Part one: The challenge
Governance and trust are simple words with significant implications in the real and digital world. If governance and trust are not established, the consequences can be dire. Here’s an example of such consequences: Highland Council left nearly 600 ex-employee accounts provisioned and operational, resulting in a salary overpayment of almost £800,000. An oversight, probably by overworked admin staff, led to this situation. This is not a one-off. Similar cases involve Leeds and Renfrewshire Councils overpaying employees who leave or change circumstances. If security works correctly, an ex-employee equals an ex-account. Verifiable trust in employee ID is the key to building a new perimeter, but the devil is in the details. Government employees need trust to authorise tasks, but ensuring the right level of trust and governing that trust as situations evolve is where things become challenging.
SailPoint understands this balance all too well. This two-part series will explore the challenges and solutions in balancing identity security for local and central government.
The size of the challenge in governing identity security
Writing on a page that you need to enable verified trust as a security perimeter is easy. But the fluid nature of government employment makes this complex. For example, the civil service has an astonishing churn and burn rate. Data from Whitehall Monitor 2024 shows that almost 12 percent of civil servants either changed departments or left the government workforce in 2022-2023. Added to this is a growing workforce. In September 2023, there were almost half a million (496,150) civil servants, an increase of 29 percent since 2016. The fluid movement of joiners, movers, and leavers puts enormous strain on IT teams and any underlying legacy identity security.[MC4]
The Joiner, Mover, Leaver problem
A fluid and growing workforce translates to challenges in people and access governance. Two of the most pressing of these challenges are:
Productivity issues – onboarding and provisioning
A short story exemplifies this challenge: A new senior council employee was promised hybrid work options and access to innovative collaboration tools. Usually, the new starter onboarding process takes four weeks. However, the council had a significant staff churn rate. Consequently, best practices and fast onboarding were circumvented; the council was forced to copy similar grade profiles, rather than grant access on a tailored per-user basis. Unfortunately, for this new starter, access to shared systems was not extended to project stream access – vital to performing their job. The new access request would take a further ten days to authorise. The result was that this essential staff member’s productivity was delayed, and any expectations of innovative collaboration were quashed.
But more than just productivity, poorly provisioned authorised access and identity security leads to financial costs. Take our senior council employee. This senior staff member was a strategic director with an annual salary of over £170,000. The lost productivity costs over the ten days wait time for this employee alone, is equivalent to over £7,000. If delays on identity and access provisioning occurred for every new employee, or those moving positions, the costs would soon add up.
Median salary = £31,920
There were 56,760 entrants to the Civil Service in 2022/23
If we work out costs from a ten day delay across the civil service, this equates to:
Ten days salary @median
If you liked this content…
Cybersecurity start-up investment defies COVID-19 downturn
Study: Brexit won’t work unless we have, er… migrants
NHS pursues net zero goal with digital tracker for employees
The Future of Identity: Balancing Inclusivity, Security, and Privacy
Think Digital Identity and Cybersecurity for Government conference moves to June 11th
£122.7692 (per day) * 10 = £1,227.69
Costs for new entrants to civil service in 2022/2023
Potential costs for lost productivity
(£1,277.69 * 56,760) = £72,521,684
Poor implementation of authorised access has a knock-on effect, even impacting citizens. Poorly governed access to essential data causes delays and bottlenecks in citizen-staff interactions, leading to increased enquiry costs and dissatisfied citizens.
Security issues: offboarding and de-provisioning
Onboarding delays and productivity are challenging, but security is another significant burden. The government is a target for cyber attackers. A 2023 Blackberry report shows that cyberattacks on government agencies are up by 40 percent. The attack type speaks volumes to modern cyber threats’ human-centric nature. Over half of all cyberattacks targeting local and central government agencies involve account compromise. Poorly provisioned accounts leave security gaps that cybercriminals leverage.
Unauthorised access puts everyone at risk, including citizens. A cyberattack on the UK Electoral Commission exposed the data of over 40 million voters. The hackers remained undetected in the network for over a year, exploiting unauthorised access to the network servers.
Making transformation happen
Verifiable trust drives security in an ecosystem of people, apps, and data. In government, this ecosystem is at any point in time, in flux. Ensuring the access and authorisation of a fluid workforce is a challenge. However, the consequences of getting this challenge wrong are dire.
The solution is for identity to form the new perimeter, but the implementation of this elastic perimeter is critical. The next generation of identity security revolves around unification. Solutions that provide identity security must be integrated, comprehensive solutions that unify people, devices, and data. As SailPoint’s CEO, Mark McClain, explains, a unified approach to identity security should be “One that is simple to use and operate, yet robust enough for the complexities of the enterprise.”
In part two of this mini-series, SailPoint will explore this next-generation of identity security solutions and how they resolve Government workforce challenges.
