UK government under-prepared for catastrophic cyber attack, hears PAC

The government is under-prepared for a catastrophic cyber attack and still dogged by legacy IT, but making progress, the Public Accounts Committee of the House of Commons has heard.

The committee, chaired by Geoffrey Clifton-Brown, Conservative MP for North Cotswolds, took testimony on 10 March from four high-ranking government IT leaders about the cyber resilience of Whitehall departments. This followed the publication, in January, of a report by the National Audit Office (NAO), which found government cyber resilience lacking, weakened by legacy IT and skills shortages, and facing mounting threats.

In its Government cyber resilience report, the public spending watchdog warned that the cyber threat to the UK government is “severe and advancing quickly”. It found that 58 critical government IT systems, assessed in 2024, had significant gaps in cyber resilience, and the government does not know how vulnerable at least 228 “legacy” IT systems are to cyber attack.

The NAO spotted that the government’s cyber assurance scheme, GovAssure, found significant gaps in cyber resilience, with multiple fundamental system controls at low levels of maturity across departments. GovAssure assesses the critical systems of government organisations. It was set up in April 2023.

The question, according to the report under review at the PAC session, is no longer whether the government will face a damaging cyber attack, but how severe the impacts will be, as the sophistication and number of attacks continue to rise.

As the government’s operations become increasingly digitised, so too does the severity of potential impacts resulting from cyber attacks. In an effort to combat this, the government published a Cyber Security Strategy in 2022, which set out plans to make the public sector resilient to cyber attacks by 2030. The PAC chair said the committee would look at “how the government understands the severity of the cyber threat that it faces, how it can best achieve the aim of the strategy, and build the government’s resilience to cyber attacks”.

Testifying before the committee were: Cat Little, chief operating officer for the Civil Service and permanent secretary to the Cabinet Office; Vincent Devine, government chief security officer and head of the Cabinet Office’s Government Security Function; Joanna Davinson, interim government chief digital officer at the Department for Science, Innovation and Technology; and Bella Powell, cyber director of the Cabinet Office’s Government Security Group.

One matter of concern to the MPs on the committee is how little visibility civil servants appear to have even into the number of government IT systems, spread across departments and “arm’s-length bodies”, let alone the extent to which those systems are “legacy” systems especially vulnerable to cyber attack.

Clive Betts, Labour MP for Sheffield South East, said: “This is quite a critical issue. This is about the threat from potential cyber attack that could be launched against a legacy system, and we don’t yet know what the systems are to begin with.”
Davinson responded: “It’s not a simple, ‘What’s the list?’ We’ve asked that question of departments, and have had responses through our legacy risk framework. We’ve got that understanding and we are continuing to expand that out to other organisations. [But] it’s not a resource-free exercise.”

Little added: “What this part of our discussion really brings to light is that government, in a period of scarce resources, has got to make prioritised decisions based on risks and how much assurance is desired. And it’s for the government to set its risk appetite, and to use that risk appetite and information to allocate resources accordingly.

“We’ve made huge progress in understanding the most significant issues that we’ve got [in terms of legacy], and whilst it’s not every single system, it is the vast majority … [and] we’re using both GovAssure and our technical expertise in legacy IT to set out for ministers the choices about risk and how much risk they want to buy out. That is the fundamental question. If you’ve got X billion pounds available to fund people, resources, skills, to remediate legacy IT, and to invest in new technology, how you use your allocative resource has got to be risk based, and it’s got to be outcome based. The whole point of the Spending Review process is to bring outcomes and risks together so that ministers can make a funding allocation choice.”

Powell said: “We are ramping up the number of systems that we’re looking at. We are not doing that in an exponential fashion, but I think it’s also worth noting that with GovAssure, we are driving the car and building it at the same time. We launched it in April 2023 following some early pilots with departments [when] it was still at an early-stage assurance process.

“There is much more that we can and need to do, particularly in terms of automation of that process, in terms of providing stronger support and guidance to departments in implementing it, and also in the root cause analysis to better understand the data that we are gathering from that process. It is by no means a finished product, it is by no means a perfect product, but what it’s already starting to do is give us the outcomes that we need in terms of understanding resilience levels and where we can take action.”

MPs were also concerned about the extent to which the government has, as the NAO report states, underestimated the scale of cyber risk.

Devine was candid about GovAssure having been introduced late, in April 2023. “We probably have woken up to the scale of cyber risk more slowly than we should have done. We were probably unrealistic in relying upon self-assessment [of government departments],” he said.
“Despite recognising this in 2010, starting to invest money significantly in 2016, we didn’t ramp up the government response to cyber security from assurance through to response as quickly as we should have, in retrospect. Why? Because I don’t think we were as alive to the threats as we should have been, and probably because we hadn’t had the incidents that brought it to life for us that we and our allies have had over the last five years. It’s not a good answer, but it is the true answer,” Devine added.

To that, Little added: “It’s really difficult to go back in time to our predecessors. Like all good risk management, you manage risks as best you can until they become an issue. When they become an issue, and they’re live and they’re real, you step up your response… We’ve always known about the risks, but it wasn’t until it became a real, live issue that the scale of what we were dealing with became clear, and it needs a different sort of response.”

