Cybersecurity is a shared responsibility: Lessons for public institutions in a digital era

Friday, 8 May 2026 02:40



The recent cyber incident involving Sri Lanka’s Treasury offers a timely moment to reflect on how cybersecurity is approached within Government institutions. While investigations are ongoing and facts continue to emerge, the episode offers something more valuable than outrage or blame. It brings into focus the need to pay closer attention to cybersecurity frameworks and to give greater priority to information governance in public institutions. Around the world, Governments have learned, often the hard way, that cybersecurity is not a purely technical problem that can be delegated to a single department or individual. It is a shared responsibility that needs to be embedded in human behaviour, institutional culture, and governance and decision-making systems. This article sheds light on cybersecurity threats faced by public institutions globally, the academic and institutional research on this challenge, and the international best practices to mitigate these growing vulnerabilities.



What is cybersecurity, and why are governments prime targets?

Cybersecurity, in its broadest definition, is the practice of protecting digital systems, networks, communications, and data from unauthorised access, manipulation, theft, or disruption. Government institutions have become increasingly attractive targets within the cybercriminal ecosystem because of the nature of their activities. They manage, among other things, vast financial flows, maintain sensitive citizen data, operate critical infrastructure, and handle national defence mechanisms. In developing countries like Sri Lanka, these operations are often conducted through communication channels that have not kept pace with the sophistication of those who seek to exploit them. They operate complex systems built up over decades, frequently combining modern digital platforms with legacy technology that is difficult to replace overnight. Attackers target public institutions not because they are uniquely careless, but because they bring together high-value information, procedural complexity, and human decision-making at scale. When the integrity and security of Government institutions’ procedures and systems are compromised, the consequences are serious. This can adversely affect the continuity of essential services, public confidence in institutions, and, increasingly, as the Sri Lanka case demonstrates, the reliability of sovereign financial obligations.

According to the World Economic Forum’s Global Cybersecurity Outlook 2025, 72 percent of organisations reported an increase in cybersecurity risks, with the public sector disproportionately affected. Thirty-eight percent of public sector respondents reported insufficient cyber resilience, compared with just ten percent of medium-to-large private sector organisations. A common pattern visible across these incidents is that they do not rely on cutting-edge malware or dramatic acts of cyber sabotage. Instead, cybercriminals targeting public institutions often succeed by exploiting trust: trust in familiar email addresses, established workflows, and routine procedures that, over time, become easy to overlook. The following discussion identifies the most common cybersecurity threats faced by Government institutions.



Business email compromise: The quiet threat behind big losses

Business Email Compromise (BEC) is not limited to businesses; Government institutions are frequent targets as well. In these attacks, criminals impersonate trusted officials or gain access to genuine email accounts, then use that access to request urgent payments, alter bank details, or extract sensitive information. Research shows that attackers study their targets carefully, examining organisational hierarchies, payment processes, and existing business relationships. They then either gain access to legitimate email accounts or create convincing imitations, intercepting or initiating communications at precisely the moment a large financial transaction is being processed. In this way, cybercriminals can send instructions that appear authentic because they have been deliberately designed to do so. What makes BEC particularly dangerous is that it often bypasses technical controls. There may be no malicious attachments, suspicious links, or obvious warning signs. 

Analysis by IBM and the UK’s National Cyber Security Centre identifies BEC as a top-tier risk due to its reliance on targeted deception rather than technical vulnerabilities. FBI Internet Crime Complaint Center data shows that BEC caused more than USD 5 billion in reported losses globally in 2021 and 2022 alone. In 2019, a local Government in Florida lost nearly USD 700,000 after officials received emails that appeared to come from a trusted construction contractor. The emails contained modified payment instructions that went unnoticed until the funds had already been transferred.



Phishing and social engineering: Attacks that target people, not systems

Closely related to BEC are phishing and, more broadly, social engineering. A phishing email is a form of cyberattack that uses deceptive messages, often disguised as communications from trusted institutions, to persuade recipients to click malicious links, download malware, or reveal sensitive information such as login credentials or financial data. These attacks rely on psychological triggers such as urgency, authority, fear, or helpfulness. Social engineering refers more broadly to the manipulation of individuals to obtain information needed to compromise systems. Attackers may pose as senior officials, IT support staff, or foreign partners, using carefully timed messages to prompt quick responses. Government institutions can be particularly vulnerable to these attacks due to their reliance on outdated IT systems and funding constraints that limit advanced cybersecurity deployment and staff training.

In 2020, the United Kingdom’s National Health Service reported a surge in phishing attempts during the COVID-19 pandemic, many tailored to exploit the pressure on healthcare workers. Some emails offered urgent updates on protective equipment or new clinical guidelines; others impersonated senior NHS managers. While most attacks were detected, the episode showed how crisis conditions can amplify cyber risk.

To reduce these risks, governments are advised to adopt a multi-layered approach that combines technical controls, such as Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), Domain-based Message Authentication, Reporting and Conformance (DMARC), secure email gateways, and multi-factor authentication, with continuous staff awareness training and clear incident reporting mechanisms, rather than relying solely on individual vigilance.
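The email-authentication controls listed above can be checked mechanically. As an added example (not the article's own code), the Python below grades a domain's SPF and DMARC posture from its DNS TXT records, flagging the weak settings a reviewer would want changed; the domain names and records are constructed, and no DNS lookups are made.

```python
"""Added example, not from the article: grade the email-authentication posture
implied by a domain's SPF and DMARC TXT records, flagging weak settings (such as
DMARC p=none) that leave a ministry domain open to BEC-style impersonation."""
from dataclasses import dataclass
from typing import Optional

@dataclass
class Finding:
    severity: str  # "high" or "medium"
    message: str

def parse_tags(record: str) -> dict:
    """Split a DMARC-style 'k=v; k=v' record into a dict of lowercase tags."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.strip().split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags

def assess_spf(record: Optional[str]) -> list:
    if record is None:
        return [Finding("high", "no SPF record: any host may send as this domain")]
    if not record.lower().startswith("v=spf1"):
        return [Finding("high", "SPF record does not start with v=spf1")]
    terms = record.split()[1:]
    # The trailing 'all' mechanism decides what happens to unlisted senders.
    all_term = next((t for t in terms if t.lstrip("+-~?").lower() == "all"), None)
    if all_term is None:
        return [Finding("high", "SPF has no 'all' mechanism: unlisted senders are not rejected")]
    if all_term in ("all", "+all"):
        return [Finding("high", "SPF ends in +all: every host on the internet passes")]
    if all_term.startswith("?"):
        return [Finding("medium", "SPF ends in ?all (neutral): spoofed mail is not penalised")]
    return []  # ~all (softfail) or -all (fail) is acceptable

def assess_dmarc(record: Optional[str]) -> list:
    if record is None:
        return [Finding("high", "no DMARC record: receivers cannot enforce alignment")]
    tags = parse_tags(record)
    if tags.get("v", "").upper() != "DMARC1":
        return [Finding("high", "DMARC record does not start with v=DMARC1")]
    findings, policy = [], tags.get("p", "").lower()
    if policy == "none":
        findings.append(Finding("high", "DMARC p=none: spoofed mail is reported but still delivered"))
    elif policy == "quarantine":
        findings.append(Finding("medium", "DMARC p=quarantine: spoofed mail goes to spam, not rejected"))
    elif policy != "reject":
        findings.append(Finding("high", f"DMARC policy '{policy}' is missing or invalid"))
    pct = tags.get("pct", "100")  # share of failing mail the policy applies to
    if pct.isdigit() and int(pct) < 100:
        findings.append(Finding("medium", f"DMARC pct={pct}: policy covers only {pct}% of failing mail"))
    return findings

def assess_domain(spf: Optional[str], dmarc: Optional[str]) -> dict:
    """Combine SPF and DMARC findings; 'worst' is the most severe level present."""
    findings = assess_spf(spf) + assess_dmarc(dmarc)
    worst = next((s for s in ("high", "medium") if any(f.severity == s for f in findings)), "ok")
    return {"worst": worst, "findings": findings}

# Constructed records for a fictional ministry domain: the weak posture beside
# the hardened one that the article's layered email-control guidance implies.
WEAK = {"spf": "v=spf1 include:_spf.mailhost.example ?all", "dmarc": "v=DMARC1; p=none; pct=50"}
HARDENED = {"spf": "v=spf1 include:_spf.mailhost.example -all",
            "dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc@ministry.example"}

if __name__ == "__main__":
    for label, recs in (("weak", WEAK), ("hardened", HARDENED)):
        result = assess_domain(recs["spf"], recs["dmarc"])
        print(f"{label}: worst={result['worst']}", [f"[{f.severity}] {f.message}" for f in result["findings"]])
```

DKIM is not covered here because its selector records are per-key and cannot be graded from the domain's apex records alone.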



Ransomware and service disruption: When systems grind to a halt

Another major category of cyber risk for public institutions is ransomware, which is malicious software that encrypts systems and demands payment for restoration. Unlike email-based fraud, ransomware often causes visible and immediate disruption. Research indicates that in many cases, ransomware incidents are preceded by phishing or credential compromise, allowing attackers to move laterally across poorly segmented networks. Ransomware actors also deliberately target public bodies because reputational risks and statutory obligations increase the impact of service outages or data breaches.

In 2017, the WannaCry ransomware attack paralysed parts of the UK’s National Health Service, cancelling thousands of appointments and delaying critical care. In 2018, the city of Atlanta spent over USD 17 million to recover from a ransomware attack that disrupted court systems, utility billing, and police operations. International best practice points to a layered resilience approach: regular offline and immutable backups, timely patching and system updates, multi-factor authentication, network segmentation, continuous monitoring, and well-rehearsed incident response and recovery plans. Clear policies discouraging ransom payments and encouraging early reporting to national cyber authorities are also key measures in mitigating ransomware risks.



Insider risks and accidental disclosures

Not all cyber incidents involve malicious outsiders. A significant proportion of breaches in Government arise from accidental disclosures: emails sent to the wrong recipient, documents uploaded to unsecured platforms, or confidential attachments shared without appropriate safeguards. Research by Carnegie Mellon University’s CERT Insider Threat Center, and policy guidance from the UK’s National Cyber Security Centre, indicate that public institutions are exposed to these risks given their large workforces, complex access privileges, and extensive data-sharing across departments and external partners, all of which increase the likelihood of human error or misuse going undetected.

The UK Information Commissioner’s Office has repeatedly reported that many public sector data breaches stem from simple human error rather than deliberate wrongdoing. A mistyped email address or an overlooked attachment can expose sensitive personal data affecting hundreds or thousands of individuals. Although such incidents are not malicious, their consequences can still be significant, ranging from identity theft to a loss of trust in public institutions.

International best practice emphasises a “least-privilege” access model, continuous monitoring and audit trails, staff training on data handling, and clear accountability structures, ensuring that both technical safeguards and organisational culture work together to minimise insider-driven risks. Email classification is another practical measure that can help prevent accidental errors. Where controls are built into email systems to prevent employees from sharing sensitive information externally without proper classification, there is an additional opportunity for verification. Importantly, these risks cannot be addressed through punishment or fear alone; they require supportive systems, clear guidance, and realistic workloads.



Supply chains and third-party risk

Supply chain and third-party cyber risk refers to vulnerabilities that arise when Government institutions rely on external vendors, contractors, software providers, or service partners whose systems, products, or personnel have direct or indirect access to Government networks, data, or operations. While outsourcing brings efficiency, it also introduces additional risks. These risks are often compounded by limited visibility into subcontractors, long-term procurement arrangements, and national security concerns, particularly where adversaries may deliberately target suppliers to gain indirect access to sensitive systems.

The 2020 SolarWinds incident in the United States illustrated this type of risk clearly. By compromising a widely used software update, attackers gained access to multiple Government departments. Although not all affected agencies suffered direct harm, the incident showed how a single weak point can have far-reaching consequences. To mitigate supply chain risks, Governments are encouraged to embed security requirements into procurement processes, carry out proportionate due diligence and ongoing monitoring of suppliers, limit third-party access on a least-privilege basis, and align with established supply chain risk management frameworks.



Human factor: The weakest link in the chain

As Kevin Mitnick, often referred to as the “World’s Most Famous Hacker,” famously observed, “the weakest link in the security chain is the human element.” Academic and industry literature on cybersecurity points to a consistent finding: the majority of successful cyberattacks bypass technical defences by targeting people. IBM’s 2025 Cost of a Data Breach Report, based on analysis of thousands of incidents globally, identifies human-related factors as among the leading contributors to data breaches, with the global average cost of a breach now standing at USD 4.4 million. This highlights that technical controls alone are not sufficient without organisational readiness to manage cybersecurity risks.

Sri Lanka’s own evidence also suggests that the human and organisational dimension remains underdeveloped. A national survey of public officials conducted in 2021 by the Sri Lanka Computer Emergency Readiness Team (SLCERT) found that policy awareness was at a very low level, that many organisations had not implemented core information security policies, and that only a small proportion of ICT officers possessed basic security knowledge across areas such as asset classification, disaster recovery, incident management, network, and application security. The report warns that these weaknesses increase risk for public organisations and make digital Government ambitions vulnerable if capability does not improve. 

Although AI can support automated cybersecurity measures, human oversight will still be required to strike the right balance between systemic solutions and sound judgement. Establishing a verification culture through well-structured training programmes that encourage staff to pause and question even when a request appears routine or urgent is therefore important. In the United Kingdom civil service, mandatory cybersecurity awareness training is required for all staff, with additional role-specific modules for those handling financial transactions or sensitive data. The training is refreshed regularly and updated to reflect emerging threats such as BEC.

In Singapore, public officers undergo compulsory digital security training that includes simulated phishing exercises. Staff who fall for test emails receive targeted follow-up training. The European Union has also encouraged member states to integrate cybersecurity awareness into public sector professional development, recognising that attackers adapt quickly and that training must evolve accordingly.

Mandatory training reinforces that cybersecurity is everyone’s responsibility. In many developed jurisdictions, all staff members, regardless of role or seniority, are required to complete annual cybersecurity training. When these programmes are delivered online through internal systems, they can be implemented without significant additional cost. Training also normalises caution and reinforces the idea that questioning an unusual request is part of professional conduct. It also helps reduce stigma. When staff understand that cyber incidents are common globally and often highly sophisticated, they are more likely to report suspicious activity early. Silence and fear, by contrast, allow small issues to escalate when reporting is delayed. It is also important to establish clear protocols for reporting data losses and breaches in a prompt and secure manner. Building awareness of internal systems and controls supports the development of a more effective cybersecurity culture within organisations. One of the key lessons from international experience is that cybersecurity works best when understood as part of governance. While technical teams can design secure systems, only organisational leadership can ensure they are used responsibly.

International best practice on training programmes indicates that sessions incorporating simulated attacks, practical detection exercises, and clear procedural guidance help strengthen employees’ ability to recognise subtle indicators of fraud, question unusual requests, and follow secure communication protocols. Training needs to be continuous and embedded within organisational culture, supported by clear policies and accountability frameworks, as a sustainable response to evolving cybersecurity risks. In this sense, effective employee training can gradually shift the workforce from being a point of vulnerability to becoming a line of defence, complementing technical controls and improving institutional resilience. When cybersecurity is treated as a shared responsibility within good governance, it tends to strengthen accountability across all levels of an organisation. This, in turn, helps reduce harm and supports public trust. As Governments move further towards digital economies, cyber threats will continue to evolve. Making consistent investments in both technology and people will allow public institutions to respond more effectively to these risks. A cyber incident response plan should also be regularly tested and aligned with business continuity, crisis communication, and legal notification processes.

In the end, cybersecurity is about more than systems and code. It comes down to decisions made by people, supported by institutions that understand the realities of a connected world. That is a lesson worth taking seriously, not just in moments of crisis, but as part of everyday governance. International authorities such as the FBI warn public officials to be cautious about the nature of private and personal information they share online or on social media. In a digital environment, maintaining privacy can itself be a security measure. For example, information such as pet names, schools attended, or links to family members can give cybercriminals what they need to guess passwords and answer security questions. In a press release issued by SLCERT on 1 January 2026, the general public was urged to remain vigilant, avoid sharing personal or financial information online, verify suspicious messages and links, and enable strong security measures such as two-factor authentication and secure passwords, given the heightened level of cyber threats. In many international financial authorities, employees are not allowed to forward emails between personal and work accounts, nor access personal email through official devices. Similarly, there are restrictions on taking photographs within these organisations. While such controls may seem strict, they provide practical safeguards against cyber and related security risks.



The need to bridge the execution gap

Key policy strategies and frameworks underpinning cybersecurity measures and digital transformation are already in place in Sri Lanka. A 2023 circular from the Ministry of Technology made the Information and Cyber Security Policy mandatory across Government bodies, required the appointment of security officers and annual audits, and placed advisory responsibility on Sri Lanka CERT. It would be useful to assess the progress made under this circular in strengthening cybersecurity across Government institutions. The circular also requires the National Audit Office, with the support of Sri Lanka CERT, to audit the progress of policy adoption by Government organisations on an annual basis.

The Government has also launched the National Cyber Security Operations Centre (NCSOC), which began monitoring 37 critical institutions in 2025 and is expected to extend connectivity across other critical state institutions. At the time of its establishment, it was recognised that cyber resilience is directly linked to national security and economic stability. Sri Lanka has placed digital transformation at the centre of its economic recovery and long-term growth strategy, formally adopting the National Digital Economy Strategy 2030 and the Digital Economy Blueprint to position the country as a digitally enabled, innovation-driven, and investment-friendly economy. These initiatives envisage expanded digital public infrastructure, connected Government services, digital financial systems, and increased private sector participation as key drivers of competitiveness, exports, and foreign direct investment. However, cybersecurity breaches involving Government institutions pose a clear risk to these ambitions.

High-profile incidents affecting state financial systems and public institutions have shown how cyberattacks can erode public trust, raise concerns about governance and institutional capacity, and damage Sri Lanka’s international reputation at a time when investor confidence is particularly important. Research and regional experience consistently indicate that poorly managed or widely publicised cyber breaches in the public sector can discourage foreign investment, increase perceptions of country risk, and weaken Sri Lanka’s position as a secure destination for digital services, fintech, and technology-enabled supply chains. In a digital economy where trust is central, the resilience and security of Government systems are not merely technical concerns, but strategic economic priorities linked to national credibility, investment flows, and long-term growth. The absence of robust cybersecurity frameworks can also reduce citizens’ confidence in online public services, making them less willing to use digital identity systems, e-Government platforms, or digital payments. For a country seeking to position digitalisation as a pillar of economic recovery and investment promotion, cybersecurity is therefore not just a technical issue; it is a reputational, institutional, and economic priority.

“Cybersecurity isn’t about avoiding risk — it’s about managing it intelligently. The future belongs to leaders who make cyber resilience a competitive advantage.”

— Adam Fletcher, CISO, Blackstone.


(The author is an Attorney-at-Law. Views expressed in this article are entirely personal and do not represent the views of any organisation or institution with which the author is associated)


Key sources:

  • UK National Cyber Security Centre (NCSC), cybersecurity guidance – https://www.ncsc.gov.uk
  • Federal Bureau of Investigation (FBI), Internet Crime Reports – https://www.ic3.gov
  • Sri Lanka Computer Emergency Readiness Team (SLCERT), national survey findings – https://www.onlinesafety.lk/uploads/statements/Survey-Final-Report-SL-CERT.pdf
  • Ministry of Technology, Implementation of Information and Cyber Security Policy for Government Organisations – https://www.cert.gov.lk/wp-content/uploads/circulars/Implementation_of_Policy-MOT.pdf
