By Conor O’Neill
The public sector is one of the most vulnerable industries to cyber-attacks due to the sensitive information it holds and the often limited resources dedicated to cyber safety. Recent years have seen a spike in public sector attacks. The government’s Department for Science, Innovation and Technology Cyber Security Breaches Survey 2024 reported that 50% of organisations had experienced some form of cyber security breach or attack in the last 12 months.
The report highlights a decline in the number of organisations that have dedicated board members or trustees with responsibility for cyber security, falling from 38% in 2021 to 30% in 2024. This reduction in senior responsibility has been reported to impact how organisations challenge and improve their approaches as well as the sign-off process for securing new measures.
The findings from the most recent government report show that cyber security remains a critical concern for the UK public sector.
Why is the public sector struggling to protect against cyber-attacks?
The National Audit Office found that 58 critical government IT systems independently assessed in 2024 had significant gaps in cyber resilience, and the government does not know how vulnerable at least 228 ‘legacy’ IT systems are to cyber-attack.
Skills gaps are the biggest risk to building cyber resilience, with one in three cyber security roles in government vacant or filled by temporary staff in 2023-24.
Financial pressures have also meant that some departments have significantly reduced the scope of their work to build cyber resilience, which could increase the severity of an attack when it happens. In March 2024, departments did not have fully funded plans to remediate around half of the government’s legacy IT assets (53%, or 120 out of 228), leaving these systems increasingly vulnerable to cyber-attacks. Under-investment in technology and cyber was a key factor in the British Library cyber incident.
Budget constraints
One of the biggest obstacles to improving cybersecurity in the public sector is limited financial resources. Unlike private companies, which often have larger budgets dedicated to security investments, many government agencies and public institutions operate under tight fiscal constraints. This lack of funding and budget cuts can result in outdated security infrastructure, inadequate monitoring systems, and insufficient incident response capabilities, leaving public sector organisations vulnerable to cyber threats.
Skills Gaps and Staff Shortages
Cybersecurity requires highly skilled professionals who can detect, prevent, and respond to cyber threats effectively. However, there is a significant skills gap in the cybersecurity industry, and public sector organisations often struggle to attract and retain top talent. The shortage of skills to combat security breaches has become urgent, especially within sectors that deal with sensitive data.
Lack of awareness
Cybersecurity is not just a technological issue; human error remains one of the biggest causes of data breaches. Many employees in the public sector lack proper cybersecurity training, making them susceptible to phishing attacks, social engineering tactics, and poor password practices. Without regular awareness programs and training, organisations remain at risk of cyber threats.
How can the public sector improve its cyber safety?
Having a robust security strategy is essential to protect public sector organisations from increasing cyber threats. As threats continually evolve, it is crucial to keep improving and adapting your cyber security measures.
Implement Zero Trust Security Models
Across all sectors, remote and hybrid working has become the norm – even for the public sector. However, an increase in working from home brings a new set of risks. The ‘implicit trust’ we extended across our networks and to internal users is being used against us, with attacks that could expose critical data or cause network failure.
A zero-trust approach assumes that threats exist both outside and inside an organisation. This means you need to have controls in place to minimise the harm that attackers can do once they are inside. You can do this by restricting the access they have to services and information. Monitoring and logging are key to detecting signs of malicious activity as quickly as possible and limiting the damage attackers can do. Encrypting sensitive data and segmenting networks can also reduce the impact of potential breaches.
Risk Assessment
Organisations in the public sector should take a risk-based approach to implementing cyber security measures. Identify and prioritise potential risks and vulnerabilities within your organisation. This could include outdated software, weak passwords, or insufficient employee training. Develop clear policies and procedures that govern how data is secured and accessed in your organisation. Ensure that these policies are communicated effectively to all employees and regularly reviewed and updated.
Training
Education and training play a vital role in improving cybersecurity in the public sector. Regular training programs help employees recognise and respond to potential threats, such as phishing attempts and ransomware attacks. Cyber awareness campaigns and simulated attack exercises can improve response times and reduce human error, which is a major contributor to security breaches. Additionally, public sector organisations should encourage continuous learning and professional development in cybersecurity, ensuring that employees stay updated on the latest threats and best practices. By integrating cybersecurity education into workplace culture, public entities can build a more resilient and security-conscious workforce.
Digital Transformation
Modernising IT infrastructure is essential to closing security gaps in the public sector. Regularly update and patch software, firewalls, and network devices to protect against known vulnerabilities. Moving over to modern cloud-based technology can help to enhance cyber security due to its continuous updates. Using outdated technology can run the risk of minimal or discontinued updates, leaving software and systems more vulnerable to cyber-attacks.
Incident Response and Recovery
Despite the best preventive measures, cyber incidents can still occur. Having a robust incident response and recovery plan is crucial to minimise damage and quickly restore services. Organisations should regularly test and update the plan to ensure its effectiveness as well as identify employees who may need additional cyber security training. Conduct thorough investigations to understand the scope and impact of the incident. Take necessary actions to recover systems, data, and services. Learn from the incident to strengthen future security measures.
As the risk of attacks rises, defending public organisations becomes even more critical. Having a robust cybersecurity incident response plan in place is not just about protecting systems and data – it’s about safeguarding public trust, ensuring the delivery of critical services, and complying with legal and regulatory requirements. By prioritising cybersecurity investment, addressing workforce gaps and adopting proactive security measures, the public sector can better defend itself against growing cyber-attacks.
The author is CEO and Co-Founder, OnSecurity. Views are personal.