Improving software security in the public sector


UK public sector organisations are facing threats and increasingly sophisticated attacks on key infrastructure and software security

This trend is only expanding as more services are digitised and increasingly complex software supply chains multiply the opportunities for malicious actors to infiltrate networks.

Cybersecurity has been at the top of the government agenda for several years already. Attacks like the 2020 SolarWinds hack, in which a malicious update to the Orion IT management software used by thousands of organisations and government agencies worldwide was delivered through the vendor's own build and distribution pipeline, raised the alarm for state actors everywhere about the need for strong nation-level cybersecurity strategies.

The UK government is a good example of a state actor recognising the need for urgent action on its cybersecurity. Over the last few years it has launched several initiatives to bolster its defences. In 2022, the government published its Government Cyber Security Strategy, which acknowledged a significant gap between the public sector's current cyber resilience and where it should be. The plan also included investment in cybersecurity skills and the establishment of automated, live threat information sharing at scale across government and the wider public sector. Twelve months later, in April 2023, the government launched new and enhanced measures under the name GovAssure, a centralised assurance scheme in which departments' cyber resilience is independently assessed against the NCSC's Cyber Assessment Framework so that best practice is followed consistently across the country's governmental organisations.

Governments worldwide are introducing similar initiatives and investing time and resources to bolster their cyber resilience. For infrastructure resilience and public safety, we must ensure public sector software is not opening the front door to cyber risks.

The state of software security in the public sector

In 2023, research found that attacks targeting the government sector had increased by an eye-watering 95% in the second half of 2022 compared with the same period in 2021. The cost of security breaches in the public sector has also grown in recent years: IBM recorded an all-time high average cost of a data breach in 2023, up more than 15% over the previous three years.

At the same time, recent Veracode research shows that eight in ten applications developed by public sector organisations have had security flaws detected over the last 12 months, compared with three-quarters of applications in private sector businesses. These numbers highlight the need to monitor the development process closely so that software with known vulnerabilities is not released. However, once an application is in production, public sector organisations score better than private ones on flaw introduction.

Veracode's research found that private sector applications are 7-12% more likely to have a new flaw introduced. This suggests that public sector organisations follow a steady review process for their existing software, which is a very healthy sign in the long run.

Looking ahead

Despite the sector's many security flaws, there is reason for public sector organisations to be optimistic. For instance, the public sector carries a smaller share of 'high severity' flaws, those that give an attacker a serious and readily exploitable weakness, than the private sector does: only 16.5% of its vulnerabilities fall into this category, compared with 19% of private sector flaws.

Similarly, our research also found that public sector agencies are better at keeping flaws at bay over time. Once software has been in use for around five years, the rate at which new flaws are introduced has risen gradually and steadily for private sector applications but declined for public sector ones. Perhaps public sector organisations remain vigilant about keeping applications secure as they age, not just during the first few years of use.

Steps towards improved software security

Keeping organisations cyber secure is a growing challenge, especially as attackers become increasingly creative with sophisticated tools. The public sector has come a long way to strengthen the security of applications that serve the government, but there is still more work to do. 

One immediate step is dealing with the existing backlog of known flaws: paying down existing security debt is easier than starting the search for new vulnerabilities from scratch. Another step organisations can take is implementing more regular and varied scans. As modern IT systems become increasingly complex, the categories of potential vulnerability become more diverse, and a flaw written into first-party code and a known-vulnerable open-source dependency pulled in from a package registry are found by different techniques. Organisations must therefore run multiple scan types, such as static application security testing (SAST) and software composition analysis (SCA), to ensure a comprehensive search for flaws.
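To make the SAST-versus-SCA distinction concrete, the following is an added example, not code from the original article or from Veracode: a toy static scanner that walks the Python AST for two injection patterns, beside a toy composition scanner that checks a pinned requirements manifest against an advisory table. The sample source, the manifest, the advisory identifiers (EXAMPLE-0001, EXAMPLE-0002) and the "first fixed" versions are all constructed for this illustration and are not real advisories; each scanner finds only the class of flaw it is built for, which is the point of running both.

```python
"""Toy SAST and SCA scanners, added here to show why both kinds are needed.
Both are deliberately minimal stand-ins for real tools; the sample code,
manifest and advisory table are constructed for this example."""
import ast
from dataclasses import dataclass

# Constructed first-party code under test (the kind of flaw SAST finds).
SAMPLE_SOURCE = '''
import subprocess
def find_user(conn, name):
    cur = conn.cursor()
    cur.execute("SELECT * FROM users WHERE name = '" + name + "'")
    return cur.fetchone()
def ping(host):
    return subprocess.run("ping -c 1 " + host, shell=True)
def safe_find_user(conn, name):
    conn.cursor().execute("SELECT * FROM users WHERE name = ?", (name,))
'''

# Constructed dependency manifest (the kind of flaw SCA finds).
SAMPLE_REQUIREMENTS = """\
requests==2.19.0
flask==2.3.2
pyyaml==5.3
"""

# Constructed advisory table: package -> (hypothetical advisory id, first fixed
# version).  A real SCA tool pulls this from a vulnerability database.
ADVISORIES = {
    "requests": ("EXAMPLE-0001", (2, 31, 0)),
    "pyyaml": ("EXAMPLE-0002", (5, 4, 0)),
}

@dataclass(frozen=True)
class Finding:
    scanner: str    # "SAST" or "SCA"
    rule: str       # rule name for SAST, advisory id for SCA
    location: str   # source line for SAST, package name for SCA
    detail: str

def _is_dynamic_string(node):
    """True for strings assembled at runtime: concatenation, f-string, .format()."""
    if isinstance(node, ast.BinOp) and isinstance(node.op, ast.Add):
        return True
    if isinstance(node, ast.JoinedStr):
        return True
    return (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
            and node.func.attr == "format")

def sast_scan(source):
    """Static scan of Python source: two injection rules evaluated over the AST."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call) or not isinstance(node.func, ast.Attribute):
            continue
        func, where = node.func, f"line {node.lineno}"
        # Rule 1: a query string built at runtime is passed to .execute().
        if func.attr == "execute" and node.args and _is_dynamic_string(node.args[0]):
            findings.append(Finding("SAST", "sql-injection", where,
                                    "query assembled at runtime; use a parameterised query"))
        # Rule 2: subprocess.* called with shell=True and a non-literal command.
        if isinstance(func.value, ast.Name) and func.value.id == "subprocess":
            shell = any(kw.arg == "shell" and isinstance(kw.value, ast.Constant)
                        and kw.value.value is True for kw in node.keywords)
            if shell and node.args and not isinstance(node.args[0], ast.Constant):
                findings.append(Finding("SAST", "command-injection", where,
                                        "shell=True with a dynamic command; pass an argv list"))
    return findings

def _version(text):
    return tuple(int(part) for part in text.strip().split("."))

def sca_scan(requirements):
    """Composition scan: pinned requirements checked against the advisory table."""
    findings = []
    for line in requirements.splitlines():
        line = line.split("#", 1)[0].strip()     # drop comments
        if "==" not in line:
            continue                              # this toy only understands exact pins
        name, version = (part.strip() for part in line.split("==", 1))
        advisory = ADVISORIES.get(name.lower())
        if advisory and _version(version) < advisory[1]:
            adv_id, fixed = advisory
            findings.append(Finding("SCA", adv_id, name.lower(),
                                    f"{name}=={version} predates fixed version "
                                    + ".".join(map(str, fixed))))
    return findings

def scan_all(source=SAMPLE_SOURCE, requirements=SAMPLE_REQUIREMENTS):
    """Run both scanners; neither one alone reports both kinds of flaw."""
    return sast_scan(source) + sca_scan(requirements)

if __name__ == "__main__":
    for f in scan_all():
        print(f"[{f.scanner}] {f.rule:<18} {f.location:<10} {f.detail}")
```

Running the block reports two SAST findings (the concatenated SQL query and the shell=True command, but not the parameterised query in safe_find_user) and two SCA findings (requests and pyyaml below their hypothetical fixed versions, flask untouched). Swapping the dependency pins would change only the SCA results and rewriting the queries would change only the SAST results, which is why a programme that runs one scan type and not the other leaves a whole category of flaws unmeasured.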

AI can be a very useful tool for reducing security backlogs and the cybersecurity debt organisations accrue when flaws remain unaddressed for long periods. Security tools that leverage AI can identify errors in code and propose AI-generated fixes, cutting the time it takes to remediate a flaw from months to minutes, provided each suggested fix is still reviewed and tested before it is merged.

Investing in development teams' education on an ongoing basis is also essential. There is a baseline chance of 27% that a flaw will be introduced into an application in any given month, but further Veracode research found this falls by 12% for organisations whose teams had completed ten interactive Security Labs training modules. As software ages, sustained security training and awareness reduce the chance of introducing flaws.

An ounce of prevention is worth a pound of cure

Yes, the challenge of cyber security is great and seemingly ever-growing, but it is not insurmountable. Public sector agencies can improve by focusing security efforts on the root causes of breaches. Scanning regularly with a variety of testing types, investing in developer security training, and addressing security debt will pave the way toward a more secure future.

Failing to pay down technical or security debt is like bailing a leaking boat: flaws collect over time until water comes in faster than it can be bailed out. Our secure future depends on the actions we take now.

This piece was written and provided by John Smith, EMEA CTO, Veracode
