Digital

    Taking on the challenge of public sector cyber security

  • Posted on March 8, 2022 by

    The government recently published its new Cyber Security Strategy, specifically aimed at building a cyber resilient public sector. Resilience is key in underpinning its vision to make the UK a cyber power in a world increasingly shaped by technologies that offer many benefits but also pose risks. The strategy reiterates that government remains an attractive target for a broad range of malicious actors, with 40% of incidents in 2020-21 affecting the public sector.

    The main benefits highlighted are the need to protect key UK assets and the uninterrupted continuation of vital services. The strategy also aims to enable the development of skills and capability in cyber awareness and risk management.   

    This has been a major theme in our work. We recently published our good practice guide on cyber and information security, aimed at Audit Committees, in which we set out the type of risk and capability management in relation to cyber security that we would expect to see in organisations.

    In order to harden government to cyber-attack and build the required resilience in the public sector by 2030, the Cyber Security strategy has two main pillars and five objectives:  

    Pillar 1 – Build organisational cyber resilience
    • Objective 1 – Manage cyber security risk
    • Objective 2 – Protect against cyber attack
    • Objective 3 – Detect cyber security events
    • Objective 4 – Minimise the impact of cyber security incidents

    Pillar 2 – ‘Defend as one’
    • Objective 5 – Develop the right cyber security skills, knowledge, and culture

    Each objective has a range of outcomes to be achieved in two stages, the first tranche by 2025, and the next by 2030. The government plans to invest £2.6 bn in cyber and legacy IT over the spending review 2021 period and will devise a number of key performance indicators to measure progress. 

    The strategy is ambitious and welcomed given the increasing threat environment the UK government is facing. In order to succeed, it will need to overcome a range of challenges that we have come across in our work on digital and cyber security. From our point of view, two of the key ones are: 

    • The public sector will need to overcome known legacy and data issues in a situation where IT assets are not always catalogued or risk assessed; and where data quality varies with expanding and interconnecting supplier systems that increase the likelihood of vulnerabilities. 
    • Cyber risk management with effective escalation and mitigation, in and across departments, will need to be established – whilst also aligning disparate central and arms-length bodies across government to focus on the right things, in the right way at the right time. 

    Our Cyber and information security: Good practice guide addresses these and a number of other challenges. It enables Audit Committees to ask the right questions of organisations to help them start aligning themselves to the new Cyber Security Strategy.  

    About the author

    Daniel Lambauer joined the NAO in 2009 as a performance measurement expert and helped to establish our local government value for money (performance audit) team. He is the Executive Director with responsibility for Strategy and Resources. As part of his portfolio, he oversees our international work at executive and Board level and has represented the NAO internationally at a range of international congresses. He is also the NAO’s Chief Information Officer and Senior Information Responsible Owner (SIRO). Before joining the NAO, Daniel worked in a range of sectors in several countries, including academia, management consultancy and the civil service.


    Cyber security: has the pandemic changed anything?

  • Posted on January 14, 2022 by

    The start of a new year brings the opportunity to look back and reflect on the challenges we faced in dealing with COVID-19 during the last year. One of the many impacts of the pandemic we did not foresee was moving many aspects of our social and economic life online to try and keep them going through lockdowns. This came with considerable advantages, keeping many businesses, social networks and relationships going. But it also came with a significant downside, as we all became more vulnerable to the risks associated with operating online. In addition to the major attacks like WannaCry and SolarWinds, which have affected organisations in the UK and overseas, it is now increasingly likely that each of us has either personally suffered from some kind of online crime or know someone else who has.

    In its latest Annual Report, government’s National Cyber Security Centre (NCSC) is clear about the nature of the risks we have faced during the pandemic, noting the startling finding that “From household goods to vaccine appointments, there have been few avenues criminals have not tried to exploit”. And the move to living more of our lives online has resulted in some shifts in criminal activity.

