The government has published a new £210 million Cyber Action Plan to tighten security across public services as ministers warn growing online threats could disrupt everything from healthcare to benefits.
The Government Cyber Action Plan is to be driven by a new Government Cyber Unit set up to ‘coordinate risk management and incident response across departments’.
Introducing the strategy, the Minister of State for the Department for Science, Innovation and Technology (DSIT), Ian Murray, said the ‘first duty of this government is to keep the country safe’ and ‘in today’s volatile world, security extends beyond physical borders into the digital realm’.
‘Whether you are accessing healthcare, seeking advice to start a business, claiming benefits or verifying identity, digital transformation enables us to deliver the efficient, citizen-focused services that people rightly expect’, he wrote.
‘As we innovate and expand, the surface area for risk grows with it’, he added.
Scale of public sector IT needs robust defence
I couldn’t agree more. His comments are, no doubt, referring to the expanding surface area for risk created by the rapid growth of digital public services. But that language also resonates strongly in the more technical world of cybersecurity and resilience.
For beneath public sector services sits a sprawling digital estate built on distributed cloud platforms, remote access tools, interconnected databases and a growing web of third-party applications.
Ensuring the public sector’s ‘digital engine room’ remains resilient and secure in the face of ever-increasing threats is a core operational priority.
In the past, the UK’s public sector – like many organisations – turned to zero trust to ensure access to systems was tightly controlled and continuously verified. And while zero trust provides an additional layer of protection compared with older, perimeter-based models, it only works well when combined with reliable identity data and consistent access controls.
This means that while zero trust is able to beef up security inside an organisation, it is unable to address threats on the outside. That is why it’s essential that those charged with keeping our public services safe also have eyes and ears throughout their IT estate.
And it’s why external attack surface management (EASM) – which echoes the language used by the minister – is becoming so important.
Why visibility of external assets matters
EASM is the process of discovering, monitoring and securing all the digital assets an organisation has exposed to the internet. That includes domains, websites, cloud services, APIs, remote access points, shadow IT, forgotten test systems, misconfigured databases and any other online entry point that could be used as a way in by rogue actors.
The truth is, most organisations do not realise how much they have exposed or how quickly that footprint changes. EASM solves the problem by giving a live view of the organisation’s external digital estate and alerting teams when something new appears, or an existing asset becomes vulnerable.
Or, to put it another way, EASM answers the question: what could a would-be attacker find if they scanned us right now? That answer – thanks to EASM – helps organisations identify the issue so they can fix it before anything malicious can happen.
Visibility leads to positive action
Interestingly, the new Cyber Action Plan talks about ‘clearer visibility of risks’ and ‘shining a light on cyber and digital resilience risks across government’.
Whether that includes EASM specifically remains to be seen. But if nothing else, it’s a recognition that when it comes to security, we must be forever on our guard.
Indeed, other areas highlighted by the new plan include achieving a ‘faster response to threats and incidents’ by ‘requiring departments to have robust incident response arrangements in place’. It also calls for ‘higher resilience across government’, with targets to ‘close major gaps and protect critical services’.
But I would argue it requires a change of mindset to treat cyber-resilience as a continuous process instead of falling into the trap of seeing it as merely an exercise in compliance.
Regular discovery and monitoring must sit alongside strong governance, disciplined asset management and clear ownership of risk across IT, security and operational teams. If a department cannot say who owns a system, who updates it or who monitors it, then it cannot secure it.
Public bodies also need to address long-standing structural needs, such as investing in cyber skills, modernising outdated systems and improving accountability for risk at senior levels. They also need an up-to-date understanding of what they have exposed to the outside world.
This is where EASM has a critical role to play. By giving teams continuous visibility of their external digital footprint and highlighting changes as they happen, EASM provides the intelligence needed to support faster decisions, clearer ownership and more effective risk reduction.
Rich Giblin
Rich Giblin is Head of Public Sector and Defence at SolarWinds.



