NAO warns that UK government doesn’t know how vulnerable its IT systems are
The cyber threat to the UK government is ‘severe and advancing quickly’, the National Audit Office (NAO) has found.
It said the government’s new cyber assurance scheme, GovAssure, independently assessed 58 critical departmental IT systems last year and found significant gaps in cyber resilience. Meanwhile, there are at least 228 legacy systems in use – and the government doesn’t know how vulnerable they are to a cyber attack.
“The risk of cyber attack is severe, and attacks on key public services are likely to happen regularly, yet the government’s work to address this has been slow,” said Gareth Davies, head of the NAO.
“To avoid serious incidents, build resilience and protect the value for money of its operations, the government must catch up with the acute cyber threat it faces.”
While the then Conservative government launched a strategy for improving government organizations’ cyber security in January 2022, it’s failed to meet its aims, the NAO said. This is partly because of a shortage of skills.
In 2023-24, the NAO found, one in three cyber security roles in government was vacant or filled by temporary staff; more than half of cyber roles in several departments were vacant; and 70% of specialist security architects in post were temporary staff. Departments blame the salaries they can pay, along with civil service recruitment processes.
“For there to be 58 critical systems with significant gaps in cyber resilience and over 228 legacy IT systems unassessed should be deeply concerning to everyone. It is also shocking to see that one in three cyber security roles in government are vacant or filled by temporary staff in 2023-24,” commented Sam Peters, chief product officer at ISMS.online.
“Cumulatively the skills gap and reliance on legacy systems really underscores the broader issue of underinvestment in cybersecurity. Organizations and government must view compliance not as a cost but as an investment in resilience, trust, and business growth.”
The NAO is urging the government to develop, share and start using a cross-government implementation plan for the Government Cyber Security Strategy within the next six months. The plan should set out how the whole of government must operate differently, and what is needed for this transformation to be effective.
The ICO has also said that within the next year, the government should make and carry out plans to fill cyber skills gaps in its workforce.
However, says Ian Stretton, director at Green Raven, to focus only on the high levels of vacancies and skills shortage is to miss the point.
“The broader problem is that any cybersecurity strategy – whether at national or organizational level – that relies substantially on building more, more sophisticated technological defences around assets is, ultimately, doomed to fail,” he said.
“Threat intelligence is the key – just as our security services successfully keep the country safe from terrorist acts based on sophisticated intelligence-gathering. I hope that such a discussion might be part of what the NAO means by ‘operate differently’, in its recommendation that ‘the whole of government needs to operate differently… so that it can achieve its goals for cybersecurity and resilience’.”