    The major trend identified by the NCSC is the growth in criminal groups using ransomware to extort organisations of all kinds. The NCSC describes ransomware as the most immediate cyber security threat to UK businesses: this obviously makes it a threat to the resilience and performance of the economy. But it is also a risk to both central and local government and the wide range of services which they support. So, whether we are taxpayers or service users, we should be concerned at this increased use of ransomware being added to the existing list of cyber threats.

    Unfortunately, the other threats on that list haven’t gone away. The March 2021 Microsoft Exchange Servers incident, in which a sophisticated attacker used zero-day vulnerabilities to compromise at least 30,000 separate organisations, highlighted the dangers posed by supply chain attacks. And there are plenty of examples in the news of other incidents, both malicious and accidental, which have put data, operations and organisational resilience at risk in both private and public sectors.

    In its new National Cyber Strategy, government has set out some of the things it wants to do to make the UK more resilient to cyber-attack. Like its predecessors, the Strategy is painted on a broad canvas, setting out high-level objectives: it says that the UK should strengthen its grasp of technologies that are critical to cyber security and that it should limit its reliance on individual suppliers or technologies which are developed under regimes that do not share its values. These objectives are aimed at the structural factors behind cyber security. And in the meantime, government is developing its Active Cyber Defence programme – which seeks to reduce the risk of high-volume cyber-attacks ever reaching UK citizens – and pressing ahead with other work on skills, resilience and partnerships across different industries and sectors.

    So, it seems clear that, despite the efforts of public and private sectors, the pandemic has exacerbated some of the threats we face online. But one thing that most experts agree on is that our best defence is getting the basics right. Many of the attacks which we have seen during the pandemic could have been avoided if individuals and organisations had followed recognised good practice. This includes actions like implementing formal information security regimes, avoiding unsupported software and adopting good password practices. We have specific guidance to help Audit Committees think about these sorts of issues in our updated Cyber and Information Security Good Practice Guide.

    So, if you are still thinking about your New Year’s resolutions, how about refreshing your cyber security practices? That may help you avoid becoming the next victim of a cyber-attack.

    About the author

    Tom McDonald is the Director responsible for the NAO’s work on cyber security. Tom has worked at the NAO since 2001 and has focused his career on the defence, overseas, health and national security sectors. He has degrees in modern languages, international relations and management from Bristol University and Ashridge Business School.

  • Six reasons why digital transformation is still a problem for government

  • Posted on August 4, 2021 by

    It’s revealing to look at the timeline of digital transformation initiatives over the last 25 years. Government’s ambition for ‘world class’ services using joined-up systems and data goes back to the mid 1990s, from where we can trace a steady stream of policies and initiatives right through to last autumn’s National Data Strategy. Most of these cover similar ground, which shows how hard genuine transformation is.

    Repeated cycles of vision for radical digital change have been accompanied by perhaps an overly simplistic view of the ease of implementation. Government is not a greenfield site where brand new systems can be created at will. New ways of doing business and services need to fit into a government landscape still dominated by legacy systems and data. As a result, well-intentioned initiatives have petered out, falling short of achieving their intended outcomes.

    It’s important not to see this report as just another commentary on project and programme management failures. In business transformation initiatives with significant digital elements, the intangible nature and use of novel technology introduces many more ‘unknown unknowns’. Contrast this with infrastructure projects, where people can visualise the end product within the laws of physics. This allows a clearer sense from the outset of what is realistically feasible.

    Digital leaders bring experience and understand the challenges well. But they often struggle to get the attention, understanding and support they need from other senior decision-makers. This is borne out by a recent government review into Organising for digital delivery which identified a significant challenge of low technical fluency across the civil service leadership generally. This contrasts with the commercial world where technology is increasingly seen as a critical delivery lever and senior leaders are expected to have a clear understanding of how to deploy it effectively.

    Six reasons why

    We wanted to shine a light on the systemic issues that need to be tackled before a programme even gets underway, using our past reports as illustrations. When implementing digital business change programmes, here are six things to get right at the outset.

