Public services face a growing and serious cyber threat, according to a report from the National Audit Office (NAO). The watchdog warns that unless urgent action is taken, government operations and vital public services could suffer significant damage.
The NAO evaluated whether the government is keeping pace with evolving cyber risks from hostile actors and found substantial weaknesses in the UK’s resilience. The report highlights particular concerns around ageing IT systems and gaps in specialised cyber skills.
Widespread vulnerabilities across public services
A central element of the report is the government’s cyber assurance scheme, GovAssure, which assesses the resilience of critical departmental IT systems. By August 2024 GovAssure had independently examined 58 systems and revealed “significant gaps” in cyber resilience and generally low maturity in basic security controls across several departments.
Legacy IT systems are a major problem. As of March 2024, at least 228 outdated systems remained in use across departments, and the government lacks reliable data on how vulnerable many of these systems are to cyber attack.
Recent incidents underscore the real-world consequences. A June 2024 attack on a pathology supplier disrupted services across south-east London NHS trusts, resulting in the postponement of more than 10,000 outpatient appointments and 1,710 elective procedures. The British Library, hit by a cyber incident in October 2023, has already spent £600,000 on recovery and expects further significant costs.
These are not isolated events but part of a broader upward trend in attacks on public-sector systems.
Progress is being made, but not fast enough
The government has sought to improve cyber resilience over the last decade. Its 2022 Government Cyber Security Strategy set a target to have key organisations “significantly hardened to cyber attacks by 2025.”
The NAO finds that progress to date is insufficient to meet that goal. A major constraint is the severe shortage of cyber specialists across government. Key findings for 2023–24 include:
- One in three cyber security roles was either vacant or occupied by temporary staff.
- Vacancy rates exceeded 50% in several departments.
- Seventy percent of specialist security architects were engaged as contingent labour.
Departments cite restrictive civil service recruitment processes and uncompetitive pay as major barriers to attracting and retaining skilled staff. The reliance on temporary workers raises concerns about continuity and about the institutional knowledge needed to tackle long-term cyber threats.
Coordination, accountability and funding gaps
The report also identifies structural weaknesses in the government’s cyber approach. Roles and responsibilities among departments and bodies such as the National Cyber Security Centre (NCSC) are not sufficiently clear, which risks weakening a coordinated defence against sophisticated threats.
Financial pressures compound the problem. Budget constraints have forced some departments to reduce cyber resilience measures. By March 2024, 53% of legacy IT assets (120 of the 228 identified) lacked fully funded remediation plans, leaving them exposed. The NAO notes that underinvestment in technology and cyber defences was a factor in the British Library incident.
To address these issues, the NAO urges the government to act swiftly and recommends specific timelines:
Within six months:
- Develop, circulate and adopt a cross-government implementation plan for the Government Cyber Security Strategy.
- Define how government operations must change to meet the strategy’s cyber security and resilience objectives.
Within one year:
- Create and implement plans to close workforce gaps in cyber skills.
Gareth Davies, Head of the NAO, warned: “The risk of cyber attack is severe and attacks on key public services are likely to happen regularly, yet government’s work to address this has been slow. To avoid serious incidents, build resilience, and protect the value for money of its operations, government must catch up with the acute cyber threat it faces.”
Davies highlights three core challenges that must be addressed: resolving the chronic cyber skills shortage, clarifying accountability for cyber risk, and managing legacy IT risks more effectively.
Emerging quantum threats
The report also reflects wider industry concerns about future threats such as quantum computing. Chris Erven, CEO and co-founder of KETS Quantum Security, warns that quantum computers could arrive sooner than many expect and would break current encryption systems used to protect government and commercial data.
Erven says that once a viable quantum computer is operational, commonly used encryption methods could be rendered obsolete, exposing sensitive communications and transactions. He urges organisations—including public bodies—to begin integrating quantum-resistant technologies into existing infrastructures now to avoid catastrophic breaches in the future.
A wake-up call for public services
The NAO’s findings are a clear wake-up call: rising cyber threats, combined with outdated systems, insufficient funding and staff shortages, put public services at increasing risk. Recent attacks have already disrupted healthcare and cultural institutions, demonstrating the tangible costs of inaction.
Improving resilience will require technical upgrades, reformed recruitment practices, clearer cross-department accountability and sustained investment to remediate vulnerabilities. Whether the government meets its 2025 goals will depend on how quickly it mobilises resources and implements the NAO’s recommendations.
Nathaniel Jones, VP of AI & Security Strategy at Darktrace, said the report highlights both the challenges and opportunities facing government cybersecurity. He noted that while departments are exploring AI solutions, many still operate complex legacy systems that demand careful attention. Strengthening the 58 critical systems identified by GovAssure offers a clear roadmap for improvement.
Jones added that the upcoming Cyber Security and Resilience Bill and changes to national procurement present an opportunity to modernise the UK’s defences. He emphasised that the response should go beyond short-term fixes: building adaptable security architectures will be essential to handle future threats driven by advances in AI and other technologies.