Public sector security failings leave UK at risk, says think tank

The pandemic-driven surge in remote working since March is exacerbating pre-existing vulnerabilities and highlighting the parlous state of cyber security in the UK’s public sector, according to a new report compiled for think tank Reform – which advocates the reform of public services – alongside IT services provider DXC Technologies.

The report noted a spike in cyber attacks against public sector bodies across Europe and said this should prompt fears over the “patchwork” nature of cyber security in the UK’s public sector.

“Hospitals running on outdated systems and minimal awareness of cyber threats, particularly among the local government workforce, is a recipe for disaster which ministers urgently need to address,” said Eleonora Harwich, report co-author and research director at Reform.

“The resilience of our public services has already been tested to an unprecedented degree since the start of the pandemic. A WannaCry-level attack now would be devastating, literally putting lives at risk.” 

Reform is concerned that what it terms “inadequacies” in public sector security, coupled with the impact of the Covid-19 pandemic, increases the likelihood of another large-scale cyber attack similar to WannaCry, which impacted 80 NHS trusts in 2017 and ended up costing the health service over £90m.

It said that although new guidelines have been set around security since WannaCry, and some improvements made, the NHS in particular still relies too heavily on outdated operating systems. From publicly available data, it inferred that the health service may have up to 150,000 systems still running Windows 7, for example.

Reform’s report also said poor resilience in local government was becoming an increasingly acute concern, again because the pandemic has forced the rapid digitisation of many public services, with hard-pressed local authorities unclear how to keep such systems up to date and secure, and many delaying the roll-out of security protocols to reduce operational costs.

It cited documents from the Department for Digital, Culture, Media and Sport (DCMS) stating that outside central government, 25% of public sector security leaders do not feel confident providing security training materials or sessions, and 27% of local public sector bodies find themselves with a basic technical skills gap.

Reform is urging the government to take account of these failings in the next iteration of the National Cyber Security Strategy, which will be published soon.

It called on the government to mandate National Cyber Security Centre (NCSC) Cyber Essentials training for anyone handling sensitive information in the public sector, ranging from civil servants to clinicians, teachers and council staff.

It also wants the strategy to include strict, yearly audits, conducted at random, of local public sector bodies, and a kitemark of technology judged secure for use in the public sector. 

“Our use of the internet has increased massively during the Covid-19 pandemic,” said MP Ruth Edwards, commenting on Reform’s recommendations. “Whether we are using it to stay in touch with friends and family or to shop online, the internet has provided a vital communications lifeline for many people during lockdown. But this also leaves us more vulnerable to cyber attacks.

“Cyber criminals are targeting individuals and companies every single day. These attacks are becoming more sophisticated and often quite difficult to spot. That is why we need to invest in training the next generation of cyber security practitioners.

“From coders and phishing experts to ‘white hat’ ethical hackers, we need to upskill our economy and create new jobs. Cyber security will be one of the most important industries worldwide in the next decade, and we can’t get left behind.”