Public services are grappling with a “severe” and accelerating cyber threat, as outlined in a report from the National Audit Office (NAO). The public spending watchdog warns that unless urgent action is taken, both government operations and critical public services could be at risk of significant damage.
The NAO conducted a detailed evaluation of whether the government is keeping pace with the evolving cyber risks posed by hostile actors. Its findings, however, point to considerable vulnerabilities in the UK’s resilience, particularly across ageing IT systems and gaps in specialised cyber skills.
Public services have widespread vulnerabilities
A key focus of the report is the government’s new cyber assurance scheme, GovAssure, which assesses the resilience of critical departmental IT systems.
By August 2024, GovAssure had independently assessed 58 systems, uncovering “significant gaps” in cyber resilience and “low levels of maturity” in fundamental security controls across multiple departments.
Legacy IT systems remain a particular concern. As of March 2024, at least 228 outdated systems were still in use across government departments. Worryingly, the government lacks crucial data on how vulnerable these systems are to cyber attacks.
The consequences of cyber vulnerabilities are starkly illustrated by recent high-profile incidents.
For example, a June 2024 cyber attack on a supplier of pathology services caused widespread disruption across south-east London NHS trusts—resulting in the postponement of over 10,000 outpatient appointments and 1,710 elective procedures.
Meanwhile, the British Library – which suffered a cyber attack in October 2023 – has already spent £600,000 on recovery work and anticipates significantly larger costs as efforts continue.
These attacks are not isolated but indicative of a broader trend.
Progress, but not fast enough
Successive UK governments have aimed to bolster cyber resilience over the past decade. January 2022 saw the publication of the Government Cyber Security Strategy, which set a target of having key organisations “significantly hardened to cyber attacks by 2025.”
However, the NAO report criticises the pace of progress, noting that improvements in cyber resilience have not been sufficient to meet the looming deadlines.
A critical barrier is the severe shortage of cyber specialists within government. The NAO report highlights alarming statistics from the 2023-24 period:
- One in three cyber security roles was either vacant or filled by temporary staff.
- Vacancy rates exceeded 50% in several departments.
- 70% of specialist security architects were employed as contingent labour.
Departments flagged restrictive civil service recruitment processes and uncompetitive salaries as the primary challenges in attracting and retaining cyber expertise. Without a robust in-house workforce, the government is heavily reliant on temporary staff—raising concerns about continuity and institutional knowledge in tackling long-term cyber threats.
Lack of coordination and accountability
The report also identifies structural issues in the government’s approach to cyber security. There is insufficient clarity around the respective roles and responsibilities of departments and organisations such as the National Cyber Security Centre (NCSC).
This lack of coordination risks undermining a unified defence against increasingly sophisticated cyber threats.
Adding to these challenges are financial constraints. Budget pressures have caused some departments to scale back on cyber resilience measures.
By March 2024, 53% of legacy IT assets (120 out of 228) lacked fully-funded remediation plans, leaving these systems exposed. Notably, underinvestment in technology and cyber defences was a key factor in the British Library’s cyber incident.
The NAO calls on the government to act decisively within urgent timelines. It recommends the following steps:
Within six months:
- Develop, circulate, and adopt a cross-government implementation plan for the Government Cyber Security Strategy.
- Define how government operations must transform to achieve the strategy’s goals for cyber security and resilience.
Within one year:
- Create and implement plans to address workforce gaps in cyber skills.
Gareth Davies, Head of the NAO, said: “The risk of cyber attack is severe and attacks on key public services are likely to happen regularly, yet government’s work to address this has been slow.
“To avoid serious incidents, build resilience, and protect the value for money of its operations, government must catch up with the acute cyber threat it faces.”
However, Davies notes three key challenges must be overcome for the government to effectively close the gap:
- Address the chronic cyber skills shortage.
- Clarify accountability for cyber risk.
- Manage legacy IT risks more effectively.
Rise of quantum threats
The report aligns with wider industry concerns over emerging cyber threats.
Chris Erven, CEO and co-founder of KETS Quantum Security, commented: “The tech industry seems convinced quantum computers are two decades away. Realistically, the first will come online in the next five years. The only question is which country will develop one first.”
Erven warned that current encryption systems, used to secure everything from financial transactions to sensitive government data, could become obsolete almost overnight once quantum computers are operational.
“Once the first quantum computer is live, the encryption that keeps emails, instant messages, and financial transactions secure will become irrelevant.”
In this scenario, unprepared organisations – including public sector bodies – could face catastrophic breaches of trust. Erven urged immediate action to incorporate quantum-secure technologies into current infrastructures.
A wake-up call for public services
The NAO report serves as a wake-up call for the UK government. Rapid advances in cyber threats – compounded by insufficient cyber defences, inadequate resources, and outdated systems – are placing public services at risk. With attacks already disrupting healthcare, cultural institutions, and other public services, the cost of inaction is becoming alarmingly clear.
Strengthening resilience will require not just technical upgrades but a transformation of recruitment practices, clearer interdepartmental accountability, and sufficient funding to address vulnerabilities. Whether the government can meet its 2025 targets will depend on its ability to mobilise resources and implement recommendations swiftly.
Nathaniel Jones, VP, AI & Security Strategy at Darktrace, said: “The NAO’s findings highlight both challenges and opportunities in UK government cybersecurity. While departments are actively working to harness AI solutions, they’re also managing complex legacy IT systems that require careful attention. The finding that 58 critical systems need strengthening provides a clear roadmap for improvement.
“The Government now has an opportunity in its upcoming Cyber Security and Resilience Bill and national procurement statement to upgrade the UK’s defences for a modern age. As we enter an era where AI is compounding offensive cyber capabilities, government departments will need to fundamentally upgrade their security approaches to safely harness modern day solutions for better public services.
“This isn’t just about patching existing systems – it’s about building security architectures that can adapt to the future landscape.”