The government must provide public sector organisations with clear guidance on protecting data, but needs better information on departmental security costs, performance and risks to do so, according to the National Audit Office (NAO).
The NAO report also found that the UK government has a strong international reputation in some areas of information security and digital government.
Amyas Morse, head of the NAO, said protecting information while re-designing public services and introducing the technology necessary to support them is complex, and the government needs to change how it addresses this.
“To achieve this, the Cabinet Office, departments and the wider public sector need a new approach, in which the centre of government provides clear principles and guidance and departments increase their capacity to make informed decisions about the risks involved,” said Morse.
The report said complexity was the result of challenges such as keeping information safe while making it available to other public sector organisations, private companies and citizens.
The report said too many bodies with overlapping responsibilities operated in the centre of government, confusing departments about where to go for advice. It said at least 12 separate teams had a role in protecting information, with many producing their own guidance.
“While the new National Cyber Security Centre will bring together much of government’s cyber expertise, in the NAO’s view, wider reforms will be necessary to further enhance the protection of information,” said the report.
According to the NAO, the government does not routinely analyse its overall performance in protecting information because security is the responsibility of individual departments. “This means government has little visibility of information risks in each department and has limited oversight of the progress departments are making to better protect their information.”
Reporting personal data breaches in government is “chaotic”, said the NAO, with different mechanisms in use across departments “making departmental comparisons meaningless”.
Information about security spending in government is also hard to measure: although a figure of £300m was reported, the NAO believes the actual costs are several times higher.
While there have been improvements, the NAO said: “The Cabinet Office does not currently provide a single set of standards for departments to follow, and does not collate or act upon those weaknesses it identifies.”
On information security skills in government, the NAO said people with the necessary training were scarce, and while plans to cluster security teams might work in the short term, this would not solve the long-term challenge.