Findings released by Trend Micro, a global cybersecurity leader, exposes fundamental weaknesses in UK public sector cyber defences as 64% of IT leaders say they don’t have a concrete view of what best practice looks because there are too many governing bodies and procedures to follow.
The research, which surveyed 250 IT public sector leaders with cyber security responsibilities, finds that consequently, 31% admit their cyber defences are weakened by unclear internal policies, while 24% say they’re concerned this lack of best practice could directly lead to a cyber incident or data breach.
Despite several cyber initiatives existing in the UK such as, they fall short of the expectations and needs of IT leaders. Two-thirds (68%) warn that current Government policies still don’t go far enough in setting minimum security standards for delivering public services or their suppliers. Half also call out that the G-Cloud Framework “isn’t fit for purpose” in helping them choose vendors with robust cyber credentials.
The CAF: A promising initiative, only if the Board prioritises cyber
IT leaders are optimistic about the emergence of the new Cyber Assessment Framework in driving best practice and plugging some of the current weaknesses. An overwhelming 80% see it as a critical vehicle for ensuring resilience, such as by benchmarking cyber risk and helping them work with the right partners.
However, although 38% are racing to meet these standards within the next two years, there are hurdles in the way that may make the journey harder. Half of IT leaders say they are too focused on managing immediate cyber threats to develop a comprehensive strategic cyber plan (49%), while 48% lack the funds to invest in essential security awareness and training procedures needed to build a cyber-resilient workforce.
Perhaps most troubling is the revelation that cybersecurity still hasn’t earned its place at the top table. More than half (52%) of respondents report their boards still treat cybersecurity as a mere "tick-box exercise" rather than a business-critical operational concern. In response, 39% of IT decision-makers are calling for cybersecurity to be recognised as a business-critical risk with corresponding funding allocation.
Jonathan Lee, UK Cybersecurity Director, Trend Micro comments: "Recent cyber-attacks have exposed the vulnerability of our public services – from compromised streetlight systems in local councils to ransomware attacks on NHS suppliers resulting in stolen patient data and potential clinical harm to patients. The Synnovis ransomware attack, which led to thousands of cancelled and delayed blood tests, is a stark reminder that cyber incidents aren’t just about data, they have real-world, life-altering consequences. When 68% of UK IT leaders tell us Government policies fall short and over half report cybersecurity is treated as a tick-box exercise, we're looking at a systemic problem that demands urgent attention."
