Public sector ignoring secure by default approach

The public sector is risking security breaches by ignoring the principle of secure by default, a study has shown

The public sector is risking security breaches by ignoring the principle of making new digital systems with the government’s digital reform programme secure by default, a study has shown.

More than two-thirds of government employees feel that not enough attention is being placed on ensuring key “digital by default” platforms are also secure by default, according to a survey by security firm McAfee.

In July, the Science and Technology Committee (STC) cast doubt on the government’s digital by default strategy in an open letter to Cabinet Office minister Francis Maude.

The STC raised questions around the security of citizens' data after hearing evidence that the government does not keep up with privacy-enhancing technologies and does not update its software regularly.

More than a quarter of over 800 government employees polled believe that small to medium enterprises are vulnerable to cyber attacks due to their involvement in the supply chain for the delivery of government projects.

This figure rises to 35% amongst those working in roles which require a high level of knowledge or some knowledge of cyber-security issues

Only 14% of respondents feel G-Cloud gives adequate consideration to cyber-security, and  a mere 13% said cyber-security occupies a prominent enough position in the Universal Credit Programme.

Although 60% of civil servants said cyber security is a high or top priority within their department, 47% said that little or no knowledge of cyber security is needed in their positions.

This shows a potentially serious lack of accountability within the public sector, with more than 80% of those questioned working in central government, and likely to be handling highly-sensitive information.

The study found that the areas of most concern are data protection and security (36%), direct hacking attempts like DDoS attacks or SQL injections (17%) and attacks from foreign governments and criminal or terrorist organisations (14%). 

Just over half of respondents said an important solution to the problems caused by the lack of digital skills is to run more dedicated training courses and development programmes for specialists in this field, while 41% called for stronger specialist teams within departments. 

Anecdotal responses gathered during the survey indicate that experience outside of the public sector may bring much needed cyber security expertise to government departments, with respondents saying the skills of those who have private sector experience are not fully utilised. 

One respondent said there is no shortage of digital skills in the civil service, but the most highly skilled civil servants in this area are in the lowest grades.

Another respondent said there are many people with the necessary experience in the public service, but their skills are not being used properly.

The study found that the skills gap in the public sector may be compounded by a perceived disadvantage for those who leave the public sector to go on a secondment.

A third of respondents believe that if civil servants leave central government and re-enter, it either slightly or badly damages their career.

“Civil servants are our nation’s first line of defence, yet current government policy does not appear to be providing them with the incentives nor the training required to fully address the challenge,” said Graeme Stewart, director, UK public sector strategy at McAfee.

The results from the study, he said, are further proof that initiatives such as Digital Government Security Forum (DGSF) are needed.

The DGSF is designed to help counter specific cyber threats posed by digital service transformation by sharing best practice use cases across industry and wider public services.

“It is only with a coordinated and concerted set of efforts that UK Plc can remain safe and a place for digital business to flourish, said Stewart.

Read more on Privacy and data protection