NAO brands Whitehall’s cybersecurity approach ‘confusing and chaotic’

Cabinet Office lacks overall responsibility for IT security, says watchdog

The government's cybersecurity strategy is hamstrung by too many departments issuing conflicting policies and a lack of overall accountability, according to the National Audit Office (NAO).

The spending watchdog accused the Cabinet Office of failing to co-ordinate and lead departments' IT security efforts, and said it is undermined by a lack of data on departmental cybersecurity spending and performance.

At least 12 different Whitehall teams help protect data, and issue guidance to help others do so, the NAO said in its Protecting information across government report.

However, their varying policies make reporting data breaches "chaotic", and leave departments confused about whose advice to follow, according to the watchdog.

Advertisement - Article continues below

There were also 73 separate teams covering security in Whitehall departments, the NAO found, comprising 1,600 staff.

The report said that there was little cohesion between the management layer on top of these teams: "The governance arrangements above them are unclear and fragmented, with no formal links between the three most important information security decision-making bodies in the Cabinet Office."

With departments in charge of their own security policies, government "has little visibility of information risks in each department and has limited oversight of the progress departments are making to better protect their information", the NAO said.

By the Cabinet Office's count, the collective IT security spend of 34 departments is 300 million a year, but it acknowledged that actual costs could be "several times" higher, with departments failing to record this data.

Some departments, like the Ministry of Justice, also struggle to attract people with cybersecurity skills.

A total 8,995 data breaches were recorded by 17 government departments between 2014 and 2015, and while the NAO expects the forthcoming National Cyber Security Centre to provide a central point for some of the government's cyber skills, it called for wider reforms to streamline cybersecurity management.

"However, the scale and pace of the challenges of protecting information are such that these structural changes are unlikely to be sufficient on their own unless Cabinet Office also supports departments in addressing the wider problems set out in this report," the report read.

The NAO also criticised the government's Government Security Classifications (GSC) system, the Public Services Network (PSN) and Foxhound, saying their expected benefits have been slow to materialise.

The PSN in particular promised between 200 million and 400 million savings by 2014, but has delivered just 103.4 million of those, with no further savings expected. 

The watchdog called on the Cabinet Office to set out how it will improve cybersecurity support for departments, adding that it should streamline the roles and responsibilities of those involved in forming cybersecurity policies and guidance.

Advertisement - Article continues below

A Cabinet Office spokesman said: "The Cabinet Office conducted its own review of government security in early 2016 and many of our findings are consistent with the NAO report. So we are already well under way in strengthening oversight of information security by bringing together nine separate central teams into just two.

"We have also appointed the government's first ever Chief Security Officer to bring together all disciplines of government security under central leadership.

"The majority of the data breaches cited in this report will be very minor, but right across government we need and must do more. We will respond fully to this report in due course."

Featured Resources

Application security fallacies and realities

Web application attacks are the most common vulnerability, so what is the truth about application security?

Download now

Your first step researching Managed File Transfer

Advice and expertise on researching the right MFT solution for your business

Download now

The KPIs you should be measuring

How MSPs can measure performance and evaluate their relationships with clients

Download now

Life in the digital workspace

A guide to technology and the changing concept of workspace

Download now



Google confirms Android cameras can be hijacked to spy on you

20 Nov 2019
Policy & legislation

IT contractor wins £240k IR35 appeal against HMRC

5 Nov 2019

Most Popular

operating systems

17 Windows 10 problems - and how to fix them

4 Nov 2019
Domain Name System (DNS)

Microsoft embraces DNS over HTTPS to secure the web

19 Nov 2019
Business strategy

The pros and cons of net neutrality

4 Nov 2019
social media

Can Wikipedia founder's social network really challenge Facebook?

19 Nov 2019