Cyber Risk
Policy Shortfalls Put UK Public Sector Cybersecurity at Risk
Our latest research reveals that fragmented regulatory guidance and unclear internal policies are leaving UK public sector organisations increasingly exposed to cyber threats.
Save to Folio
Our latest research reveals that fragmented regulatory guidance and unclear internal policies are leaving UK public sector organisations increasingly exposed to cyber threats. I have seen first-hand how these gaps compromise our ability to safeguard critical public services. In an independent survey of 250 IT leaders with direct cybersecurity responsibilities, we discovered that too many governing bodies and overly complex procedures have clouded our understanding of best practices, leading many organisations to operate with weakened cyber defences.
Nearly one-third of those surveyed admitted that ambiguous internal policies are undermining their security strategies, while almost a quarter fear that these shortcomings could directly result in data breaches or cyber incidents. I share these concerns, particularly when 68% of our peers believe that current government policies do not establish the minimum security standards necessary for protecting public services and their suppliers. Frameworks like G-Cloud, for example, have been criticised for failing to help us select vendors with robust cybersecurity credentials.
In general, we remain cautiously optimistic about the potential of the new Cyber Assessment Framework (CAF) as a transformative tool. I see it as a promising way to benchmark cyber risks and forge stronger partnerships that enhance resilience across the public sector. However, the journey to a secure future is not without its challenges. Many organisations are so focused on managing immediate threats that they struggle to develop long-term cyber strategies, and funding limitations are a significant barrier to investing in essential security awareness and training.
What troubles me most is the persistent mindset in boardrooms, where cybersecurity is often relegated to a mere tick-box exercise rather than being recognised as a business-critical risk. In my view, this oversight is unacceptable. Recent cyber-attacks have exposed the vulnerability of our public services—from compromised streetlight systems in local councils to ransomware attacks on NHS suppliers that have led to cancelled and delayed blood tests. The Synnovis ransomware incident, in particular, serves as a stark reminder that the consequences of cyber incidents extend far beyond data breaches; they have real-world, life-altering impacts on people’s lives.
We believe that a strategic overhaul of our approach to cybersecurity is urgently needed. The promise of the CAF can only be realised if there is a corresponding shift in both boardroom attitudes and funding priorities. Recognising cybersecurity as a core, business-critical risk is essential if we are to protect our public services in an increasingly digital world.