Cyber resilience – one year on
Taking the chance to reflect on the impact of our work
The recent release of The Beatles’ documentary ‘Get Back’ was great for anyone interested in the band (pretty much everybody) because it revisited the good work they produced over the years.
We’ve taken the band’s lead, and for anyone with an interest in cyber resilience (should be pretty much everybody) we’ve been revisiting our work on the subject from last year. We are not claiming to be anything like The Beatles, but we did want to reflect on the impact our work had, and to re-emphasise our main messages to those with an interest.
The work we did was a call to arms. We targeted senior decision makers at public bodies, to raise awareness of the critical importance of cyber resilience and to encourage them to reflect on their personal responsibilities, and their organisational arrangements.
We feel like we achieved this – we’ve had feedback that we helped to bring the topic into the consciousness of Boards and leadership teams. We also hope we provided a high-level overview of cyber resilience within Welsh public bodies that was not there before.
Since we started our work, cyber threats have continued to grow. The National Cyber Security Centre (NCSC) reports that cyber vulnerabilities have increased in relation to COVID-19, through hackers trying to steal medical research about vaccines, and because of growth in the number of people homeworking and using personal devices. In the first four months of 2021, the NCSC handled the same number of ransomware incidents as for the whole of 2020. And public bodies in Wales have been among those hit by recent cyber-attacks, which just goes to show these threats are real and are close to home. The National Audit Office talks more about the current cyber threats facing public bodies in their blog.
There is still much work to be done but it has been pleasing to see the actions that some public bodies in Wales have been taking since we reported. These have included:
- Using our report to carry out a gap analysis of their cyber arrangements and to help them decide specific improvement actions.
- Audit committees using our report to scrutinise the cyber arrangements in their organisations.
- Receiving presentations from NCSC representatives, including briefings on the NCSC board toolkit that we highlighted as good practice in our work.
- Taking action to make sure cyber resilience is a priority, by developing cyber resilience strategies, and by requesting more local audit work on cyber resilience.
- Carrying out dummy cyber-attacks to identify weaknesses and taking part in cyber resilience exercises in each of the Local Resilience Forums (LRFs).
The Welsh Government has been taking action too, including:
- Use of our report in workshops to highlight the real impacts of cyber-attacks.
- Joint working with colleagues in the Hwb team to assess cyber resilience arrangements in the education sector.
- Providing funding for cyber resilience training for local authority councillors.
- Hosting two Strategic Leaders Cyber Resilience seminars for over 90 CEOs and senior leaders across the public sector in Wales.
- Using National Cyber Security funding to loan a member of cyber security staff to the NCSC, to promote and increase the use of the NCSC’s guidance and tools.
- Reviewing Welsh NHS bodies’ cyber resilience arrangements for their compliance with the Network and Information Security (NIS) directive.
- Working with the NCSC to help plan the flagship event ‘Cyber UK 2022’ to be held in Wales in May 2022.
It has also been pleasing to receive interest in our work from outside of Wales, with other public audit organisations contacting us to share knowledge and good practice.
We know it’s a work in progress for Welsh public bodies, and there is still much more to be done. Areas for concern recently highlighted to us by our contacts in the Welsh Government and the NCSC include:
- Supply chain threats: Organisations should know what access third party suppliers and sub-contractors have to their information and systems, all the way down the supply chain.
- Incident response and recovery plans: Do bodies have them? Do they test them? How well do they work if most of the workforce is working from home?
- The importance of having offline and offsite backups to aid in recovery should a body’s online systems and online backups become compromised by a cyber-attack.
So, let’s get back to the key point of this blog. We want to keep the awareness of good cyber resilience high, but we also want public bodies to continue to speak to us, and to each other. There can be a stigma attached to being the victim of a successful cyber-attack, but without coming together to share lessons, there is a risk of history repeating itself, and failing to learn from experiences.
About the author
Gareth Lewis is a Senior Auditor in the IM&T audit team, and works on projects across both financial and performance audit, covering all sectors. He has been part of Audit Wales and its predecessor organisations since 2004.