Introduction
The UK government is currently grappling with a complex and rapidly evolving landscape of cyber threats. A recent report by the National Audit Office (NAO) highlights significant vulnerabilities in the government’s cyber resilience [3], necessitating immediate and comprehensive action to safeguard its operations and public services.
Description
The NAO assessed the government’s ability to keep pace with threats from hostile actors and identified significant gaps in cyber resilience across departments [4]. Notably, 58 critical government IT systems were found to have substantial deficiencies, with many fundamental system controls rated at low maturity levels [1]. As of March 2024 [1] [2] [4], at least 228 legacy IT systems remained in use [1] [4], and 53 percent of these assets had no fully funded remediation plan. Together, these findings indicate that the goal of significantly hardening critical functions against cyberattacks by 2025 is likely unattainable.
The GovAssure scheme has been criticized for its inadequate assessment of the government’s cybersecurity posture, revealing low maturity levels in key areas such as asset management and response planning. Furthermore, the Government Security Group (GSG) has faced scrutiny for lacking effective mechanisms to evaluate the efficacy of its cybersecurity strategies. A persistent shortage of cyber skills within the workforce exacerbates these challenges, with one in three cybersecurity positions unfilled or occupied by temporary staff [2], leading to increased costs and difficulties in managing cyber risks.
Recent cyber incidents have underscored the urgency of these issues, including a June 2024 attack on a pathology services supplier to the NHS [4], which resulted in the postponement of over 10,000 appointments and procedures [4]. Additionally, the British Library experienced a cyber attack in October 2023 [4], incurring recovery costs of £600,000, attributed to under-investment in technology and cybersecurity [4].
Despite efforts over the past decade to bolster cyber resilience [4], including a 2022 strategy aimed at significant improvements by 2025, progress has been insufficient [1] [4]. Competition for cybersecurity talent has intensified [3], and government departments struggle to attract skilled professionals against well-funded private sector organizations [3]. Financial constraints have further hampered efforts to enhance cyber resilience, leaving many legacy IT assets vulnerable [4].
The NAO urges the government to take immediate action to strengthen its cyber capabilities [4], emphasizing the need to address the long-standing shortage of cyber skills within the workforce. The report recommends that the GSG develop a cross-government implementation plan within six months and outline necessary operational changes by early 2025 [2]. Individual departments are also encouraged to enhance their governance and accountability regarding cyber risks and align with the GSG’s skills strategy to fill existing gaps [2]. The head of the NAO reiterated the severity of the cyberattack risk and the slow progress in addressing it [2], underscoring the urgency of adopting a modern approach to cybersecurity to prevent serious incidents and protect the integrity of government operations.
Conclusion
The report by the NAO highlights the critical need for the UK government to address its cybersecurity vulnerabilities. Immediate action is required to mitigate the risks posed by cyber threats, particularly through enhancing cyber skills and implementing effective governance strategies. The future implications of failing to address these issues are severe, potentially compromising the integrity of government operations and public services. The government must prioritize the development of a robust cybersecurity framework to safeguard against future threats and ensure resilience in the face of evolving cyber challenges.
References
[1] https://insight.scmagazineuk.com/more-gloom-for-uk-cyber-or-future-opportunities
[2] https://www.civilserviceworld.com/professions/article/huge-staffing-gaps-in-cyber-teams-nao-finds
[3] https://assured.co.uk/2025/whats-wrong-with-the-governments-security-posture-and-how-do-we-fix-it/
[4] https://www.cybersecurityintelligence.com/blog/the-british-government-faces-severe-cyber-threats–8220.html




