Resilient public services in an age of cyber threats
Part of our 'Resilient State' programme, this report makes recommendations for future cyber security policy.
The UK has been a leading nation in this policy area. The National Cyber Security Strategies, and in particular the creation of the NCSC, have represented best practice for countries around the world. Yet more needs to be done to mitigate the increasing threat.
COVID-19 has accelerated the digitisation of public services in the UK, which, while positive, poses an increased cyber risk. It has also accelerated the use of remote working tools and multi-agency working, which potentially exposes the public sector to more vulnerabilities. Without sound infrastructure, investment in maintaining or updating that infrastructure, and a cyber-aware workforce, there is a threat of large-scale damage both to the UK public sector and wider society.
Ideas for reform:
- The National Cyber Security Centre should conduct an audit of existing Warning Advice Reporting Points, where public sector professionals can exchange information about cyber threats, to identify the best structures and practices that could be extended nationwide. This audit should include an assessment and subsequent provision of the necessary funding to finance these local-knowledge-sharing hubs.
- The National Cyber Security Centre should increase the capacity of its current cyber security training courses and mandate attendance for anyone working in the public sector who handles sensitive information.
- Government departments should, in conjunction with the National Cyber Security Centre, identify jobs that require a certain level of training in cyber security and change the job specification to reflect that. They should then prioritise opportunities for candidates who have those qualifications or create career pathways for those willing to complete that training. This would help narrow the skills gap.
- The National Cyber Security Strategy should explore the possibility of having a yearly random cyber security audit of local public sector organisations. These should be carried out by Government departments and statutory bodies in charge of cyber security policy. This will reveal adherence to standards at a local level, highlight reasons for non-compliance and improve knowledge of what works.
- The National Cyber Security Centre should work on a kitemark of cyber secure products to help with procurement of new technology.