The Cabinet Office has been urged to make it much easier for departments to carry out the "critical" task of protecting their information from unauthorised access or loss.
A new report by the National Audit Office public spending watchdog says the Cabinet Office "has not yet established a clear role for itself in coordinating and leading departments’ efforts to protect their information", with efforts to track performance hindered by patchy data and too many bodies with "overlapping responsibilities".
Almost 9,000 data breaches were recorded by the 17 biggest government departments in 2014-15, according to the NAO, which says the threat of electronic data loss from cyber attacks and accidental sharing has " risen considerably" in recent years.
MoJ recruiter: civil service "not cool enough" to attract top cyber talent
The civil service must tackle its middle-aged problem – or risk becoming a monoculture
Cabinet Office minister Ben Gummer "frustrated" by GDS demise chatter
Bringing government data to life
But the watchdog finds that there are "at least" 12 separate teams in the centre of government with a role in safeguarding information, with the governance arrangements above them "unclear and fragmented", and "no formal links" between the main players.
The NAO says that while the new National Cyber Security Centre – which launches next month to take the lead on shielding government networks from cyber-attack – will help pool "much of government’s cyber expertise", a more wide-ranging shake-up is needed "to further enhance the protection of information".
"The NCSC should streamline central government processes for dealing with information incidents in cyberspace," the report says.
"However, the scale and pace of the challenges of protecting information are such that these structural changes are unlikely to be sufficient on their own unless Cabinet Office also supports departments in addressing the wider problems set out in this report. "
It adds: "The NCSC is designed to work with government and the private sector: whether it has the capacity to do so effectively remains to be seen."
Among its findings, the NAO says departments have tended to treat information governance as a lower-order priority, and points out that the Cabinet Office "does not provide a single set of governance standards for departments to follow, and does not collate or act upon identified weaknesses".
"Only a few departments set security standards through their supply chain," it adds.
"The Cabinet Office does not provide a single set of governance standards for departments to follow, and does not collate or act upon identified weaknesses" – National Audit Office
Meanwhile, the report says the Cabinet Office does not have access to "robust expenditure and benefits data" from departments that would allow the centre of government to take "informed strategic decisions on protecting information".
And the watchdog says that, despite the establishment of a dedicated civil service security profession in 2013, it remains "difficult for government to attract people with the right skills" to take on key cyber security roles.
That finding echoes comments made this week by a recruiter for the Ministry of Justice, who said people with cyber security skills "still don’t think working for government is cool".
Departments were, the recruiter said in GOV.UK blogpost, still working to shake off the perception that government tech jobs meant working against "a massive legacy monolithic monster" and "trying to troubleshoot memory issues in a some mid-90s middleware".
The NAO said demand for such skills across government was "growing and is likely to continue to grow".
"Plans to cluster security teams may initially share scarce skills but will not solve the long-term challenge, and will pose questions for departmental accountability," the watchdog's report added.
Launching the NAO's latest findings, the audit office's head Amyas Morse said: “Protecting information while re-designing public services and introducing the technology necessary to support them is an increasingly complex challenge.
He added: "To achieve this, the Cabinet Office, departments and the wider public sector need a new approach, in which the centre of government provides clear principles and guidance and departments increase their capacity to make informed decisions about the risks involved.”