Government spending watchdog the National Audit Office (NAO) has slammed the government’s approach to cybersecurity, branding it confused and chaotic.
In a new report out today, the NAO claimed that departments are struggling to adequately balance the need to keep data secure with the need to make certain information available via new digital services.
There are too many bodies with overlapping responsibilities at the heart of government, making it difficult to know where to go for advice, it said.
“As at April 2016, at least 12 separate teams or organizations in the center of government had a role in protecting information, many of whom produce guidance,” the report added.
“While the new National Cyber Security Centre (NCSC) will bring together much of government’s cyber expertise, in the NAO’s view, wider reforms will be necessary to further enhance the protection of information.”
The government has devolved accountability for cybersecurity to individual departments, and as a result the centre of government now has too little oversight of what progress is being made, with the Cabinet Office failing to establish itself as the departmental lead and coordinator.
Breach reporting was described by the NAO as “chaotic” – with “different mechanisms making departmental comparisons meaningless” – and there is no single set of information governance standards for departments to follow.
“Protecting information while re-designing public services and introducing the technology necessary to support them is an increasingly complex challenge,” argued NAO head, Amyas Morse.
“To achieve this, the Cabinet Office, departments and the wider public sector need a new approach, in which the center of government provides clear principles and guidance and departments increase their capacity to make informed decisions about the risks involved.”
Michael Hack, SVP of EMEA operations at Ipswitch, argued that the forthcoming EU General Data Protection Regulation (GDPR) will compel government bodies to improve their data security and breach reporting capabilities.
“Public bodies strive to be in the headlines for setting standards and best practice, not for failing in their data security responsibilities. Many have invested already in bolstering their IT security and data sharing processes,” he added.
“Government now needs to introduce a cohesive risk management exercise that identifies the key processes and assets, and evaluates their vulnerabilities and potential threats. The results will then highlight priorities for the next stage of the process. The exercise should cover all areas of public sector and should also consider technologies and strategies to mitigate the risks identified.”
On the plus side, the NAO did acknowledge that some departments had made “significant improvements” in information governance, and noted that “the UK government has a strong international reputation in some areas of information security and digital government.”