UK Stifles Cyber Security: Hackers Get Green Light To Attack

The UK government has given hackers the green light by making it more difficult for UK organizations to use independent cyber security specialists. This comes in an already difficult recruitment market with an acute shortage of well qualified and experienced cyber security professionals. Legislation made mandatory for private sector recruitment on the 6th April is having far-ranging consequences.

This has led to many cyber security roles typically done by independent contractors either not being filled or taking longer to fill, as finding suitable experienced candidates has become much more difficult.

Job boards are showing roles readvertised over and over again which, prior to the legislation being mandated for the private sector, were being filled quickly. The private sector is feeling the same consequences the public sector felt when it too fell in scope in April 2017, when many cyber security and other professionals jumped ship and left in droves, leading to an acute skills shortage.

Lessons learnt from how the public sector dealt with the mandating of the new requirements have been ignored and, as a consequence, similar cyber security skill shortages are being experienced.

Hackers and other malicious parties know all too well that many UK organizations are struggling to hire cyber security talent, and this could potentially increase opportunities for them to attack these organizations.

Blanket bans on independents

Many private sector UK organizations, such as the leading banks, have introduced blanket bans on hiring independents such as cyber security professionals unless they change the way they operate and conform to new ‘pseudo employee’ ways of working without any employee benefits.

These organizations are being driven to introduce blanket bans by fear generated in their own Finance, Human Resources and Risk departments, as they perceive it makes more financial sense to do this than to individually determine the status of each independent cyber security professional they deal with.

Many independents are also being forced to pay employer social taxes that these organizations, such as the banks, should themselves be paying. These social taxes amount to as much as 14%, which employers should pay, but with the structures these blanket banning organizations force independent cyber security professionals to use, there is no way around independents having to bear these employer deductions.

This has led a number of people to band together to pursue legal action against the mandated corporate structures known as umbrella companies, to reclaim unlawfully deducted taxes (Umbrella Reclaim, operated by the law firm McFaddens).

Cyber Security roles remaining unfilled for longer

Cyber security roles done by independents are taking longer to fill, ending up open for months, as independents simply elect not to pursue them. These are highly specialized roles offering independent advice, consultancy and technical skills, which can’t be filled quickly by using existing employees due to a skills gap.

Hiring permanent employees to fill these roles is not an option either, as the roles are temporary in nature and it would be difficult to let a permanent employee go once the work had been completed without breaking strict employment laws.

Sit it out or jump ship

Many leading independent cyber security professionals have elected to ‘sit it out’ and wait for suitable opportunities from organizations who are not operating blanket bans. This approach has led to an even more acute cyber skills shortage, as the number of available highly skilled independent cyber security professionals has dropped significantly.  

Other independent cyber security professionals have elected to temporarily conform to these blanket bans and engage with organizations operating these blanket bans but ‘jump ship’ as soon as work opportunities arise at organizations not operating blanket bans.

The consequence of jumping ship is disruption to these organizations as they try to hire replacements and have to dip back into a market where cyber security professionals are already reluctant to join organizations operating blanket bans.

UK Government Incompetence

The blanket bans are a consequence of the status determination tool used by the Government’s tax collection department (HMRC). This tool provides a status determination by going through a checklist of questions, ranging from the nature of the role to how the independent carries out their duties and operates.

This tool should be used by all organizations to determine whether any independent contractors are operating inside the scope of the legislation. Those who fall outside the scope of the legislation are perfectly fine to operate as they have been for years.

Unfortunately, the status determination tool has been described as flawed by many leading experts for:

  • Ignoring Mutuality of Obligation (MOO)
  • Using a simple checklist approach to a complex tax issue
  • Using ambiguous questions, leading to potential misinterpretation
  • Contradicting guidance notes provided when answering the questions

Worse still, HMRC have challenged previous determinations made when applied to the public sector, with the UK National Health Service (NHS) being liable for £4.3 million in tax payments, even though the NHS used the status determination tool for all contractors they hired.

