending on cloud infrastructure, increased to $18.6 billion in the third quarter of 2021, citing a 6.6% year on year. The same report also notes that spending on shared cloud infrastructure reached $13 billion in the same time period. Similarly, a report from Canalys analyzing global cloud services spend, shows that during 2021, spending on cloud services increased by 34% to $53.5 billion. This is being driven by adoption across multiple vertical markets with diverse needs, alongside more workload migration and cloud-native application development driven by digital transformation requirements.

Whilst cloud adoption has grown, there is a significant skills gap which is preventing businesses from recruiting the skills they need to implement and maintain cloud environments at the necessary rate. Whilst the cloud promises many benefits, there is a degree of complexity involved in properly configuring systems, especially in multi-cloud environments. As the cloud becomes increasingly important to organizations, they need to find partners who can help them take full advantage of the benefits it offers. Failing to do so risks them lagging behind their competitors.

Keeping up with changing demand and closing the skills gap

The people that many of these organizations are turning to help them manage their new or expanded cloud environments are found in the channel. Whilst this presents a major revenue boon, it is also putting strain on partners as their teams work to keep up with the incredible demand. It is also the case that, as the market matures, some of the services that underpin cloud migration and maintenance are being commoditized. In combination, partners are seeing their profits squeezed whilst at the same time being affected by the aforementioned skills gap, placing a premium on highly skilled employees who are capable of more complex, and thus higher value, work. This is particularly crucial, as much of today’s cloud adoption is being driven by the development of vertical-specific applications which require greater configuration and integration with existing systems.

As partners look to reduce costs and alleviate the pressures on their business so that they can focus on where they add value, it is driving increased demand for the cloud services that can now be found in the market. From assessing cloud readiness to building a clear plan for cloud migration, optimization, and management, these services are enabling partners to help their customers transition applications and workloads to, from, and within public, private, and hybrid cloud environments and then optimize multi-cloud environments, providing greater IT operational efficiency through process automation.

Creating and integrating cloud environments

One of the chief benefits of leveraging cloud professional and managed services is reliability at speed. Properly configuring public cloud services and integrating multi-cloud environments can be complicated. Getting it right is also critical, as mistakes can stymie expected efficiency gains, slow down business transformation, and perhaps most crucially of all, result in cybersecurity weaknesses. Making use of a non-competing offering of white label IT professional and managed services, that is up to date and just works, means that partners can focus on adding value and delivering aspirational business outcomes for their customers. For example, in some cases partners have been able to optimise their customer’s cloud operations to such an extent that they have been able to keep their headcount the same whilst expanding their operations.

It also helps partners expand their portfolio. As partners adapt to a world in which customers are operating multi-cloud environments, it is not a given that they will have all of the skills in house to migrate to and optimize these environments. As raised above, much of this is also commoditized, so investing in developing these skills is not necessarily going to generate much of a return on investment. Through cloud professional and managed services, partners have the ability to immediately enhance their capabilities and capacity through services, resources and tools that meet their customers’ needs.

How can partners grow their business?

Having achieved reliability at speed and having expanded their portfolio, partners are then in a place to focus on growing their business. With broader and deeper vendor relationships, there is the opportunity to drive greater investment into their business to support certifications and training programs for their employees. Partners can also leverage partial or full vendor funding to drive faster adoption of these professional IT and managed services, helping them get to market even faster. Taken together, partners can quickly begin to open up higher-value customer opportunities and drive new revenue opportunities.

Ensuring long-term value

Flexibility. Adaptability. Scalability. Agility. These are attributes that end customers want for themselves, but they are also attributes partners want to see in their own organizations. At a time when many businesses are orientating themselves to a cloud-first approach, particularly in the small and medium business sector, the pressures on partners to migrate, optimize and manage cloud deployments for their customers is only going to increase. In driving their own business forward, partners should leverage IT professional and managed services that take care of commoditized tasks. As cloud requirements become more complex, not having the right people focusing on the most important tasks at hand does not just lead to higher costs or a breakdown in data availability, it also creates potentially serious security vulnerabilities. In a market where skills are hard to come by, we need everyone to focus on the biggest issues at hand.