• Adrian Bradley, Partner |
3 min read

In May of last year, the government launched a call for views on the resilience of the UK’s data-processing and data-storage infrastructure.

The DCMS describes this infrastructure as a “vital national asset…essential to operating a pro-growth and innovation-friendly economy.”

That’s undoubtedly the case, and KPMG supports this call for views to equip this vital national assets for the future. The UK is among the world’s largest consumers of technology and data – and therefore a rich target for cyber fraud, blackmail attempts and nation-state attacks.

As such, robust security is particularly important in crucial sectors such as defence and financial services.

But in setting out the call for views, the government seems to be taking a narrow perspective on the issue.

Its focus is primarily on data centres. But the data centre is merely the bottom layer of an organisation’s technology stack. All too often, it’s the upper levels that are most exposed.

Modern measures

The key to a resilient data infrastructure is modernisation of IT landscapes.

Older technology estates, protected by outmoded security systems and practices, aren’t just easier for criminals to access; they’re also easier to traverse. Once they’re in, attackers can move around within the network, sometimes staying undetected for months.

From there, they can exfiltrate strategic information, shut off critical operations, carry out blackmail, and more. We’ve seen organisations forced to pull the plug on their entire IT networks, closing down their operations until an attack is resolved.

By contrast, modern, cloud-based environments are harder to access, and can recover more quickly from attacks – typically in a week or two, rather than several months.

That’s partly because it’s easier to spot intrusion on cloud networks, and see how far attacks have spread. And also because cloud networks come with the latest security controls. These help firms to reduce the ‘blast radius’, by locking down parts of the estate that haven’t been affected by the attack.

On balance, levels of IT modernisation in the UK are reasonably good. As you’d expect, there’s a spectrum: from firms with hyper-modern landscapes to those with dangerously outmoded systems. Many FTSE businesses are still behind the curve, and the further down the scale you go, the more challenging modernisation becomes.

But overall, the state of play here is comparable to that across Europe and in the US.

Policy priorities

Of course, government has a central role in driving modernisation, in two respects.

Firstly, by making it a regulatory requirement. The new corporate governance code – known as ‘UK SOX’ – will go some way towards doing so when it comes into force in 2023.

But there’s more that government can do. Obliging firms to report on their security arrangements would be a helpful step (though admittedly difficult to implement).

As would creating an audit process for cybersecurity, similar to the standards and checklists in place in Germany.

In its absence, UK firms must reach out to the National Cyber Security Council (NCSC) for advice. But that’s self-selecting to a degree. Businesses that are focused on getting cybersecurity right (and have the resources for it) will readily engage with the NCSC; the rest won’t. A mandatory cybersecurity audit would change the dynamic from ‘pull’ to ‘push’.

Government’s second priority should be to foster cybersecurity and cloud talent.Today, there’s not enough labour supply to meet the modernisation needs and demands of enterprises. As a significant consumer of secure infrastructure, the government can itself generate a sizeable pool of talent in the way it approaches its own modernisation.

Sophisticated cybersecurity requires specialist capabilities to design, implement and operate effective tools, controls and processes. Working with cloud providers, government can devise policies to generate these skills through the education sector and apprenticeships framework.

Ultimately, modernisation isn’t something that a business – or a country – achieves once, at a given point in time. It’s a continual process of updating the IT landscape and strengthening security. Standing still means becoming less safe by the day.