NAO report slates the Cabinet Office's cyber security efforts

Poor communications, no consistent central governance and little assessment of performance, watchdog finds

The UK government's approach to IT security has been roundly criticised by spending watchdog the National Audit Office (NAO).

In a report entitled Protecting Information Across Government the NAO paints a picture of a fragmentary approach to IT security across government bodies.

"None of the departments we interviewed understood the specific roles of the various bodies involved, making it difficult to identify any single arbiter of standards or guidance," the report notes, adding that there are "too many bodies with overlapping responsibilities operate in the centre of government, confusing departments about where to go for advice."

The situation has been made worse by the increasing encroachment of central government diktat on departments and institutions that traditionally looked after their own security, with the blurring of boundaries causing confusion over where the responsibility for security lies.

There is also a general lack of sharing of information between departments and the Cabinet Office fails to collect and analyse data on the government's performance in protecting information, the NAO says, meaning that it has "little visibility of information risks in departments and has limited oversight of the progress departments are making to better protect their information."

Worse still: "The Cabinet Office does not provide a single set of governance standards for departments to follow, and does not collate or act upon identified weaknesses."

While it notes that measures are being taken to improve the situation, for example by the creation of the National Cyber Security Centre (NCSC), which will pull together much of the government's cyber security expertise, it says that wider reforms are necessary.

"The Cabinet Office is taking action to improve its support for departments, but needs to set out how this will be delivered in practice," the report concludes.

"To reach a point where it is clearly and effectively coordinating activity across government, the Cabinet Office must further streamline the roles and responsibilities of the organisations involved, deliver its own centrally managed projects cost-effectively and clearly communicate how its various policy, principles and guidance documents can be of most use to departments."

Responding to the findings of the NOA report, a Cabinet Office Spokesperson told the BBC: "The Cabinet Office conducted its own review of government security in early 2016 and many of our findings are consistent with the NAO report. So we are already well under way in strengthening oversight of information security by bringing together nine separate central teams into just two."

The spokesperson added: "We have also appointed the government's first ever Chief Security Officer to bring together all disciplines of government security under central leadership."

"The Cabinet Office needs to mandate that all employees involved in public sector data security have a unified breach reporting process to ensure organisations are responding and communicating security incidents in a holistic way," said Fred Svedman, public sector lead at Unisys.

"Medium to long term planning must be focused around implementing effective training methods for employees and the development of a unified industry standard across governmental departments, in relation to security protocols and procedures."

In the short term a technical solution might be more manageable, according to Stuart Facey, international vice president at access management solutions provider Bomgar.

"Integrate technology solutions that can offer an audit trail of where each user of the network has been and what they have done. This will allow the Cabinet Office to pinpoint where the vulnerabilities may be and how they occurred," Facey said.

In a previous report in 2014 the NAO noted that the government was struggling to demonstrate a clear link between the large number of individual projects being delivered as part of the National Cyber Security Programme. It would appear that not much has changed since then.