The UK government’s plan to be “cyber resilient” by the end of 2025 looks, unfortunately, unlikely to be achieved. A new report from the Public Accounts Committee (PAC) says the Cabinet Office has a lot more work to do to find the right balance between supporting departments, holding them accountable, and stepping up its own game at the heart of government.
In its report, Government Cyber Resilience, the PAC gave a mixed review. On the plus side, it gave the Cabinet Office a thumbs-up for starting to independently check how resilient critical IT systems are across departments. However, those checks showed that, overall, the government’s cyber resilience is way below where it should be. Many systems are still riddled with basic weaknesses.
The Weaknesses in Government Cyber Resilience
A deep dive in July 2024 looked at 72 critical systems across 35 departments and found serious gaps—lots of failures in risk management and incident response. Yes, it’s a step up from where things used to be, but the PAC wasn’t impressed with the pace of progress. The ongoing reliance on self-assessments to spot at-risk, outdated IT systems was one of the major concerns.
The PAC called out the lack of independent checks on these legacy systems, which make up around 28% of the public sector’s IT, according to the Department for Science, Innovation and Technology (DSIT). They said it’s worrying that the government doesn’t have a full handle on how many legacy systems are out there, making it impossible to manage the risks properly.
The report also pointed fingers at government departments for not taking cyber security seriously enough—and said the Cabinet Office hasn’t exactly made things easy, thanks to a lack of clear guidance. Across Westminster, it seems a lot of people are underestimating just how serious the threat is, and their decisions don’t reflect the urgency needed. The report stressed that every department needs to make sure its security leaders are involved at the top levels where big decisions are made.
Cyber Talent Shortage
The PAC didn’t hold back when it came to the issue of hiring, either. They criticised the government for being too stingy with salaries, making it hard to attract top cyber security talent. Even though the government has grown its digital workforce to around 23,000 people, one in three cyber security roles are either empty or being filled by external contractors.
The committee warned that unless the government gets realistic about pay, it’s going to struggle to recruit and keep the best people. They also highlighted the need for departments to have digital and security leaders at the top table, pointing out that many still don’t fully grasp the seriousness of the cyber threat or prioritise it properly.
Conclusion
In general, the report paints a picture of a government struggling to keep up with the rising tide of cyber threats. It pointed to recent attacks like the 2023 ransomware hit on the British Library, the 2024 incident at NHS supplier Synnovis, and the ongoing supermarket attacks as proof that the threat landscape is only getting more dangerous.