NAO brands Whitehall’s cybersecurity approach ‘confusing and chaotic’

Cabinet Office lacks overall responsibility for IT security, says watchdog

The government's cybersecurity strategy is hamstrung by too many departments issuing conflicting policies and a lack of overall accountability, according to the National Audit Office (NAO).

The spending watchdog accused the Cabinet Office of failing to co-ordinate and lead departments' IT security efforts, and said it is undermined by a lack of data on departmental cybersecurity spending and performance.

At least 12 different Whitehall teams help protect data, and issue guidance to help others do so, the NAO said in its Protecting information across government report.

However, their varying policies make reporting data breaches "chaotic", and leave departments confused about whose advice to follow, according to the watchdog.


There were also 73 separate teams covering security in Whitehall departments, the NAO found, comprising 1,600 staff.

The report said that there was little cohesion between the management layer on top of these teams: "The governance arrangements above them are unclear and fragmented, with no formal links between the three most important information security decision-making bodies in the Cabinet Office."

With departments in charge of their own security policies, government "has little visibility of information risks in each department and has limited oversight of the progress departments are making to better protect their information", the NAO said.

By the Cabinet Office's count, the collective IT security spend of 34 departments is £300 million a year, but it acknowledged that actual costs could be "several times" higher, with departments failing to record this data.

Some departments, like the Ministry of Justice, also struggle to attract people with cybersecurity skills.

A total of 8,995 data breaches were recorded by 17 government departments between 2014 and 2015, and while the NAO expects the forthcoming National Cyber Security Centre to provide a central point for some of the government's cyber skills, it called for wider reforms to streamline cybersecurity management.


"However, the scale and pace of the challenges of protecting information are such that these structural changes are unlikely to be sufficient on their own unless Cabinet Office also supports departments in addressing the wider problems set out in this report," the report read.

The NAO also criticised the government's Government Security Classifications (GSC) system, the Public Services Network (PSN) and Foxhound, saying their expected benefits have been slow to materialise.

The PSN in particular promised between £200 million and £400 million of savings by 2014, but has delivered just £103.4 million of those, with no further savings expected.

The watchdog called on the Cabinet Office to set out how it will improve cybersecurity support for departments, adding that it should streamline the roles and responsibilities of those involved in forming cybersecurity policies and guidance.


A Cabinet Office spokesman said: "The Cabinet Office conducted its own review of government security in early 2016 and many of our findings are consistent with the NAO report. So we are already well under way in strengthening oversight of information security by bringing together nine separate central teams into just two.

"We have also appointed the government's first ever Chief Security Officer to bring together all disciplines of government security under central leadership.


"The majority of the data breaches cited in this report will be very minor, but right across government we need and must do more. We will respond fully to this report in due course."