    1. Understand your aims, ambition and risk by:
    • Avoiding unrealistic ambition with unknown levels of risk
    • Ensuring the business problem is fully understood before implementing a solution
    • Planning realistic timescales for delivery, which are appropriate to the scope and risk of the programme.
    2. Engage with commercial partners through:
    • Spending enough time and money exploring requirements with commercial partners at an early stage
    • Adopting a more flexible contracting process that recognises scope and requirements may change
    • Working towards a partnership model based on collaboration with commercial suppliers.
    3. Develop a better approach to legacy systems and data through:
    • Better planning for replacing legacy systems, and ensuring these plans are appropriately funded
    • Recognising that the move to the cloud will not solve all the challenges of legacy
    • Addressing data issues in a planned and incremental way, to reduce the need for costly manual exercises.
    4. Use the right mix of capacity by making sure you:
    • Are clear about what skills government wants to develop and retain, and what skills are more efficient to contract out
    • Better align political announcements, policy design and programme teams’ ability to deliver through closer working between policy, operational and technical colleagues.
    5. Consider the choice of delivery method by:
    • Recognising that agile methods are not appropriate for all programmes and teams
    • When using agile methods, ensuring strong governance, effective coordination of activities and robust progress reporting are in place.
    6. Develop effective funding mechanisms by:
    • Ensuring that requirements for both capital and resource funding are understood and can be provided for.
    • Seeing technology as part of a service that involves people, processes and systems in order to better consider the economic case for investment.

    We recognise that addressing the challenges around digital business change programmes is difficult but using these six lessons will support practical improvements. If you want to find out more, our report The challenges in implementing digital change looks into why large scale government programmes repeatedly run into difficulties.


    About the author: 

    Yvonne Gallagher

    Yvonne is our digital transformation expert, focused on assessing the value for money of the implementation of digital change programmes. Yvonne has over 25 years’ experience in IT, business change, digital services and cyber and information assurance, including as CIO in two government departments and senior roles in private sector organisations, including the Prudential and Network Rail.


  • Better data means better services – so how can government get there?

  • Posted on April 29, 2021 by

    The shielding programme was a swift government wide response to identify and protect clinically extremely vulnerable (CEV) people against COVID-19.

    Our recent report on Protecting and supporting the clinically extremely vulnerable during lockdown, shows how government quickly recognised the need to provide food, medicines and basic care to those CEV people shielding. This had to be pulled together rapidly as there were no detailed contingency plans.

    But there was a problem. In order to do this, government was faced with the urgent task of identifying the people who needed support based on existing, disparate data sources.

    Difficulties in extracting and combining data

    The urgency of this exercise was recognised by all involved, but difficulties in extracting, matching and validating data from across many different systems meant that it took time for people to be identified as CEV.

    At the start of the pandemic, there was no mechanism to allow a fast ‘sweep’ across all patients to identify, in real time, those who fell within a defined clinical category.

    It was a major challenge to identify and communicate with 1.3 million people by extracting usable data from a myriad of different NHS and GP IT systems all holding data differently.

    This lack of joined-up data systems meant NHS Digital had to undertake the task of accessing and extracting GP patient data, stored in different ways in each practice and holding specific details about people’s medical conditions to merge with their own databases. It took a huge effort by the team to complete this task in three weeks.

    Data issues were not resolved by the time of the second lockdown

    Following the first iteration of shielding (March – August 2020), government had identified that systems were not capable of ‘speaking’ to each other across hospital, primary care, specialist and adult social care services, and sought to apply these lessons to the second lockdown towards the end of 2020. However, our report highlighted that resolving the data issues was not an area where significant progress had been, or could be, made.

    This reflects the wider issues of data across government

    These challenges are examples of broader issues that we have previously highlighted in our report on Challenges in using data across government. People often talk about better use of data as if this is a simple undertaking. But there are significant blockers and constraints that require sustained effort to overcome, which apply to all areas of government trying to use and share data other than for the single purpose it was originally created for.

