Public sector security failings leave UK at risk, says think tank

 

The report noted a spike in cyberattacks against public sector bodies across Europe and said this should prompt fears over the “patchwork” nature of cybersecurity in the UK’s public sector.

“Hospitals running on outdated systems and minimal awareness of cyber threats, particularly among the local government workforce, is a recipe for disaster which ministers urgently need to address,” said Eleonora Harwich, report co-author and research director at Reform.

“The resilience of our public services has already been tested to an unprecedented degree since the start of the pandemic. A WannaCry-level attack now would be devastating, literally putting lives at risk.” 

Reform is concerned that what it terms “inadequacies” in public sector security, coupled with the impact of the Covid-19 pandemic, increases the likelihood of another large-scale cyber attack similar to WannaCry, which impacted 80 NHS trusts in 2017 and ended up costing the health service over £90m.

It said that although new guidelines have been set around security since WannaCry, and some improvements made, the NHS in particular still relies too heavily on outdated operating systems. From publicly available data, it inferred that the health service may have up to 150,000 systems still running Windows 7, for example.

Reform’s report also said poor resilience in local government was becoming an increasingly acute concern, again because the pandemic has forced the rapid digitisation of many public services, with hard-pressed local authorities unclear how to keep such systems up to date and secure, and many delaying the roll-out of security protocols to reduce operational costs.

It cited documents from the Department for Digital, Culture, Media and Sport (DCMS) stating that outside central government, 25% of public sector security leaders do not feel confident providing security training materials or sessions, and 27% of local public sector bodies find themselves with a basic technical skills gap.

Reform is urging the government to take account of these failings in the next iteration of the National Cyber Security Strategy, which will be published soon.

 

It called on the government to mandate National Cyber Security Centre (NCSC) Cyber Essentials training for anyone handling sensitive information in the public sector, ranging from civil servants to clinicians, teachers and council staff.

It also wants the strategy to include strict, yearly audits, conducted at random, of local public sector bodies, and a kitemark of technology judged secure for use in the public sector. 

“Our use of the internet has increased massively during the Covid-19 pandemic,” said MP Ruth Edwards, commenting on Reform’s recommendations. “Whether we are using it to stay in touch with friends and family or to shop online, the internet has provided a vital communications lifeline for many people during the lockdown. But this also leaves us more vulnerable to cyber-attacks.

“Cybercriminals are targeting individuals and companies every single day. These attacks are becoming more sophisticated and often quite difficult to spot. That is why we need to invest in training the next generation of cybersecurity practitioners.

“From coders and phishing experts to ‘white hat’ ethical hackers, we need to upskill our economy and create new jobs. Cybersecurity will be one of the most important industries worldwide in the next decade, and we can’t get left behind.”

 

At 1-fix, we take a realistic approach to technology – ensuring our client’s systems are best protected.

If you have any concerns, questions or simply want to explore how to better secure your business, please do get in touch with the team for a FREE demonstration, consultation to explore how exposed your business might be and identify actions to take.