While the Department for Environment, Food and Rural Affairs (Defra) is making progress in addressing “emergency services risks and vulnerabilities” introduced by historic under-investment in technology, it is still failing to plan adequately for the wider digital transformation it must undergo, introducing more elements of risk, according to a National Audit Office (NAO) report.
With Defra responsible for a number of key digital services such as disease prevention, flood protection and air quality, the NAO said it was particularly concerned by the rising number of legacy applications used in the department, many of which rely on aging IT infrastructure.
It said Defra’s failure to prioritize investment has led to a situation where 30% of its applications are now unsupported, meaning developers are not issuing any software or security updates. It said this was compromising the resilience of vital environmental services and increasing Defra’s exposure to cyber attacks.
The NAO said Defra was not alone in tackling the problems associated with an aging and creaking technology estate, but it faced one of the toughest challenges in tackling them: it is not expected to complete the work it needs to do before 2030, and its own estimates currently suggest that three-quarters of its total digital, data and technology spending is being diverted to maintaining legacy technology.
“Government continues to rely on very old IT systems at significant cost,” said NAO chief Gareth Davies, adding that Defra faced a particularly challenging task in replacing its legacy applications and was starting to tackle it in a structured way.
“The technology’s full potential to improve government services and reduce taxpayer costs can only be accessed if this program and others are delivered effectively across government.”
The NAO’s full report, however, acknowledges that Defra is struggling to reduce the most pressing risks, while also admitting that the department – ahead of the 2021 spending review – had not been given the funding it needed. It has now been allocated £366m from the Treasury to spend on IT up to 2025, compared to just £100m to spend between 2016 and 2019.
It added that since the spending review, Defra had successfully established a “well-designed plan”, but said the additional funding, while helpful, was not nearly enough to reduce risk to an acceptable level or fund wider digital transformation efforts.
The NAO has urged Defra to keep pace with its legacy applications program as it moves out of the remedial, stabilization phase and into full digital transformation.
It recommended Defra and other departments do more to develop a “strategic digital vision”, linked to appropriate governance and management structures to help ensure digital and data considerations are “central to business transformation plans”.
Raghu Nandakumara, head of industry solutions at Illumio, commented: “This is about leaving a large proportion of government systems vulnerable to attack, especially with ransomware so prevalent. But that’s not surprising either.
“Most large organizations have substantial legacy infrastructure that is not always easy to retire or patch. But in these situations, it is important that steps are taken to reduce the risk of attack and exposure. At the very least, this means limiting access to systems and services with known vulnerabilities and imposing a least-privilege strategy.
“A key pillar of the Government’s cyber security strategy is reducing cyber risk, so it is important to practice what it preaches. Ultimately, the best way to mitigate risk is through good security hygiene practices and a defense-in-depth approach to building cyber resilience,” Nandakumara said.