    The basic issues are widely known and acknowledged:

    • Huge variability in the quality and format of data across government organisations
    • Lack of standardisation within departmental families and across organisational boundaries making it difficult for systems to interoperate
    • The extent of legacy IT systems across government further compounding the difficulties
    • Ownership and accountability aren’t easily agreed where a shared dataset of personal data is brought together and has equal value to different services.

    It’s unclear to us how calls to establish and enforce data standards are going to work in practice if existing systems can’t be modified to support them and there is no firm timetable, road map or funding commitment for replacing them.

    In our report Digital transformation in the NHS, we reported that 22% of trusts did not consider that their digital records were reliable, based on a self-assessment undertaken in 2017. The average replacement cycle for a patient records system is something in the region of once every 15 years so this change isn’t going to happen overnight.

    Our aim is to support government in tackling these issues, and not to be critical of past failings, because we recognise that it is hard. We set out a number of recommendations in our data report and they are summarised in our accompanying data blog.

    Some are aimed at the centre of government and others are steps that individual organisations can take. Our cross-government recommendations were primarily around accountabilities, governance, funding and developing rules and common ways of doing things.

    Our recommendations for individual organisations are:

    • Put in place governance for data, including improving the executive team’s understanding of the issues associated with the underlying data and the benefits of improving that data
    • Set out data requirements in business cases. This should include an assessment of the current state of the data, and the improvements or new data that are necessary. These assessments should have an explicit consideration of ethics and safe use
    • Implement guidance for front-line staff for handling data, including standardisation, data ethics and quality.

    Organisations that hold a cohesive view of their citizen/patient data must address this issue in a managed and incremental way, rather than having to resort to one-off costly exercises which have to be repeated when the next need arises. This will require sustained effort and perseverance.

    Unfortunately, there are no easy shortcuts, but with a will to put in the necessary effort progress can be made one step at a time.


    Yvonne Gallagher

    Yvonne is our digital transformation expert, focused on assessing the value for money of the implementation of digital change programmes. Yvonne has over 25 years’ experience in IT, business change, digital services and cyber and information assurance, including as CIO in two government departments and senior roles in private sector organisations, including the Prudential and Network Rail.


  • Utilising technology when working from home

  • Posted on April 16, 2020 by


    COVID-19 is affecting us all. The way we live, work and socialise has changed dramatically. The National Audit Office is no different, our staff are working from home and we will also have an important role to play in reporting on the government’s response to COVID-19. You can find more information on our emerging plans here. In the meantime, we’re resharing some of our knowledge on how organisations can make a success of working remotely at this time.

    Technology is a great enabler for working from home, but there are pitfalls to avoid. In September 2017, we issued a guide to cyber security for audit committees and now is an appropriate time to revisit some of the key points.

    The National Cyber Security Centre (NCSC) and the Crown Commercial Service (CCS) have also recently produced guidance on how people can buy and use the appropriate tools to work from home safely.

    Policies and procedures

    The most important point to note is that your organisation’s information security policies and procedures still apply – they exist for good reason. Security shouldn’t be sacrificed, even during difficult and uncertain times.

    If your organisation doesn’t have a homeworking policy, now could be an opportunity to think about what it might look like. But don’t be forced into a knee-jerk reaction because of the current situation; take the time to get the approach right and build it into your longer-term business continuity arrangements.

    Using personally owned IT

    If your organisation routinely provides laptops to staff which are securely configured and set up for remote access, then you’re in a good place. If not, Bring Your Own Device (BYOD) is a possibility, but inevitably this approach brings risks that need to be considered. The main risks are around unauthorised access and data loss.

    A popular BYOD approach for smartphones and tablets running Android or iOS is the ‘managed container application’. This means all corporate data is accessed via one or more designated apps (for example, Microsoft Office). This allows strong controls to protect and isolate corporate data from the user’s personal apps and prevents copying and pasting of data across the container boundary.

    Use of personal PCs is a more difficult area. Technology such as remote desktops minimises the risk of data loss as the apps and data stay on the remote server. Most IT departments will be familiar with remote desktops, and the main barrier to their more widespread use is having the necessary infrastructure to support the volume of users required.

