Support 100 years of independent journalism.

  1. Spotlight
  2. Cyber
14 July 2022

Is the UK’s cyber space more secure after Boris Johnson?

Recent data shows a country largely unprepared for a more hostile cyber landscape.

By Afiq Fitri

In April 2021, it was revealed that Boris Johnson’s personal phone number was freely available online for 15 years, nestled at the bottom of a press release published in 2006 when he was the shadow higher education minister. Three months ago, cyber security researchers from the University of Toronto’s Citizen Lab released an explosive report detailing traces of the NSO Group’s Pegasus spyware within UK government networks, including Downing Street and the Foreign Office.

While there is no evidence linking these two events, security experts have condemned the lack of basic cyber security at the heart of government. “It’s vital that anyone with access to sensitive material up to and including the PM have to pay close attention to the basic rules of cyber security, including their phone numbers,” said Peter Ricketts, the UK government’s former national security advisor, at the time of the Pegasus revelation.

But with Johnson now preparing to step down, what is his cyber security legacy at a time when the National Cyber Security Centre (NCSC) is warning of a “potentially protracted period” of cyber threats from Russia?

Recent cyber security statistics paint a picture of rising data breaches and cyber attacks in the UK, with the public and private sector largely unprepared for such events. Local councils across the country have been hit by a spate of ransomware and data breaches, with East Sussex, Hampshire County and Gloucestershire County alone suffering more than 2,000 data breaches in 2020 and 2021, according to a study by privacy researchers at VPN comparison site VPN Overview. During a speech to launch the government’s Cyber Security Strategy earlier this year, the then chancellor of the Duchy of Lancaster, Steve Barclay, said that recent data breaches are a “growing trend – one whose pace shows no sign of slowing”.

Sign up for The New Statesman’s newsletters Tick the boxes of the newsletters you would like to receive. Quick and essential guide to domestic and global politics from the New Statesman's politics team. A weekly newsletter helping you fit together the pieces of the global economic slowdown. The New Statesman’s global affairs newsletter, every Monday and Friday. The best of the New Statesman, delivered to your inbox every weekday morning. The New Statesman’s weekly environment email on the politics, business and culture of the climate and nature crises - in your inbox every Thursday. Our weekly culture newsletter – from books and art to pop culture and memes – sent every Friday. A weekly round-up of some of the best articles featured in the most recent issue of the New Statesman, sent each Saturday. A newsletter showcasing the finest writing from the ideas section and the NS archive, covering political ideas, philosophy, criticism and intellectual history - sent every Wednesday. Sign up to receive information regarding NS events, subscription offers & product updates.

Data from the Department of Culture, Media and Sport’s (DCMS) latest Cyber Security Breaches survey confirms this growing trend. Since 2019, the number of data breaches and cyber attacks identified by businesses and charities has also increased, with almost four in ten businesses and a third of charities reporting such incidents as of this year.

Content from our partners
How to create a responsible form of “buy now, pay later”
“Unions are helping improve conditions for drivers like me”
Transport is the core of levelling up

Part of the government’s solution to improve cyber security across the board includes a raft of policies designed by the NCSC to help UK businesses protect themselves against common threats. But data from the same survey shows a startling lack of awareness among businesses of the government’s cyber security initiatives, with barely any improvement in the past few years.

Just three out of ten businesses surveyed have heard of the Cyber Aware email security programme, which encourages people to improve their email security through using strong passwords and two-step verification. This figure has crept up from 21 per cent in 2017, while less than 20 per cent of businesses remain unaware of the NCSC’s 10 Steps and Cyber Essentials programmes. The 10 Steps initiative provides basic advice on identity and access management for example, while Cyber Essentials is a formal certification scheme for businesses to conduct self-assessments on their cyber security preparedness.

This lack of awareness among business and charities also translates into the low take-up of such initiatives. According to the DCMS survey, just 6 per cent of organisations have undertaken the Cyber Essentials certification, while only 1 per cent of businesses have signed up for the Cyber Essentials Plus scheme, which involves an external assessment. The global cyber security standard ISO 27001 and a payment card data assessment are more widely adopted among those organisations surveyed, but still by a minority.

The last three years of Johnson’s premiership have seen the UK government roll out the country’s first National Cyber Strategy and other headline-grabbing initiatives like a National Cyber Force. Whether these high-profile policies translate into a more secure cyber space is yet to be seen, but the current reality of cyber security in the UK paints a markedly different picture.

[See also: Andrew Marr: The Tories’ new nightmare]