Serious security weaknesses in public sector websites are being fixed faster, says the UK Government, which has also launched a government Cyber Profession training and recruitment programme. A vulnerability monitoring service (VMS) scans 6,000 UK public sector bodies, detecting around 1,000 types of cyber vulnerabilities. When a weakness is identified, the service alerts the relevant body and tracks progress until it is fixed.
Minister for Digital Government Ian Murray at DSIT (Department for Science, Innovation and Technology) was among the speakers at the annual Government Cyber Security and Digital Resilience conference, at the Kia Oval, south London. He said: “Cyber-attacks aren’t abstract threats — they delay NHS appointments, disrupt essential services, and put people’s most sensitive data at risk. When public services struggle it’s families, patients and frontline workers that feel it. The vulnerability monitoring service has transformed how quickly we can spot and fix weaknesses before they’re exploited so we can protect against that. We’ve cut cyber-attack fix times by 84 per cent and reduced the backlog of critical issues by three quarters. And as the service expands to cover more types of cyber threats, fix times are falling there too.
“But technology alone isn’t enough. Today I’m launching a new government Cyber Profession to attract and develop the talented people we need to stay ahead of increasingly sophisticated threats – making government a destination of choice for cyber professionals who want to protect the services that matter most to people’s lives.”
Background
Last month, DSIT launched the Government Cyber Action Plan (GCAP) which acknowledged backlogs, weaknesses and shortcomings.
Comment
Stephen Fewer, Senior Principal Researcher at Rapid7, said: “The improvements the government has made in patching vulnerabilities are significant, and they clearly demonstrate how powerful foundational security programme elements such as proactive vulnerability management and asset management practices can be. The inclusion of a Cyber Profession aimed at developing the talent needed to best protect government networks shows long term vision and commitment which must be commended.
“Attackers at large are still using older, known vulnerabilities and established techniques to compromise organisations worldwide, so leaving security weaknesses unpatched for months on end means you’re a sitting duck for cybercriminals. At the same time, we’ve seen the window between the discovery of new vulnerabilities and their exploitation in attacks shrink significantly in recent years. Without a clearly defined, regular patch cycle that prioritises actively and widely exploited CVEs, you can’t effectively respond to zero-day exploitation or advanced persistent threats.
“The improvements mentioned are truly impressive; however, ongoing investment in cybersecurity must remain a top priority for central government. A key focus for the government should be limiting the internet exposure of critical applications and management interfaces, ensuring they are never exposed to the public internet. Government organisations such as the NHS have many network edge appliances, including VPNs and firewalls, that cybercriminals can exploit. Reducing the attack surface is the next best defence after remediating known weaknesses.”
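The workflow the article describes, a monitoring service that records each detected weakness, tracks it until it is fixed, and reports fix times and the critical backlog, together with the patch-prioritisation point made in the comment above (actively exploited CVEs first), can be illustrated with a small remediation tracker. The code below is an added example and is not code from the article, DSIT, the VMS or Rapid7; the organisation names, dates, the 14-day SLA and the CVE identifiers (placeholders, not real CVEs) are all constructed.

```python
"""Remediation tracker for scan findings (added example, constructed data).

Models the defender-side bookkeeping behind a vulnerability monitoring
service: each finding is detected on a date, assigned a severity, optionally
flagged as known to be exploited in the wild, and later marked fixed.
"""
from dataclasses import dataclass
from datetime import date
from statistics import median
from typing import List, Optional

# Lower rank sorts first.
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}


@dataclass
class Finding:
    org: str
    cve: str                     # placeholder identifier, not a real CVE
    severity: str
    detected: date
    fixed: Optional[date] = None  # None while the weakness is still open
    known_exploited: bool = False

    def is_open(self) -> bool:
        return self.fixed is None

    def days_to_fix(self) -> Optional[int]:
        """Elapsed days from detection to fix, or None if still open."""
        return None if self.fixed is None else (self.fixed - self.detected).days


def prioritise(findings: List[Finding]) -> List[Finding]:
    """Open findings ordered for the patch cycle: exploited-in-the-wild first,
    then by severity, then oldest detection date first."""
    open_items = [f for f in findings if f.is_open()]
    return sorted(
        open_items,
        key=lambda f: (not f.known_exploited, SEVERITY_RANK[f.severity], f.detected),
    )


def median_days_to_fix(findings: List[Finding]) -> Optional[float]:
    """Median time-to-fix over findings that have been closed."""
    durations = [f.days_to_fix() for f in findings if not f.is_open()]
    return median(durations) if durations else None


def critical_backlog(findings: List[Finding], today: date, sla_days: int = 14) -> List[Finding]:
    """Open critical findings that have overrun the fix SLA (assumed 14 days)."""
    return [
        f for f in findings
        if f.is_open() and f.severity == "critical" and (today - f.detected).days > sla_days
    ]


# Constructed sample findings across three hypothetical public bodies.
TODAY = date(2025, 3, 1)
SAMPLE = [
    Finding("council-a", "CVE-0000-0001", "critical", date(2025, 1, 10), date(2025, 1, 14)),
    Finding("council-a", "CVE-0000-0002", "high", date(2025, 1, 20), date(2025, 2, 9)),
    Finding("trust-b", "CVE-0000-0003", "critical", date(2025, 2, 1), None, known_exploited=True),
    Finding("trust-b", "CVE-0000-0004", "medium", date(2025, 2, 25), None),
    Finding("college-c", "CVE-0000-0005", "critical", date(2025, 2, 20), None),
    Finding("college-c", "CVE-0000-0006", "low", date(2025, 1, 5), date(2025, 1, 17)),
]


def report(findings: List[Finding], today: date) -> dict:
    """Summary a monitoring service would send to each tracked body."""
    return {
        "open": [f.cve for f in prioritise(findings)],
        "median_days_to_fix": median_days_to_fix(findings),
        "critical_overdue": [f.cve for f in critical_backlog(findings, today)],
    }


if __name__ == "__main__":
    for key, value in report(SAMPLE, TODAY).items():
        print(f"{key}: {value}")
```

Run on the sample, the open list puts the known-exploited critical item from trust-b ahead of a newer but unexploited critical finding, which is the ordering a patch cycle that prioritises widely exploited CVEs produces; the median fix time and the overdue-critical list are the two figures the article quotes improvements in.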