The many IT errors of the British government
Are UK politicians living proof that human error is the biggest weakness in cyber security?
“Fatima’s next job could be in cyber,” a crass advert suggested in October 2020. With COVID hitting the arts hard, the government of the day thought ballerinas could simply slip off their shoes, pull up a keyboard and solve the country’s digital skills shortage. Which goes some way to explain the government’s own aptitude for technology.
It’s a well-known fact within the cyber security industry that the biggest weakness in most systems is actually people. Human error is at the heart of many of the biggest breaches of today, be it poor password hygiene, sloppy systems management or ignoring necessary updates. Unfortunately, the British government is living proof of that.
Cyber best practices
Under Boris Johnson’s leadership the Conservative party has become something of a liability when it comes to digital services and security policies. From the controversial use of WhatsApp to conduct state business to full-on data breaches, MPs seem to know as little about ‘cyber’ as the fictional Fatima does.
We start with the basics; businesses and organisations should have guidelines that staff can refer to when using technology. You won’t be surprised to find out that much of this is common sense, such as not using ‘password’ as your password or restrictions for using personal email accounts for sensitive work matters.
On the subject of technology, Matt Hancock always seemed overzealous – perhaps trying too hard to give off the impression that he was well versed in matters of IT. But the former health secretary was widely reported as someone who ‘routinely’ used his own personal Gmail account to conduct government business. This was revealed via leaked minutes from Health Department meetings that state Hancock, and health minister Lord Bethell, didn’t even have specific inboxes for their own department.
“Hillary Clinton’s troubles back in 2016 over the use of a ‘personal email server’ should be enough of a salutary warning to every politician to not conduct government business over personal email,” Pete Starr, the global director of security firm Cyren, tells IT Pro. “I find it amazing that this still happens given all of the rigorous security that the government has invested in. It just goes to show how it can be all undone by one individual.”
“Imagine a ransomware attack encrypting all of the health secretary’s data on his computers, making it useless. This could include data that is essential in guiding government COVID policy. That sensitive data could get lost through being sent to someone who isn’t authorised to have it because there is not data loss prevention technology present.”
This violation of government guidelines came to light in the aftermath of Hancock’s resignation for breaking social distancing rules.
If Hancock really was that tech-savvy, then he must surely have known the full consequences of using his own email account. The average cost of a data breach is roughly £3.03 million per incident (globally), according to IBM’s annual data breach report. Compromised email accounts make up 20% of these and the report also found there was an average of 287 days for the breaches to be identified and contained. In short, if valuable data is lost because of human error, said human will have lots of time to mull it over.
Sadly, this casual approach to IT is not isolated to the Health Department. There are even a few cases where a data breach can be traced back to an individual, such as former foreign secretary, Dominic Raab, leaving his phone number on a public website for almost ten years. This appeared to be a common mistake with foreign secretaries, as it was revealed just a few months after Johnson had done the same while in the position.
Worse, his ascendancy to and tenure of Number 10 Downing Street has coincided with a number of department-wide data breaches. This includes the COVID test and trace system, which couldn’t register new test results for several weeks because it used an Excel spreadsheet that had limits. There’s also the seedy affair of footage from Matt Hancock’s office showing him breaking social distancing rules somehow leaking to the press.
Upgrading IT systems
The most troubling incident, perhaps, is the accidental deletion of thousands of criminal records.
In this case, an IT technician was initially blamed, with a single error in a piece of code seemingly the cause – the perfect scapegoat, without context. But the Police National Computer (PNC) is almost 50 years old and has also been deemed “unfixable” by an independent police report.
“The Police National Computer has been out of date for years but to reinvent it not only costs huge amounts of money but brings the dangerous potential of teething problems and security worries,” says ESET cyber security specialist, Jake Moore. “Any faults would desperately need to be ironed out completely before any go live date is prepared due to the uproar that would erupt if any snags were to strike.
“The recent IT failures should ideally provide lessons but they are in vain if they aren’t acted upon. The PNC is vital to the judicial system and it needs to work effectively and efficiently, but securing it is the number one priority. It takes time to rectify any system, but recent delays have set this desperate project back too long. The current database will inevitably have holes in it and will be damaging the ability of the police to investigate effectively, which in turn could potentially put the public safety at risk.”
In the wrong hands, data from the PNC could lead to further problems such as extortion, manipulation, or even huge problems in court cases, Moore adds.
Ultimately, the deleted records were recovered but the independent inquiry into the incident, chaired by former Metropolitan Police chief Lord Hogan-Howe, placed the blame firmly at the door of the Home Office.
The case also raises questions about the rest of the government’s creaking technology infrastructure.
“It would seem that many of the IT systems in use by the government are antiquated and are at risk from a lack of support and understanding of how the systems actually function, as evidenced by the deletion of police records by accident,” says Andy Norton, the European cyber risk officer at Armis. “Are they still fit for purpose, though? Because if they are, then a lack of ready support and limited understanding of the system functionality may be considered an acceptable risk, in comparison to other government priorities.”
Perhaps the most alarming evidence is the amount IT Pro has had to leave out of this, such as claims the Department of Education sent malware-ridden laptops to schools. That in itself was a miserable end to an excruciatingly long fiasco where the government almost took the length of three lockdowns to get laptops to those in need.
Unfortunately, this could potentially get worse as the technology rapidly advances further beyond the average person’s comprehension. Perhaps the best mindset for MPs to have is that their current roles involve ‘cyber’.