Public sector security debt is becoming a pervasive issue

Cyber security debt concept image showing multi-colored padlock on top of a circuit board.
(Image credit: Getty Images)

Cyber security experts have raised concerns over surging levels of security debt in the public sector, with research showing that many applications carry flaws that have gone unfixed for more than a year.

In a study conducted by Veracode, researchers found that six in ten public sector applications contain security debt, compared with an overall rate of 42% across other industries.

Chris Eng, chief research officer at Veracode, said the study uncovered “decades of accumulated security debt” and poor configurations. With many of these applications supporting public services, he said authorities must do more to improve the situation.

"Without a systematic and continuous approach to finding and fixing security flaws, the public sector is left dangerously exposed to attacks from hackers,” Eng said.

The researchers found that while slightly fewer public sector organizations (68%) have security debt than those in other industries, the ones that do tend to rack up more of it.

Only 3% of public sector applications are flaw-free, the study found, half the rate seen in other industries.

Meanwhile, four in ten public sector entities have persistent, high-severity flaws that constitute ‘critical’ security debt: flaws which, if exploited, would put the confidentiality, integrity, and availability of the affected organizations' systems at serious risk.

"The good news is that most organizations have the capacity to remediate all critical debt, but risk prioritization is key. Two-thirds of all flaws in public sector organizations are either less than one year old or are not critical in severity," Eng commented.

"In addition, less than one percent of all flaws constitute critical security debt. By prioritizing that security debt with focused effort, organizations can achieve maximum risk reduction and then move to address non-critical flaws based on their risk tolerance and capabilities."

Third party flaws contribute to public sector security debt

Security debt in the public sector mainly sits in first-party code, the study noted, but more than half of the critical security debt uncovered by Veracode comes from third-party dependencies.

It is mainly older, larger applications that are affected, and Java and .NET applications stand out as significant sources of debt in the public sector, researchers said.
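The figures above rest on a simple split: a flaw becomes security debt once it has gone unfixed for more than a year, and it is critical debt if it is also high severity. Eng's advice is to burn down that critical debt first and then work through the rest. The script below is an added example, not code from the article or from Veracode, showing how a team could apply that triage to its own findings export: it ages each finding against a reporting date, buckets it, reports the share of critical debt that sits in third-party dependencies, and produces a fix order. The finding fields, the one-year threshold, the choice of "critical" and "high" as the severities that count as critical debt, and the sample findings are all assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import date

# Assumptions for this example (not Veracode's definitions verbatim):
# a flaw unfixed for more than a year is "security debt"; debt at these
# severities is "critical security debt".
DEBT_AGE_DAYS = 365
CRITICAL_SEVERITIES = frozenset({"critical", "high"})


@dataclass(frozen=True)
class Finding:
    """One row of a hypothetical SAST/SCA findings export."""
    app: str
    cwe: str
    severity: str        # "critical", "high", "medium" or "low"
    first_seen: date     # date the scanner first reported the flaw
    third_party: bool    # True if the flaw lives in a dependency, not first-party code


def age_days(f: Finding, as_of: date) -> int:
    return (as_of - f.first_seen).days


def is_debt(f: Finding, as_of: date) -> bool:
    return age_days(f, as_of) > DEBT_AGE_DAYS


def is_critical_debt(f: Finding, as_of: date) -> bool:
    return is_debt(f, as_of) and f.severity in CRITICAL_SEVERITIES


def triage(findings, as_of: date):
    """Bucket findings by age (debt or not) and severity (critical or not)."""
    buckets = {k: [] for k in ("critical_debt", "other_debt", "new_critical", "new_other")}
    for f in findings:
        debt = is_debt(f, as_of)
        critical = f.severity in CRITICAL_SEVERITIES
        if debt:
            key = "critical_debt" if critical else "other_debt"
        else:
            key = "new_critical" if critical else "new_other"
        buckets[key].append(f)
    return buckets


def summarize(findings, as_of: date):
    """Application-level view: how many apps carry debt, and where the critical debt comes from."""
    apps = {f.app for f in findings}
    debt_apps = {f.app for f in findings if is_debt(f, as_of)}
    critical_debt = [f for f in findings if is_critical_debt(f, as_of)]
    third_party = sum(1 for f in critical_debt if f.third_party)
    return {
        "apps": len(apps),
        "apps_with_debt": len(debt_apps),
        "apps_with_critical_debt": len({f.app for f in critical_debt}),
        # Share of critical debt fixable by upgrading dependencies rather than editing own code.
        "critical_debt_third_party_share": third_party / len(critical_debt) if critical_debt else 0.0,
    }


def fix_order(findings, as_of: date):
    """Remediation order: critical debt (oldest first), then critical flaws that will
    become debt within the year, then the remaining debt, then everything else."""
    b = triage(findings, as_of)
    oldest_first = lambda fs: sorted(fs, key=lambda f: f.first_seen)
    return (oldest_first(b["critical_debt"]) + oldest_first(b["new_critical"])
            + oldest_first(b["other_debt"]) + oldest_first(b["new_other"]))


# Constructed sample data: three hypothetical public sector applications.
AS_OF = date(2024, 3, 1)
SAMPLE = [
    Finding("permits-portal", "CWE-89", "critical", date(2021, 6, 14), False),
    Finding("permits-portal", "CWE-79", "medium", date(2022, 1, 10), False),
    Finding("permits-portal", "CWE-502", "high", date(2020, 11, 2), True),
    Finding("benefits-api", "CWE-798", "high", date(2023, 12, 1), False),
    Finding("benefits-api", "CWE-200", "low", date(2024, 2, 20), True),
    Finding("records-search", "CWE-22", "high", date(2022, 9, 30), True),
]

if __name__ == "__main__":
    for bucket, fs in triage(SAMPLE, AS_OF).items():
        print(f"{bucket:16} {[f.cwe for f in fs]}")
    print(summarize(SAMPLE, AS_OF))
    print("fix order:", [f"{f.app}/{f.cwe}" for f in fix_order(SAMPLE, AS_OF)])
```

On the sample data two of the three applications carry critical debt and two-thirds of that critical debt is in third-party code, which mirrors the study's point that a dependency upgrade campaign removes a large share of the worst debt without touching first-party code.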

Public sector organizations are heavily targeted by cyber criminals, thanks in part to the large amounts of personal data that they often hold.

Last year, according to Check Point, government, education, and healthcare organizations experienced the highest volume of cyber security threats, with some facing thousands a day.

In the UK, research by the Information Commissioner’s Office (ICO) shows cyber attacks on local authority systems jumped by a quarter between 2022 and 2023, while personal data breaches reported by local government organizations rocketed by 58% in the same period.

And this is costing taxpayers dearly, with a recent investigation by Data Breach Claims showing that the number and cost of breaches at councils are on the rise across the country, with many paying out tens of thousands of pounds.

"The current state of software security in the public sector reinforces the importance of making secure by design a standard approach for the whole network connected world," Eng said.

Emma Woollacott

Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.