Jos Creese, Past President of BCS and a leading authority on cyber planning, explains why more funds need to be allocated to protect the UK’s digital infrastructure - as increasingly complex systems could make essential services vulnerable to cyber-attack.

Today, cyber risk management is a boardroom topic; nowhere more critical than for public bodies holding considerable amounts of personal data, and where many services are critical to people’s lives. Data breaches and systems compromised by human error or malicious cyber-attacks, can have devastating consequences, far beyond just a pure financial impact.

Public services today depend on digital delivery that spans most critical functions, serving whole communities. The task of protecting systems, digital infrastructure and data in general (e.g. GDPR compliance) is growing in scale and complexity, especially with demands for increased data sharing to support integrated services, such as health, social care and crime prevention.

We all benefit from new digital tools and methods that make our public services more joined-up, accessible and efficient: the downside is that cyber threats cannot be ignored. Public service leaders need to find new ways of assessing and managing risk as part of wider corporate risk control.

Technology innovation is also driving up the priority of ‘cyber’ in areas such as automation and self-service, transactions linked to AI engines, use of IoT sensors, cloud-based models, and complex IT processing supply chains. The task of cyber protection is a significant challenge, requiring sophisticated business and technology understanding and response.

Civic risk, not just corporate risk

If that is not enough of a challenge for public service organisations, there is another dimension: safeguarding community infrastructure. When Wannacry struck in 2017, it demonstrated the rapid community-wide impact that a major cyber incident can have across multiple services, agencies and communities in an area.

A power failure used to be inconvenient to the public, but today, with the dependence on digital communications and services, it is potentially catastrophic. The same is true for any corruption or loss of data held in business critical, public-facing systems. This combination of vulnerability and consequent civic impact makes public services a growing target for criminals, since major disruption creates opportunity for secondary crime, as well as publicity for extremist causes.

Cyber resilience planning, therefore, has to form part of wider emergency planning and business continuity arrangements for public bodies, such as local councils. It must go beyond perimeter IT defences and data protection. That means, for example, that emergency planning teams must be equipped to respond to cyber risks, alongside their traditional focus on flood, fire, health incident, terrorism, or disruption to food and water supplies.

It can’t be left to IT

Typically, it falls to the head of IT or CIO to ensure the necessary cyber protection and resilience in an organisation - after all, that is what IT security is all about. IT teams certainly have a critical part to play in areas such as systems access control, ID and password management, virus protection, penetration testing, phishing and other threat detection, data handling and encryption. But cyber is bigger than this, and the task cannot be left to IT alone.

Consider an analogy: whilst IT may design and build the car, fit it with airbags and service the brakes, it is the driver who is responsible for avoiding accidents. The same is true for cyber protection - the responsibility must lie with everyone, from front-line staff to the main board of directors, alongside IT.

This does not mean everyone has to become a cyber expert. However, it does mean senior managers must be competent in understanding and prioritising cyber risk management, and that those with responsibility for corporate risks, business continuity and emergency planning are working hand-in-hand with their IT colleagues.

Everyone must keep a vigilant eye on cyber risks. For our public bodies, this includes public accountability for cyber prioritisation and protection - both political and executive.

Effective cyber planning

Cyber planning starts with being able to balance technology benefits against the inherent risks.

A digitally mature, public service organisation will have defined its digital ambitions carefully, aligned with risk appetite. If cyber is defined too narrowly in that context, or left to IT to deal with, the wider impacts, both positive and negative, may be missed. This requires effective training, support and awareness outside the IT domain – for staff, service leaders, the CEO, executive leaders, emergency planners, the SIRO (senior information risk owner), data protection officers, Caldicott Guardians (in health and social care), suppliers and politicians.

Tools such as Cyber Essentials and BCS’ new Cyber Security Technician Apprenticeship can assist in widening awareness and skills, stimulating cultural change. As digital models become the norm, the public sector also has a responsibility to set a lead in digital standards and practice. This includes helping to ensure public awareness and competency - which is also central to BCS’ purpose and ambition.

By integrating cyber planning into broader public service planning, wider issues can be addressed:

  • Emergency planning for civic resilience: ensuring that cyber risks that could affect whole communities are treated in a similar way to traditional threats.
  • Safeguarding democracy: ensuring that technology is not used to compromise or to bias democratic processes, public consultation, or decision-making.
  • Equality of opportunity: ensuring that public service systems are not compromised by prejudice that benefits only particular communities or interests.
  • Reputational damage: protecting a service (or a local area) from adverse social media campaigns, hacking or cyber-attacks designed to undermine reputation or public confidence.
  • Business continuity: aligning service resilience planning with IT disaster recovery, ensuring security of the whole service supply chain from cyber risks.
  • Secondary cyber risks: the impact of a non-cyber incident can create a heightened level of cyber risk, perhaps as a secondary target created by the initial incident.
  • Information protection: in its widest sense - paper and electronic - ensuring data quality, ethical use and secure sharing.
  • Transformational risk: changes in processes, culture, governance and services models that may carry inherent cyber risks.

Monitoring and testing

Cyber protection needs constant monitoring and testing, ‘for real’ in simulated exercises, including the supply chains of partners and private companies that form part of public service delivery. Today’s public service leaders need to be assured that cyber practice is effective and that IT leaders understand their cyber responsibilities, while not assuming the totality of ownership of cyber risks.

IT leaders must review cyber technical capacity and capability in their own teams, working with service managers, suppliers and external support networks, such as the BCS, the National Cyber Security Centre (NCSC), the Local Government Association (LGA), Socitm and local Warning, Advice and Reporting Points (WARPs).

Across the UK, public bodies are increasing their activity to support the sector in cyber risk readiness. For example, in England, the Local Government Cyber Stakeholder Group  provides strategic coordination, while the Cyber Technical Advisory Group provides a sounding board for NCSC on the practical issues facing local government and its partners in addressing cyber risks.

Recent cyber research, such as that undertaken by Socitm and the LGA, shows the scale of the cyber challenge facing local public services in keeping pace with a changing landscape of cyber threats. We all need to support our public bodies, as they prioritise and fund cyber protection, treating the constructive management of cyber risks as an enabler of transformation, rather than struggling to control it as an IT risk in isolation.