A new survey points to weaknesses in the UK public sector’s cyber defences, with 64 percent of IT leaders saying they don’t have a concrete view of what best practice looks because there are too many governing bodies and procedures to follow.
The research from Trend Micro surveyed 250 IT public sector leaders with cybersecurity responsibilities. It found that 31 percent admit their cyber defences are weakened by unclear internal policies, while 24 percent say they’re concerned this lack of best practice could directly lead to a cyber incident or data breach.
Despite several cyber initiatives existing in the UK, they fall short of the expectations and needs of IT leaders, according to respondents. Two-thirds (68 percent) warn that current Government policies still don’t go far enough in setting minimum security standards for delivering public services or their suppliers. Half also call out that the G-Cloud Framework “isn’t fit for purpose” in helping them choose vendors with robust cyber credentials.
The CAF: A promising initiative, only if the Board prioritises cyber
IT leaders are optimistic about the emergence of the new Cyber Assessment Framework in driving best practice and plugging some of the current weaknesses. An overwhelming 80 percent see it as a critical vehicle for ensuring resilience, such as by benchmarking cyber risk and helping them work with the right partners.
However, although 38 percent are racing to meet these standards within the next two years, there are hurdles in the way that may make the journey harder. Half of IT leaders say they are too focused on managing immediate cyber threats to develop a comprehensive strategic cyber plan (49 percent), while 48 percent lack the funds to invest in essential security awareness and training procedures needed to build a cyber-resilient workforce.
Moreover, the survey suggests that cybersecurity still hasn’t earned its place at the top table. More than half (52 percent) of respondents report their boards still treat cybersecurity as a mere ‘tick-box exercise’ rather than a business-critical operational concern. In response, 39 percent of IT decision-makers are calling for cybersecurity to be recognised as a business-critical risk with corresponding funding allocation.
“Recent cyberattacks have exposed the vulnerability of our public services – from compromised streetlight systems in local councils to ransomware attacks on NHS suppliers resulting in stolen patient data and potential clinical harm to patients. The Synnovis ransomware attack, which led to thousands of cancelled and delayed blood tests, is a stark reminder that cyber incidents aren’t just about data, they have real-world, life-altering consequences,” said Jonathan Lee, UK cybersecurity director, Trend Micro.
“When 68 percent of UK IT leaders tell us Government policies fall short and over half report cybersecurity is treated as a tick-box exercise, we’re looking at a systemic problem that demands urgent attention.”
