Steps needed to deliver a robust public sector cyber security strategy

Legacy IT infrastructure risks opening the doors to more cyber crime. In spite of this, as of July 2020, Windows 10 had only been installed on 846,000 devices across the NHS, even though NHS Digital has clearly set out the dangers of unsupported licenses and requires Extended Security Updates to be specifically purchased to combat them. Additionally, all NHS organisations - apart from one that had already upgraded - signed up to receive free, centrally-funded Windows 10 licenses when Microsoft security support ran out for Windows 7 in January 2020.
These are among the findings of a new report from Westminster think tank, Reform, 'Resilient public services in an age of cyber threats'. The report is particularly pertinent at the moment as COVID-19 has accelerated the digitalisation of processes and working practices for most organisations, with more working from home, virtual meetings, video conferencing and virtual patient consultations. Whilst this rapid adoption of technology is generally seen as a positive, it does carry its own risks, prominent among which is increased vulnerability to cyber attack. 
A robust IT infrastructure - comprising the hardware, software, network, operating system and data storage needed for an IT environment to function - is essential to maintain the security of public services. This means organisations must invest in the upkeep of these systems.
The NHS has already experienced, first-hand, the consequences of legacy IT failing to stop a ransomware attack when WannaCry impacted around 80 of 237 Trusts, resulting in the cancellation of almost 20,000 hospital appointments and operations back in 2017. 
Legacy IT is not the only weak spot when it comes to cyber security across the public sector. People are also a problem. The leaders of organisations need to position cyber security as fundamental to service delivery and not just view it as an additional operational cost.  
Leaders also need to understand the importance of training staff in basic cyber hygiene procedures. There is, the report states, a cyber security skills gap at both basic user level and high level. It is a gap that is exacerbated by a global shortage of cyber security professionals across both public and private sectors.
Additional barriers include a fragmented approach to the issue, with individual organisations being responsible for their own technology; confusion over standards and guidance; and challenges in procurement, such as lack of budget and difficulties in assessing the cost-effectiveness of replacing legacy infrastructure.
The report concludes that the government needs to do more to address the skills gap across the public sector workforce. It also needs to introduce stricter enforcement methods to ensure legacy systems are maintained properly, and should consider what it can do to spread good technology, such as introducing clear manufacturing protocols and kite-marking cyber-secure products.
Read the full report here. 


