Cyber security identified as key risk for DfE

The loss of access to critical departmental systems and services, as well as a loss of critical departmental data, has been identified as a key risk for the Department for Education, according to its Consolidated annual report.

The report says that while the impact of a cyber attack has decreased due to progress made in maturing the cyber operation capabilities, the "risk is expected to remain high in the next financial year".

The report says that ransomware remains a threat of significant concern to the Department and that the Department’s capability remains low.

Issues have previously been reported with poor supplier security behaviour which exposed data. The supply chain is an area of high concern as a route for attacks on any organisation. Cyber and Information Security have recruited staff and opened the supply chain security function. The DfE is now analysing priority suppliers to decide where to focus initial attention.

The report says that increasing the maturity of the cyber security operational capability remains a high priority. However, development of the security monitoring platform ceased at the end of September 2021 with the cessation of the supplier contracts. The service has been effectively forced into operating on a “best-efforts” basis, which the report says is an "unacceptable risk to the Department".

The issue of cyber security has been escalated to the Civil Service Board as a cross-governmental risk.

 
