The UK government’s ability to withstand a “growing cyber threat” is lower than anticipated, according to the National Audit Office (NAO).
The government spending watchdog revealed that while the cyber threat is “severe and advancing quickly”, government departments have significant gaps in their system controls that it says are fundamental to cyber resilience.
On top of this, the report highlighted the presence of “hundreds of ageing legacy IT systems,” many of which are even more vulnerable. It also noted that half of these at-risk systems have no funded remediation plans, and that the government is facing a shortage of cyber skills.
In 2023/24, the report found that more than half of roles in several departments’ cyber security teams were vacant, and as of March 2024, at least 228 “legacy IT systems” were in use.
The NAO concluded that the government will likely fall short of its goal to make its “critical functions” resilient to cyber attacks by 2025. Although the government has started work to implement a cyber strategy, it pointed out that “progress is slow and cyber incidents with a significant impact on Government and public services are likely to happen regularly.”
It urged the Government to “catch up with the acute cyber threat it faces.”
“The government will continue to find it difficult to do so until it successfully addresses the long-standing shortage of cyber skills, strengthens accountability for cyber risk, and better manages the risks posed by legacy IT,” the report stated.
Geoffrey Clifton-Brown MP, chairman of the Public Accounts Committee, said: “We have seen too often the devastating impact of cyber attacks on our public services and people’s lives.
“Despite the rapidly evolving cyber threat, the Government’s response has not kept pace. Poor coordination across Government, a persistent shortage of cyber skills, and a dependence on outdated legacy IT systems are continuing to leave our public services exposed.
“Today’s NAO report must serve as a stark wake-up call to Government to get on top of this most pernicious threat.”
Dominic Trott, director of strategy and alliances at Orange Cyberdefense UK, remarked on the findings, emphasising the need for comprehensive cyber readiness. “Institutions, whether governmental or otherwise, must ensure they understand the evolving ecosystem of cyber extortion incidents and how to alleviate the risk,” he said.
“It is imperative that government departments develop well-defined incident response plans, should the worst happen, to ensure a continuation of services.”
Trott added: “To build readiness for cyber resilience into the UK’s public sector and critical national infrastructure, there needs to be investment in areas such as comprehensive cyber risk assessments, integrated incident reporting, cyber resilience testing, and cross-framework governance.”