This has led to many organizations deciding not to use the status determination tool and instead applying a ‘knee-jerk’ reaction by banning independents unless they operate as ‘pseudo employees’.

The UK Government’s tax collection department has also lost many high profile status determination cases, with its judgement criticized by the courts.

Independents’ anger

Many independents are angry at the blanket ban approach used by many organizations, which have decided to treat independents in this way without considering how these independents actually operate, many of them perfectly legally outside the scope of this mandatory legislation.

Many of these independents have successfully done their own determinations using specialized experts and can easily validate their claims of operating outside the scope of the legislation. However, these determinations are simply being ignored by organizations who have elected to have a ‘one size fits all’ approach to all independents.

Many are also angry at the UK government for not targeting larger corporations that actively abuse tax regulations by using sophisticated schemes costing UK taxpayers billions of pounds in potential revenue each year. Instead it almost feels like a ‘witch hunt’ against smaller independents rather than going after the bigger fish.

40% drop in income

Many independent cyber security professionals are facing the prospect of a 40% drop in their income, even though they legally operate outside the scope of the legislation, as hirers are not engaging with them as before and they are instead being forced to operate through umbrella companies and taxed incorrectly as a result.

This drop in income is not compensated by any employee perks, as these new structures don’t provide holiday pay, sick pay or other benefits. Any such benefits are funded directly from the income generated by the independent and not paid for by the organization hiring them.

Other costs like training, which independents have long paid for themselves, could end up being shelved due to lower income, and as a result many independents may find it difficult to keep their skills up to date.

Missing out on lower costs

The pigheadedness of the blanket banning organizations means many are missing out on reducing the cost of hiring cyber security professionals, as many independents have reduced their rates for roles outside the scope of the legislation, but organizations still won’t hire them unless they ‘go inside’ the scope of the legislation, even when they are clearly outside it.

Many independents have dropped their rates by as much as 40% to remain outside the scope of the legislation, subject to being assessed accordingly. However, many hirers within organizations have their ‘hands tied’, as they are unable to do individual determinations because the blanket hiring policy comes from the finance, human resources and risk directors.

Outsourcing won’t compensate

Some organizations have decided to try to outsource their cyber security project requirements to outsourcers. These outsourcers are told they can’t use independents on any projects they’re engaged on with the organization.

This makes it just as difficult for the outsourcers to find suitable candidates, and on reduced margins, as they have to work within the rate card offered, which must also cover an overhead for administrative costs as well as realizing some profit.

Long term damage

The shortsighted approach of using blanket bans on hiring independent cyber security experts has long term consequences, as getting people with security skills involved early in any project means the cost of fixing security issues is lower.

However, without being able to hire suitably qualified cyber security professionals early on, security issues could start to appear at the later stages of a project, where the cost of fixing them becomes exponentially higher, sometimes hideously so. This is especially true if the consequence is a breach in which the organization loses valuable data, such as customer details, and ends up with regulatory fines and penalties.

Off Payroll – IR35

Changes to the off payroll legislation, also known as IR35, have pushed the liability for determining an independent contractor’s tax status onto the organizations hiring the independent for their services from April 6th 2021.

This means organizations need to correctly assess whether an independent is operating in line with tax laws, and any mistake in determining their status will mean that any tax liabilities accrued by the independent contractor fall on the organization hiring them.

This has meant many larger organizations have decided not to do any determinations at all and instead impose a blanket ban on independent contractors using their own personal service companies, forcing any independent they engage to either join the recruitment agency payroll as a temporary employee or use an umbrella company.

By forcing the use of umbrella companies, these organizations can save around 14% in employers social tax contributions which are picked up by the independent contractor using the umbrella company.

Final Thoughts

In conclusion, the UK Government’s tax body, HMRC, has shown incompetence in rolling out a flawed status determination tool, forcing the hand of many UK organizations, which have opted not to correctly determine the status of independent cyber security contractors and instead ban them from operating perfectly legally.