Blog post

Improving government, one bit at a time

Created:  20 Jul 2018
Updated:  20 Jul 2018
Author:  Maddy S
Part of:  Digital services
Medical supplies

The NCSC's Active Cyber Defence programme - a series of initiatives designed to tackle a range of commodity attacks - is now well into its second year. And in addition to making people objectively safer in cyberspace, we're continuing to analyse the data that the ACD projects generate.

What - if anything - can this data tell us about the state of IT across the public sector?

And more importantly, can we at the NCSC use this data to make decisions about how to best focus our efforts? That is, does the data provide us with any 'clear wins' that we can pass on to our public sector customers to improve their security?

One clear observation from the analysis is that many government Content Management Systems (like WordPress, Joomla and Drupal) are frequently not maintained - we found 593 sites that were out of date. Why should this be the case?


Why don't Content Management Systems (CMSs) get patched?

First of all, organisations may not know that they need to frequently patch their systems.

Assuming they do know this, there's still the following issues:

  • They don't know how to patch.
  • The website is contracted out and isn’t maintained in line with expectations of the public sector organisation.
  • Patching can take an unreasonable amount of time, during which systems will be unavailable.
  • Sometimes, when a CMS is patched, things break. More specifically, patching breaks the thing you were trying to patch, and sometimes things you weren’t trying to patch.

We’ve also observed that the type of update will dictate how keen people are to apply it. The graph below shows how long it takes (in days) for people using an existing version to update to the next version. The longer the bar, the longer the user is staying on that version. From the graph below it's clear that users are applying security updates (orange), and then not applying any updates for a long time.


In an ideal world, people wouldn't get 'stuck' on security updates; after applying a security update they would continue to keep their CMS up-to-date, by applying regular and minor updates.


Why patching is important for CMS systems

As the NCSC point out in its guidance, patching all systems is important because:

  • patching prevents harm from ‘critical’ vulnerabilities (the problems in the code that can be exploited easily and have can cause serious damage)
  • patching can prevent your organisation from being exploited and harm being done to your software  - and reputation

For Content Management Systems, applying all types of CMS patch are also important, because vulnerable systems might result in your site might being defaced, or even taken offline altogether. We found 220 government websites that have been defaced in the past five years. It's worth nothing that this is not necessarily all due to out-of-date CMS, but it is highly likely to have been a factor in a majority of them. 

Our analysis shows that the promptness of a CMS patch being applied will vary according to the type of patch. However, if an organisation only applies security updates, this means that once the major version goes out of support (eg Drupal 6) you will no longer receive any patches, security or otherwise. So don't ignore the non-security patches; applying them promptly will mean your system is ready to receive security patches as soon as they are available, and it will remain in support for a longer period of time.


How secure is your public sector website?

Web Check is a free-to-use website configuration and vulnerability scanning service, available to all UK public sector organisations. So if you manage websites including:

  • local government
  • emergency services — Police, Fire and Rescue Services, NHS Ambulance Services, HM Coastguard
  • central government
  • the National Health Service
  • devolved administrations
  • Crown dependencies
  • British overseas territories

 - and haven't already registered, then why not create an NCSC Signin account at You can request access to the Web Check service from there.


Not public sector?

Take the time to understand if your website (or websites) use a CMS, and make sure you know who is responsible for keeping it up to date. You can then check if it's being updated regularly, and if it's not, find out what you need to do to make sure patches are applied as soon as possible.


Maddy S

Digital Data Analytics Team, NCSC




Keith Dewey, DataGRC - 06 Aug 2018
Great to see vulnerability scanning tools being offered for free. A really important way to regularly check which online "windows and doors" have been left wide open for crooks to walk through, and direct the teams to fix the highest priorities. It's all about getting the basics right, and this is certainly one of the key basics.
Richard S - 07 Sep 2018
Maddy S -

When is this going to be rolled out to industry supporting UK Gov ? The supply chain needs to be able to afford the same protection as its customer.
Maddy S - 12 Sep 2018
We definitely agree that supply-chain security is important.
Unfortunately, at this time, we cannot offer the Web Check service to those outside the public sector - however, a good penetration test (guidance here: will cover the sort of issues that Web Check looks for.
We also have guidance for focusing on supply-chain security (guidance here: which may be useful.
Richard Selina - 12 Sep 2018
thanks Maddy S.
Andy Butler - 13 Nov 2018
There are webdesigners who are involved in developing websites which are used to market for work they cannot do

Their ISO 9001 complaints management system instead geared to cover up fraud, deception and even data theft

Candace Young - 19 Nov 2018
"don't ignore the non-security patches; applying them promptly will mean your system is ready to receive security patches as soon as they are available, and it will remain in support for a longer period of time."

No, a "patch" bears no relation to the length of time a version is supported. You only get longer support if you "upgrade", which is rather different. In the example you give, Drupal 6, you need to rewrite most of your site from scratch to get the longer support of Drupal 7 or 8.

The advice I'd like you to give is on automated updates. Many suppliers update your CMS regularly. If they don't then it is a red flag.

Also, can you weigh up the benefits and drawbacks of snyk/dependabot etc which can automate updating software dependencies. Should you trust the likes of these? Can possibly do without them, the rate new releases come out?

Leave a comment

Was this blog post helpful?

We need your feedback to improve this content.

Yes No