Half of Government Security Incidents Caused by Missing Patches
Cybersecurity is both a driver and a major barrier to public sector IT modernization, according to new research from BAE Systems Applied Intelligence.
The cyber consultancy polled 250 managers with IT responsibility in UK central governmental organizations, to better understand the interplay between security and digital transformation.
The research revealed that most (60%) UK government departments have digital transformation plans in place and that these have been accelerated in the majority of cases by the pandemic.
Mitigating the risk of vulnerabilities was cited by three-quarters (75%) of respondents as the main reason for driving these legacy upgrades.
This push is being borne out of current experience. Nearly two-thirds (63%) of respondents said they suffered a security incident in the past six months and over half of these (52%) came as a result of missing patches.
The mass exploitation of unpatched Microsoft Exchange Server bugs earlier this year is proof of the potentially disruptive impact of such threats.
Yet security was also cited by 68% of respondents as a barrier to upgrades, second only to integration issues (69%).
According to the report, greater collaboration between IT and security and a recognition of the urgent need for security enhancements in certain areas can give projects a push.
“If anything, the rapid response to the pandemic has proven that red tape can be circumvented and fast-track processes invoked if the need is urgent enough,” it noted.
BAE Systems consultant for central government, Lorna Rea, argued that too often the security function is still the “department of no,” working in isolation from the rest of IT.
To modernize without increasing cyber-risk, public sector organizations must view those risks in terms of business impact, she told Infosecurity.
“For example, in the healthcare sector, the threat of a ransomware attack feels a lot more real if it is described as something that could shut your entire hospital down,” Rea added. “Security teams must be must fully embedded as part of the change process — operational risks can be taken if they are fully understood and mitigations worked through.”
Top of the priority list for IT decision makers in central government is simplifying their security architecture (45%) and reviewing current risk management strategies to ensure they have the right balance between security and productivity (45%), the report concluded.