Skip to content

Search the site

One single HMG department is running 600+ unsupported apps

Defra legacy IT issues mean department is running some 2,000 applications, 30% of them unsupported.

The UK’s Department for Environment, Food and Rural Affairs (Defra) is running 600+ applications that are end of life (EOL), or no longer supported with software updates by their suppliers; a severe potential security risk.

EOL software does not get mainstream support from its suppliers nor software security patches. Unpatched software is one of the three leading ways cybersecurity breaches including ransomware attacks happen.

That’s according to the National Audit Office (NAO) which found that Defra is running some 2,000 different software applications – including “small locally developed spreadsheets and databases”.

Some 30% of these, it said, are EOL.

These include numerous “duplicated and overlapping” applications. NAO said that this proliferation – which includes rampant “grey IT” was because in the past there had been no centralised digital function in Defra.

That changed in 2014 when its Digital, Data and Technology Services was established. It now delivers the large majority of IT for Defra and its set of agencies, but faces a huge and expensive “clean-up” problem – being led by Defra’s Group Chief Digital and Information Officer Chris Howes, who faces funding and staffing headwinds.

Defra has “one of the most significant legacy IT challenges of all government departments” NAO said this week, and is spending more than 76% of its budget for digital, data, and technology on maintaining legacy systems.

Defra legacy IT challenges include hundreds of EOL applications

The Defra legacy IT challenge is, in theory, being tackled with £871 million for broad digital investment between 2022-2025. But as NAO noted, much is likely to be spent on new services (more than two thirds of Defra’s 21 million annual customer transactions still require paper forms) and as it notes in a December 5 audit: “Funding provisions for legacy IT are often insufficient and, in some cases, cut during a budget cycle.”

NAO said that government departments in general “typically do not have a good understanding of their IT estate and its interdependencies, and legacy systems are often poorly understood because of their age.”

DEFRA’s services span trade, disease prevention, food protection, air quality monitoring and beyond.

Raghu Nandakumara of security firm lllumio noted: “It’s concerning that a huge proportion of government systems are being left vulnerable to attack, particularly with ransomware so prevalent.

“But it’s also not surprising. Most large organisations have a substantial amount of legacy infrastructure which is not always easy to retire or patch.  In those scenarios, it’s critical that steps are taken to minimise risk and exposure to attack. At a very minimum, this means limiting access to systems and services with known vulnerabilities and imposing a strategy of least privilege.  A key pillar of the government’s cybersecurity strategy is about mitigating cyber risk, so it’s important it practices what it preaches. The best way to reduce risk is through the practice of good security hygiene and a defence-in-depth approach to cyber resilience.”

Low pay does not help tackle challenges like this in the public sector. Defra tried to recruit 244 digital, data and technology staff over the past 12 months but only managed to fill 71% of the roles, NAO’s report notes.

The department is currently focussed on trying to move away from legacy data centres as contracts wind down and modernise existing applications by moving them to the cloud but “has not been able to make other changes that would take full advantage of the benefits a cloud environment can offer, such as increased efficiency and flexibility” NAO warns. Plans to complete a “stabilisation phase” by April 2022 faced a a slower start than anticipated, “in part due to technical problems and software licensing issues.”

Worrying, it added that “Defra plans further work to enhance and transform its legacy systems and processes. It expects this to take 10 years, but has not yet developed any detailed plans” – although its IT team are making efforts to ensure all datasets are centrally catalogued and managed by established data owners, with it recently establishing a Data Exploitation Board to help with this task.