The British Government Faces Severe Cyber Threats

Uploaded on 2025-02-04 in FREE TO VIEW

The cyber threat to UK government is severe and advancing quickly and the government must act now to protect its own operations and key public services, according to a new report published by the public spending watchdog The National Audit Office (NAO).

The NAO evaluated whether government was keeping pace with the rapidly evolving cyber threat it faces from hostile actors.

It identified that the government’s new cyber assurance scheme, GovAssure, which independently assessed 58 critical departmental IT systems by August 2024, found significant gaps in cyber resilience with multiple fundamental system controls at low levels of maturity across departments.

At least 228 ‘legacy’ IT systems were in use by departments as of March 2024, and the government does not know how vulnerable these systems are to a cyber attack. 

If successful, cyber attacks can have devastating effects on government organisations, public services, and people’s lives. Recent such incidents include:-

  • In June 2024, a cyber attack on a supplier of pathology services to the NHS in south-east London led to two NHS foundation trusts postponing 10,152 acute outpatient appointments and 1,710 elective procedures.
  • The British Library, which experienced a cyber attack in October 2023, has already spent £600,000 rebuilding its services and expects to spend many times more as it continues its recovery. Under-investment in technology and cyber was a key factor in the British Library cyber incident.

Successive governments have been working for at least a decade to build the UK’s cyber resilience, including publishing a strategy for improving government organisations’ cyber security in January 2022. This strategy included a target for key government organisations to be “significantly hardened to cyber attack by 2025”. But government has not improved its cyber resilience fast enough to meet this aim.

Reason for this is shortages of cyber skills within government in 2023-24:

  • one in three cyber security roles in government were vacant or filled by temporary staff (contingent labour).
  • more than 50% of cyber roles in several departments were vacant.
  • 70% of specialist security architects in post were temporary staff.

Departments reported that the salaries they can pay and civil service recruitment processes are barriers to hiring and keeping people with cyber skills. Other concerns include a lack of coordination within government jeopardising effective cyber defence. The respective roles of departments and organisations at the centre, such as the NCSC, are insufficiently understood.

Government departmental leaders have not consistently recognised the relevance of cyber risk to their strategic goals.

Financial pressures have also meant that some departments have significantly reduced the scope of their work to build cyber resilience, which could increase the severity of an attack when it happens. In March 2024, departments did not have fully funded plans to remediate around half of government’s legacy IT assets (53%, or 120 out of 228), leaving these systems increasingly vulnerable to cyber attack.

The NAO is urging the government to act now to build its cyber capabilities and defences. It recommends that the following actions be taken within the next six months:

  • Develop, shares and starts using a cross-government implementation plan for the Government Cyber Security Strategy.
  • Sets out how the whole of government needs to operate differently, and what is needed for this transformation to be effective, so that it can achieve its goals for government cyber security and resilience.
  • Within the next year: make and enact plans to fill cyber skills gaps in workforces.

“The risk of cyber attack is severe, and attacks on key public services are likely to happen regularly, yet government’s work to address this has been slow... To avoid serious incidents, build resilience and protect the value for money of its operations, government must catch up with the acute cyber threat it faces...

“The government will continue to find it difficult to catch up until it successfully addresses the longstanding shortage of cyber skills; strengthens accountability for cyber risk; and better manages the risks posed by legacy IT.” the NAO reaport concludes.

National Audit Office   |   Independent   |   Telecoms Tech News

Image:

You Might Also Read: 

British Companies Will Spend 30% More On Cyber Security:

If you like this website and use the comprehensive 7,000-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible

 

« PayPal Pays A Price For Exposing Customer Data
Securing Critical Infrastructure From Nation-State Threats   »

CyberSecurity Jobsite
Check Point
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

TÜV SÜD Academy UK

TÜV SÜD Academy UK

TÜV SÜD offers expert-led cybersecurity training to help organisations safeguard their operations and data.

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

Apcon

Apcon

Apcon's mission is to provide valuable network insights that enable security and network professionals to monitor, secure and protect their data in both physical and virtual environments.

L J Kushner & Associates

L J Kushner & Associates

L.J. Kushner is a leading Information Security recruiting firm.

D-Fence

D-Fence

D-Fence high availability security service protects corporate email communication, the company and it's employee's against cyber threats.

Cyber Security Research Centre - University of Cardiff

Cyber Security Research Centre - University of Cardiff

Cardiff University's Centre for Cyber Security Research is a leading UK academic research unit for cyber security analytics.

Securely

Securely

Securely Ltd. is an IT consulting and services firm specializing in PKI solutions and products.

CYE

CYE

Utilizing data, numbers, and facts, CYE helps security leaders know what business assets are at risk and execute cost-effective remediation projects for optimal risk prevention.

Greensafe IT

Greensafe IT

Greensafe offer various onsite and offsite data erasure services, aimed at increasing data security whilst reducing any risk of data loss during transit.

CyCognito

CyCognito

CyCognito empowers companies to take full control over their attack surface by uncovering and eliminating the critical security risks they didn't even know existed.

Pinpoint Search Group

Pinpoint Search Group

Pinpoint Search Group's recruiters specialize in Information Management, Cyber Security, Cloud and Robotic Process Automation (RPA).

Cyberspace Solarium Commission (CSC)

Cyberspace Solarium Commission (CSC)

The Cyberspace Solarium Commission was established to develop a consensus on a strategic approach to defending the United States in cyberspace against cyber attacks of significant consequences.

Drip7

Drip7

Drip7 is a micro-learning platform that is re-inventing the way companies train their employees and build lasting cultural change around the importance of cybersecurity.

Comparitech

Comparitech

Comparitech strives to promote cyber security and privacy for all. We are committed to providing detailed information to help our readers become more cyber secure and cyber aware.

Xscale Accelerator

Xscale Accelerator

Xscale's vision is to create world-class startups out of India by transforming sales and providing access to global markets.

Axient

Axient

Axient advances defense and civilian missions from aerospace to cyberspace with multi-domain test and analysis, mission engineering and operations, and advanced technologies.

Fivecast

Fivecast

Fivecast is enabling a safer world. We help organizations around the world explore masses of data to uncover actionable insights.

Rapifuzz

Rapifuzz

At Rapifuzz, our goal is to help organizations test and secure their APIs enabling trust, innovation and Seamless Secured Digital Experiences.

CIP Cyber

CIP Cyber

CIP Cyber is an online learning community with a mission of connecting, training, and certifying cybersecurity professionals to protect critical infrastructure.