NAO urges Cabinet Office to coordinate Whitehall data security efforts
The government is failing to properly address data protection, with almost 9,000 breaches recorded in 2014-15, a report from the National Audit Office has said.
The report, published today, said that the Cabinet Office needed to make it much easier for departments to carry out the “critical” task of protecting their information from unauthorised access or loss.
The NAO said that the Cabinet Office "has not yet established a clear role for itself in coordinating and leading departments’ efforts to protect their information".
It added that efforts to track performance are being hindered by patchy data and too many bodies with "overlapping responsibilities".
A further issue raised in the report is a lack of clarity on the money spent on security. The NAO said that the Cabinet Office had collected data on the annual spend on security in 34 departments that suggested it was £300m – but that it also believed the actual costs are “several times” that figure.
The NAO said that the 17 biggest government departments recorded 8,995 data breaches in 2014-15. In addition, the UK government’s security arm GCHQ dealt with an average of 200 cyber-related national security incidents a month in 2015 – twice as many as in 2014.
The watchdog said that there were “at least” 12 separate teams in the centre of government with a role in safeguarding information, with the governance arrangements above them "unclear and fragmented", and "no formal links" between the main players.
The NAO said that while the new National Cyber Security Centre – which launches next month to take the lead on shielding government networks from cyber-attack – will help pool "much of government’s cyber expertise", a more wide-ranging shake-up is needed "to further enhance the protection of information".
"The NCSC should streamline central government processes for dealing with information incidents in cyberspace," the report said.
"However, the scale and pace of the challenges of protecting information are such that these structural changes are unlikely to be sufficient on their own unless Cabinet Office also supports departments in addressing the wider problems set out in this report."
It added: "The NCSC is designed to work with government and the private sector: whether it has the capacity to do so effectively remains to be seen."
Among its findings, the NAO said that departments have tended to treat information governance as a lower-order priority, and noted that the Cabinet Office "does not provide a single set of governance standards for departments to follow, and does not collate or act upon identified weaknesses".
"Only a few departments set security standards through their supply chain," it added.
Meanwhile, the report said the Cabinet Office does not have access to "robust expenditure and benefits data" from departments that would allow the centre of government to take "informed strategic decisions on protecting information".
And the watchdog said that, despite the creation of a dedicated civil service security profession in 2013, it remains "difficult for government to attract people with the right skills" to take on key cyber security roles.
That finding echoes comments made this week by a recruiter for the Ministry of Justice, who said people with cyber security skills "still don’t think working for government is cool".
Departments were, the recruiter said in a GOV.UK blogpost, still working to shake off the perception that government tech jobs meant working against "a massive legacy monolithic monster" and "trying to troubleshoot memory issues in some mid-90s middleware".
The NAO said demand for such skills across government was "growing and is likely to continue to grow".
"Plans to cluster security teams may initially share scarce skills but will not solve the long-term challenge, and will pose questions for departmental accountability," the watchdog's report added.
Launching the NAO's latest findings, the audit office's head Amyas Morse said: “Protecting information while re-designing public services and introducing the technology necessary to support them is an increasingly complex challenge.
"To achieve this, the Cabinet Office, departments and the wider public sector need a new approach, in which the centre of government provides clear principles and guidance and departments increase their capacity to make informed decisions about the risks involved.”