    Allowing users to access work data through a web browser over an internet connection from their own PC might seem an attractive option, particularly with more services becoming available in the ‘cloud’. However, NCSC are clear that this is a risky approach.

    They advise that it’s difficult to gain confidence in the security or configuration of the PC, and there are limited technical controls you can enforce to reliably prevent data loss or access from insecure or out-of-date devices. And, from a legal perspective, responsibility for protecting data and complying with GDPR and the Data Protection Act 2018 rests with the data controller, not the device owner. You may also have commercial arrangements that restrict running of business software on or accessing business data from personally owned devices.

    Collaborative working

    There are many established software tools for videoconferencing and collaborative working. Common apps include Microsoft Teams, Skype for Business, Google Hangouts, Cisco WebEx, GoToMeeting and Zoom. Do bear in mind that these should be securely configured, their privacy policies and settings reviewed, and used appropriately in relation to the sensitivity of the meeting content being discussed.

    Where you are meeting with a third party, it would be wise to set agreed expectations around call recording and screen sharing and request explicit permission before capturing any information discussed during the meeting, for example screenshots.

    Home environment

    There are also considerations relating to the home working environment itself. Devices outside an office environment are more vulnerable to theft or loss. This can be mitigated by physical security measures and by encryption – but do check that each device is turned on and set up correctly.

    Also consider your policy around printing from home and whether it’s necessary. Information in physical form needs to be protected in the same way as information in electronic form. Forwarding information from work to personal email accounts for printing is a big confidentiality risk, so where there is a legitimate need to print, you will need to make suitable arrangements.

    In shared accommodation, you should also be aware of who might be able to overlook your screen or overhear your teleconferences. There are reports that some organisations are advising people to turn off smart speakers and voice assistants during working hours when sensitive matters are being discussed.

    Preventing unauthorised access to devices is another obvious but essential consideration – NCSC has recently issued guidance on good password policy, including practical suggestions for reducing password overload for end users.

    Phishing scams

    Be aware of phishing scams, whether by email or text message. This advice applies generally, and some security companies have reported seeing a large increase in phishing attacks as a result of the current pandemic. NCSC has good advice on spotting suspicious emails.

    It’s important to promote and maintain a strong security-minded culture, even when your people are trying to collaborate and work flexibly.

    Obtaining IT equipment and services

    The Crown Commercial Service (CCS) has published information on a number of agreements that can enable the public sector and related organisations to quickly and easily procure technology products and services to allow employees to work more flexibly.

    CCS also note that a number of providers of collaboration software are offering introductory or extended trials of their products. These include Microsoft (Office365), Google (G Suite, Hangouts Meet) and Cisco (WebEx, Duo, Umbrella, AnyConnect).

    And finally

    The current situation is putting unprecedented pressure on individuals and organisations alike but try not to lose sight of the security basics. If you’re struggling to get a fully-fledged remote working strategy in place I’d recommend focusing on the fundamentals. Find the right approach for your organisation and gradually build it into your longer-term business continuity arrangements.

    We’re all having to adapt to these new ways of working, but don’t worry there’s plenty of support out there to help you protect your corporate and customer data.


  • Right data, right place, right time

  • Posted on July 16, 2019 by


    Have you ever had the frustration of having to provide the same information about yourself to different government services? Have you ever had to make decisions without information about what does and doesn’t work? Data is fundamental to delivering public services, improving systems and processes, and supporting sound decisions – but accessing accurate data is far from easy. Drawing from our recent report, Challenges in using data across government, I highlight here some of the difficulties, their implications and ways they can be addressed.


  • Cloud services: asking the right questions

  • Posted on June 27, 2019 by


    ‘Cloud services’ can bring cost and performance benefits. But they can also bring new challenges and risks. To help leaders oversee decision-making and implementation of cloud services, we recently published ‘Guidance for audit committees on cloud services’. The magazine, Public Sector Executive, invited us to outline the issues in the article The National Audit Office’s guide to cloud services and has kindly allowed us to reproduce it on this Blog.

