Government is hit by 9,000 security breaches a year - but reporting them remains chaotic

UK central government departments suffered 8,995 data breaches in just one year, but the infrastructure isn't in place to properly report them.

Whitehall doesn't have a coherent approach to its own cybersecurity, warns the NAO

UK government departments suffered almost 9,000 data breaches in a single year, but they don't have a coherent enough cybersecurity procedure in place to record or manage such incidents, the National Audit Office (NAO) has warned in a newly published report filled with stinging criticism of government cybersecurity policy.

The Protecting Information Across Government report examines the effectiveness of the government's strategic approach to protecting information across central government departments -- and it doesn't make pleasant reading for anyone in Whitehall.

The report notes that the Cabinet Office "has not yet established a clear role for itself in coordinating and leading departments' efforts to protect their information".

If the government department responsible for cybersecurity hasn't got a grip on it, it's hard to believe any other in Whitehall is performing the role effectively.

In total, 8,995 data breaches were recorded by the 17 largest government departments in 2014-2015, but the infrastructure to report them properly is not in place. "Reporting personal data breaches is chaotic, with different mechanisms making departmental comparisons meaningless," says the report, a problem compounded by the fact that departments collected only "limited information" on their overall security costs, performance, and risks.

The problem is made worse because increasing dependencies between government and the private sector mean "traditional security boundaries have become blurred" and overlapping responsibilities have confused departments about where to go for advice on security policy. There are 12 separate teams or organisations in central government that have a role in protecting information and it seems many government staff don't know which they're supposed to report to.

While the National Audit Office notes that the new National Cyber Security Centre will go some way to bringing all of the government cybersecurity expertise into one place, a new approach and wider reforms will be "necessary to further enhance the protection of information".

"Protecting information while re-designing public services and introducing the technology necessary to support them is an increasingly complex challenge. To achieve this, the Cabinet Office, departments and the wider public sector need a new approach, in which the centre of government provides clear principles and guidance and departments increase their capacity to make informed decisions about the risks involved," says Amyas Morse, head of the National Audit Office.

Perhaps unsurprisingly, there are those in the cybersecurity sector who've condemned the government's 'shocking' approach to information security.

"The fact government departments have suffered almost 9,000 data breaches in a single year really highlights the lack of proper security procedures in place. The government needs to acknowledge that its attitude to cyber security is fundamentally flawed," says John Madelin, CEO at RelianceACSN.

"The only way to shore up defences is by getting the basics right, from implementing the correct procedures to managing critical assets through a proactive and integrated approach. Until they've got the basics right we'll continue to see breaches happening on a daily basis," he adds.

According to Fred Svedman, public sector lead at Unisys, the best way to fix the problem is simply with one designated breach reporting system which works across Whitehall.

"The Cabinet Office needs to mandate that all employees involved in public sector data security have a unified breach reporting process to ensure organisations are responding and communicating security incidents in a holistic way. This will speed up reaction times, improve the government's ability to combat cybercrime and improve transparency for stakeholders," he says.

"This is really the starting point for the government's journey, and medium to long term planning must be focused around implementing effective training methods for employees and the development of a unified industry standard across governmental departments, in relation to security protocols and procedures."