The UK’s Cyber Resilience Challenge: Time to Get Serious
The UK government knows that cyberattacks are one of the most dangerous threats facing the country today. The latest National Risk Register puts cyber threats on the same level as pandemics and other national crises—because, as the world becomes ever more digital, the risks are only intensifying.
And yet, despite this clear and present danger, a National Audit Office (NAO) report on government cyber resilience paints a deeply concerning picture. The government has been unable to quantify how vulnerable 228 legacy IT systems are, the cybersecurity skills gap is widening, and cybersecurity funding is being squeezed by other government priorities. This isn’t just a hypothetical problem—it’s a real-world crisis waiting to happen.
A Government at Risk
The numbers don’t lie. Between September 2023 and August 2024, the National Cyber Security Centre (NCSC) managed 89 “nationally significant” cyberattacks. That means nearly 90 serious threats that had the potential to disrupt critical national infrastructure, government operations, and even essential public services like healthcare.
The Synnovis NHS supply chain attack was a wake-up call. Patient harm occurred because an attack compromised healthcare services. That’s the human impact of poor cyber resilience. Cyberattacks aren’t just about data breaches and financial losses—they put lives at risk.
The NAO report also shines a light on an issue that cybersecurity experts have been shouting about for years: the UK government is critically short on cybersecurity talent. More than 50% of cyber roles in key government departments remain vacant. That’s an unacceptable failure.
At the same time, the government is pushing ahead with AI as a driver of economic growth, but AI also expands the attack surface, creating new vulnerabilities. Without the right cybersecurity expertise in place, the UK is heading into uncharted—and highly dangerous—territory.
The Cyber Security & Resilience Bill: A Step in the Right Direction
The government is finally showing signs of taking cybersecurity seriously. The Cyber Security & Resilience Bill, expected to pass in 2025, aims to boost national cyber resilience. But good intentions aren’t enough.
The NAO report warns that “funding of other priorities has reduced the scope of cyber security work,” meaning that when the next big attack happens, it could be far more severe than it needs to be. With the spending review looming, cybersecurity cannot be treated as an afterthought.
Leadership Must Step Up
Perhaps one of the most damning findings in the NAO report is that government department leaders don’t always recognise cyber risk as a strategic priority. Many of the most senior decision-making boards have no cybersecurity expertise at all.
That’s a recipe for disaster. Cybersecurity isn’t just an IT issue—it’s a business continuity issue, a national security issue, and a public safety issue. Without digital leaders at the table, government departments will continue to be reactive rather than proactive, leaving the UK dangerously exposed.
The government needs to ditch the outdated, compliance-driven approach to cybersecurity. Static risk assessments and tick-box exercises won’t cut it in today’s threat landscape. Instead, what’s needed is:
- Real-time risk assessment across departments, identifying vulnerabilities dynamically rather than through outdated audits.
- Technology investment to highlight risks in an easy-to-digest format for boards, so decision-makers actually understand the threats they’re facing.
- Automated mitigation strategies that improve cyber resilience continuously, rather than waiting for the next disaster.
Cybersecurity is never “done.” It requires constant vigilance, investment, and leadership. The government has acknowledged the threat—now it’s time to act before it’s too late.