New research from cybersecurity specialist Trend Micro will provide worrying reading for the government and GCHQ’s National Cyber Security Centre (NCSC) – the UK’s cyber guardian.
Trend Micro surveyed 250 public sector IT leaders with cyber security responsibilities and found fundamental weaknesses in UK public sector cyber defences: 64 percent of IT leaders said they don’t have a concrete view of what best practice looks like, because there are too many governing bodies and procedures to follow.
It comes after the NCSC had in December warned that the cyber risk to the UK is “widely underestimated”, and its new head Richard Horne issued a rallying call for collective action against an increasingly complex array of online threats.

Cyber worries
Last September the NCSC and nine international allies had given details of cyber-attack campaigns by a unit of Russia’s military intelligence service (GRU) that was targeting organisations to collect information for espionage purposes.
Now the Trend Micro research has found confusion about best practices for public sector cyber defences, with 31 percent admitting their cyber defences are weakened by unclear internal policies.
Even more concerning, 24 percent of respondents to Trend Micro said they are concerned this lack of best practice could directly lead to a cyber incident or data breach.
This comes despite a number of cyber initiatives existing in the UK, which can apparently fall short of the expectations and needs of IT leaders.
Roughly two-thirds (68 percent) have warned that current Government policies still don’t go far enough in setting minimum security standards for delivering public services or for their suppliers.
Half of respondents also call out that the G-Cloud Framework “isn’t fit for purpose” in helping them choose vendors with robust cyber credentials.
The CAF: A promising initiative
The good news is that the Trend Micro research found that public sector IT leaders are optimistic about the emergence of the new Cyber Assessment Framework in driving best practice and plugging some of the current weaknesses.
Indeed, an overwhelming 80 percent see it as a critical vehicle for ensuring resilience, such as by benchmarking cyber risk and helping them work with the right partners.
The research found that 38 percent are racing to meet these standards within the next two years, but there are hurdles in the way that may make the journey harder.
Roughly half of IT leaders (49 percent) told Trend Micro they are too focused on managing immediate cyber threats to develop a comprehensive strategic cyber plan, while 48 percent lack the funds to invest in the security awareness and training procedures needed to build a cyber-resilient workforce.
Board recognition
Perhaps most troubling is the revelation that cybersecurity still hasn’t earned its place at the top table.
More than half (52 percent) of respondents report their boards still treat cybersecurity as a mere “tick-box exercise” rather than a business-critical operational concern.
In response, 39 percent of IT decision-makers are calling for cybersecurity to be recognised as a business-critical risk with corresponding funding allocation.
“Recent cyber-attacks have exposed the vulnerability of our public services – from compromised streetlight systems in local councils to ransomware attacks on NHS suppliers resulting in stolen patient data and potential clinical harm to patients,” noted Jonathan Lee, UK Cybersecurity Director at Trend Micro.
“The Synnovis ransomware attack, which led to thousands of cancelled and delayed blood tests, is a stark reminder that cyber incidents aren’t just about data, they have real-world, life-altering consequences,” said Lee. “When 68 percent of UK IT leaders tell us Government policies fall short and over half report cybersecurity is treated as a tick-box exercise, we’re looking at a systemic problem that demands urgent attention.”
Last year the former and founding head of the National Cyber Security Centre (NCSC), Ciaran Martin, had warned that the UK was not taking seriously enough a US notification that China is targeting key infrastructure.

Martin said at the time that disruption of civilian infrastructure should be a red line, and warned that Chinese hackers are following Russian examples and are pre-positioning themselves into critical infrastructure ahead of launching a possible attack.