The original NAO report gave, as an example of how damaging cyber attacks can be, the June 2024 attack on a supplier of pathology services to the NHS in south-east London, which led to two NHS foundation trusts postponing 10,152 acute outpatient appointments and 1,710 elective procedures. It also cited the British Library ransomware attack of October 2023, which has already cost £600,000 to rebuild services; the library expects to spend many times more as it continues to recover. Both were mentioned in the PAC session.

The report found that the biggest risk to making the UK government resilient to cyber attack is a gaping skills gap. One in three cyber security roles in government were vacant or filled by temporary – and more expensive – staff in 2023-24, while more than half of cyber roles in several departments were vacant, and 70% of specialist security architects were staff on temporary contracts.

In the Public Accounts Committee meeting, Little said she was sad to see a continued over-reliance on contractors, but that initiatives such as a cyber security Fast Stream and a new “digital pay framework” were “starting to have an impact”.

Powell added that the overall number of digital technology professionals in the civil service has grown, and stands at nearly 6%. “It’s not as much as we’d like it to be. We are struggling with the very technical resources, and that’s a market problem – they are scarce in the private sector as well as in the public sector,” she said.

Overcoming the cyber paradox: Shrinking budgets – growing threats

Recent years have seen a general cost-cutting in organisations caused by economic pressures. Many organisations have seen a fall in customer demand due to the cost-of-living crisis, as well as inflationary pressures affecting costs. Higher interest rates, increasing organisations’ cost of capital, are another factor.

There’s also a sense of fatigue associated with spending on cyber security. Businesses’ spending on cyber has been increasing year-on-year for a sustained period of time, and a tendency has crept in for organisations to feel that, by now, they have done the necessary investing required to protect themselves, even though the reality is that the cyber threat landscape is ever-intensifying and regulatory pressures are mounting.

Lastly, we’ve seen a ‘platformisation’ of cyber software, with the big suppliers creating cohesive, unified cyber solutions. This encourages CISOs to embrace economies of scale in their spending, allowing them to do ‘more with less’. This has led to reductions in spending on single-use-case software solutions.

All of these factors combined are contributing to a flatlining of cyber budgets over the past 12 to 18 months in many organisations.

What makes organisations feel security is a worthwhile ‘cut’?

In this area, spending is highly correlated with compliance – often more so than with risk appetite. Compliance drives action, which leads to a situation where, once the organisation feels compliance has been achieved, spend begins to plateau as the sense of urgency around cyber dissipates.

Some sectors are pushing hard on compliance, for example DORA for financial services in EMEIA and NIS2 for critical infrastructure in the European Union (EU). Spending on cyber security is more robust in these sectors, commensurate with the demands of these regulatory frameworks, but in sectors where regulation is less onerous, the spend is measurably flattening.

How can CISOs and security leaders lobby to maintain their budgets?

This is where a shift in perspective is badly needed. The case needs to be made that spending on cyber is a value investment – not just a risk management cost. Organisations need to start regarding cyber as an enabling ecosystem which unlocks value in multiple ways. It can enable AI implementation right across the organisation, for one thing. It can help enable acquisitions, for another. Creating a strong platform can also differentiate the organisation in the eyes of customers. All this contributes tangible value.

This is an important shift in mindset, from a perspective that views cyber only as a cost to one that understands it as an enabling infrastructure that links directly to the value generated by the products and services it underpins.

This new perspective should enable businesses to consider that, instead of relying solely on central funding for cyber, they can allocate to cyber a share of their budgets for new initiatives – on the basis that an optimal cyber infrastructure is a necessary condition of the initiative’s success.

It’s also useful to quantify the effectiveness of cyber spend, using Cyber Risk Quantification to demonstrate the tangible link between risk reduction and spend.

How can CISOs and security leaders increase their budgets?

One of the main things cyber can enable is AI, and this is becoming the fastest-moving – and fastest-growing – change catalyst in the whole landscape. There is no doubt that AI is a cyber threat multiplier, allowing cyber criminals to become better at what they do: better malware, better phishing, and so on.

This means that the custodians of business need to become better, too. And that’s going to require ongoing investment, and an ongoing evolution of the tools and solutions we implement, to enable organisations to try and keep up with the criminals.

As cyber criminals avail themselves of AI to create more effective cyber attacks, organisations are going to need to fight AI with AI. It is important to look at opportunities to automate cyber defence, especially in key use cases around threat detection and response, automated testing and user access rights management.

EY’s research shows that one of the key indicators of organisations that perform best in cyber security is that they consistently adopt emerging technology – especially automation – quickly. Companies that can ingrain that technology-friendly approach are the ones that suffer the least when attacked.

The threat outlook for 2025

The existing big threats – ransomware, phishing and supply chain attacks – will all continue, and will continue to grow in sophistication. Alongside that, we expect to see more targeting of Operational Technology (OT), as well as the Internet of Things (IoT).

It’s reasonable to expect that the fast growth of AI implementation across organisations and sectors will produce new vulnerabilities, and that as a result, more data breaches will occur as an inevitable aspect of this fast pace of change.

Finally, the other key development will be the way cyber criminals are themselves utilising and deploying AI. The intensity of malware attacks is likely to increase, as attackers weaponise GenAI. The pace of development is capable of being equally effective on both sides of the battle, which is precisely why organisations cannot afford to be complacent.

Richard Watson is global and APAC cyber security consulting lead at EY