Legacy IT magnifies cyber risk for Defra, says NAO

While the Department for Environment, Food and Rural Affairs (Defra) is making progress on tackling the “urgent service risks and vulnerabilities” introduced by historic under-investment in technology, it is still failing to adequately plan for the wider digital transformation that it needs to undergo, introducing further elements of risk, according to a National Audit Office (NAO) report.

With Defra holding responsibility for multiple critical digital services such as disease prevention, flood protection and air quality, the NAO said it was especially concerned by the growing number of legacy applications used at the department, many of which rely on ageing IT infrastructure.

It said that Defra’s de-prioritisation of investment had led to a situation where 30% of its applications are now unsupported, meaning the developers are not issuing any software or security updates. It said this was compromising the resilience of important environmental services, and increasing Defra’s exposure to cyber attacks.

The NAO said Defra was not alone in facing the problems associated with elderly and creaking technology estates, but it did face one of the toughest challenges in addressing those – it is not expected to complete the work it needs to do before 2030, and its own estimates currently suggest that three-quarters of its total digital, data and technology spend is being frittered away on maintaining old technology.

“Government continues to rely on many outdated IT systems at significant cost. Defra faces a particularly challenging task in replacing its legacy applications and has begun to tackle it in a structured way,” said NAO head Gareth Davies.

“The full potential of technology in improving public services and reducing cost to the taxpayer can only be accessed if this programme and others like it across government are delivered effectively.”

The NAO’s full report did, however, acknowledge that Defra is making efforts to reduce the most pressing risks, likewise it conceded that the department had not – prior to the 2021 Spending Review – been given the necessary funding. It has now been allocated £366m from the Treasury to spend on IT through 2025, compared to just £100m to spend between 2016 and 2019.

It added that since the Spending Review, Defra has successfully established a “well-designed plan”, but said the additional funds, though helpful, were not nearly enough to reduce risk to acceptable levels or fund broader digital transformation efforts.

The NAO urged Defra to keep up the pace with its Legacy Applications Programme as it moves from the remedial, stabilisation phase and into full-blown digital transformation.

It also recommended that Defra, and other departments, do more to develop a “strategic digital vision”, paired with proper governance and management structures to help make sure digital and data considerations are “central to business transformation plans”.

Illumio head of industry solutions Raghu Nandakumara commented: “It’s concerning that a huge proportion of government systems are being left vulnerable to attack, particularly with ransomware so prevalent. But it’s also not surprising. 

“Most large organisations have a substantial amount of legacy infrastructure which is not always easy to retire or patch. But in those scenarios, it’s critical that steps are taken to minimise risk and exposure to attack. At a very minimum, this means limiting access to systems and services with known vulnerabilities and imposing a strategy of least privilege. 

“A key pillar of the government’s cyber security strategy is about mitigating cyber risk, so it’s important it practices what it preaches. Ultimately, the best way to reduce risk is through the practice of good security hygiene and a defence-in-depth approach to building cyber resilience,” said Nandakumara.