Posted on January 14, 2022 by Tom McDonald
The start of a new year brings the opportunity to look back and reflect on the challenges we faced in dealing with COVID-19 during the last year. One of the many impacts of the pandemic we did not foresee was moving many aspects of our social and economic life online to try and keep them going through lockdowns. This came with considerable advantages, keeping many businesses, social networks and relationships going. But it also came with a significant downside, as we all became more vulnerable to the risks associated with operating online. In addition to the major attacks like WannaCry and SolarWinds, which have affected organisations in the UK and overseas, it is now increasingly likely that each of us has either personally suffered from some kind of online crime or knows someone else who has.
In its latest Annual Report, government’s National Cyber Security Centre (NCSC) is clear about the nature of the risks we have faced during the pandemic, noting the startling finding that “From household goods to vaccine appointments, there have been few avenues criminals have not tried to exploit”. And the move to living more of our lives online has resulted in some shifts in criminal activity.
The major trend identified by the NCSC is the growth in criminal groups using ransomware to extort organisations of all kinds. The NCSC describes ransomware as the most immediate cyber security threat to UK businesses: this obviously makes it a threat to the resilience and performance of the economy. But it is also a risk to both central and local government and the wide range of services which they support. So, whether we are taxpayers or service users, we should be concerned at this increased use of ransomware being added to the existing list of cyber threats.
Unfortunately, the other threats on that list haven’t gone away. The March 2021 Microsoft Exchange Servers incident, in which a sophisticated attacker used zero-day vulnerabilities to compromise at least 30,000 separate organisations, highlighted the dangers posed by supply chain attacks. And there are plenty of examples in the news of other incidents, both malicious and accidental, which have put data, operations and organisational resilience at risk in both private and public sectors.
In its new National Cyber Strategy, government has set out some of the things it wants to do to make the UK more resilient to cyber-attack. Like its predecessors, the Strategy is painted on a broad canvas, setting out high-level objectives: it says that the UK should strengthen its grasp of technologies that are critical to cyber security and that it should limit its reliance on individual suppliers or technologies which are developed under regimes that do not share its values. These objectives are aimed at the structural factors behind cyber security. And in the meantime, government is developing its Active Cyber Defence programme – which seeks to reduce the risk of high-volume cyber-attacks ever reaching UK citizens – and pressing ahead with other work on skills, resilience and partnerships across different industries and sectors.
So, it seems clear that, despite the efforts of public and private sectors, the pandemic has exacerbated some of the threats we face online. But one thing that most experts agree on is that our best defence is getting the basics right. Many of the attacks which we have seen during the pandemic could have been avoided if individuals and organisations had followed recognised good practice. This includes actions like implementing formal information security regimes, avoiding unsupported software and adopting good password practices. We have specific guidance to help Audit Committees think about these sorts of issues in our updated Cyber and Information Security Good Practice Guide.
So, if you are still thinking about your New Year’s resolutions, how about refreshing your cyber security practices? That may help you avoid becoming the next victim of a cyber-attack.
About the author
Tom McDonald is the Director responsible for the NAO’s work on cyber security. Tom has worked at the NAO since 2001 and has focused his career on the defence, overseas, health and national security sectors. He has degrees in modern languages, international relations and management from Bristol University and Ashridge Business School.
Posted on January 7, 2022 by Jemma Dunne
Ambulances need to travel fast! Ambulance drivers must take risks that regular drivers do not. This includes running red lights and travelling at high speeds through busy roads. However, to avoid accidents, precautions are taken to manage risks. The driver is trained, there are flashing blue lights and loud sirens.
Delivering programmes at speed requires a similar assessment of risks. In our recent lessons learned report we show that some programmes have successfully delivered quickly but not all – just as not all vehicles can be driven like ambulances. Speed creates greater risks which will not be appropriate or sustainable for every programme or organisation.
Should the risks of speed be taken?
Programmes may need to be delivered at speed for various reasons, including in an emergency or where there is a fixed deadline. We recently reported on the Kickstart Scheme launched by the Department for Work and Pensions (DWP). In response to a significant forecast rise in youth unemployment given the COVID-19 pandemic, DWP wanted to set up support quickly. It launched Kickstart on 2 September 2020, after only around six weeks of work, in time for the expected end of furlough in October 2020. We have also seen programmes delivered at speed as government simply wants to achieve outcomes sooner. A clear rationale for speed can make it easier to get wider support and justify taking risks. Other drivers understand an ambulance’s need for speed and often make way.
Decision-makers need to understand ‘why speed’ to assess if the risks of speed are necessary and justifiable. Risks can include cost increases, not achieving outcomes, or people being diverted into a programme at the expense of other work. Our recent report on bounce back loans highlights the impact when risks are not managed – the Scheme facilitated faster lending by removing credit and affordability checks and allowing businesses to self-certify their application documents. Prioritising speed contributed to high levels of estimated fraud.
Monitoring and managing risks in practice
Where decision-makers choose to take the risks of delivering a programme quickly, they must proactively monitor and manage these increased and different risks. In November 2021, we shared insights from our lessons learned report with the Ministry of Justice team responsible for the Probation Reform Programme and the creation of the unified Probation Service to understand how this resonated with their practical experience. In June 2021, the Lord Chancellor had written to Parliament confirming probation services had been unified.
The team told us that they consciously chose to deliver at speed and identified a clear narrative for the reforms being at pace. As such, everyone was clear on the reasons for the reforms. The team also made clear that there was zero contingency beyond the expected delivery date. Alongside setting a minimum expectation of the requirements needed for Day 1, this helped force the pace and prioritisation of effort.
The programme team also highlighted the importance of strong leadership, with a culture of accountability and responsibility, to deal with any uncertainties or issues. In particular, they spoke of a culture which encouraged people to raise any problems they’d encountered, rather than hide them or focus on the ‘good news’.
Additionally, the programme team said they had built a strong internal assurance team, made up of former senior operations staff, to carry out site visits and desktop reviews to ensure the programme was on track.
Alongside this, the programme team outlined the advantages of a flexible programme structure. The team recognised that it was difficult to plan everything up front, and instead ensured they had the required processes and information needed to respond quickly. This was done through regional teams, with a dedicated senior manager, tasked with identifying risks as soon as possible. This meant that the central programme team could deal with ‘unknown unknowns’ effectively when they arose.
Many of the points raised by the Probation Reform Programme team align with our insights. In particular:
- Including speed as a specific programme objective to provide a clear framework for decision-making and help make trade-offs between speed, cost and outcomes.
- Building teams with the right leadership, skills and experience to make clear, timely and reliable decisions.
- Tailoring processes to add value and momentum to programme decision-making.
- Recognising the uncertainties of delivering at speed and managing these.
As speed remains important for ambulances, so it will for some programmes, particularly with commitments to achieving ‘net zero’ greenhouse gas emissions by the fixed deadline of 2050. Our report helps those deciding whether to deliver at speed ask questions to determine when or how this should be done and then continually test whether a programme will achieve its outcomes.
- Lessons learned: Delivering programmes at speed
- Employment support: The Kickstart Scheme
- The Bounce Back Loan Scheme: an update
About the authors
Josh Perks is a qualified accountant with experience of working on the NAO’s transport team. His work has included audits of the main government transport bodies and value-for-money studies of major rail programmes. Recently, he has taken an active role in the NAO’s Major Projects Delivery Hub.
Jemma Dunne is an Audit Manager and has delivered value for money reports across areas such as health and defence, including those on government programmes. She is a qualified chartered accountant (FCA) and holds the APM Project Management Qualification (PMQ).