
More Gloom for UK Cyber, Or Future Opportunities?

The National Audit Office report on UK government's cyber posture made for harsh reading.


Towards the end of 2024, perspectives on the state of UK cybersecurity were not positive. It was claimed that there is a growing gap between exposure to cyber-attacks and threats and the UK’s ability to defend against and be resilient to attacks.

Those claims, from the NCSC’s 2024 Annual Review, were echoed in a recent report from the National Audit Office which stated that the cyber threat to UK government is severe and advancing quickly, and despite work by “successive governments for at least a decade to build the UK’s cyber resilience,” the UK has not improved its cyber resilience fast enough to meet this aim.

Significant Gaps

The numbers did not make pretty reading: the NAO identified that the government’s cyber assurance scheme, GovAssure, which independently assessed 58 critical departmental IT systems by August 2024, found significant gaps in cyber resilience, with multiple fundamental system controls at low levels of maturity across departments.

At least 228 ‘legacy’ IT systems were in use by departments as of March 2024, and the government has no way of knowing how vulnerable these systems are to a cyber-attack.

The reasons were laid out clearly:

  • A shortage of cyber skills within government, where one in three cybersecurity roles in government were vacant or filled by temporary staff in 2023-24
  • A lack of coordination within government jeopardising effective cyber defence
  • Financial pressures mean that some departments have significantly reduced the scope of their work to build cyber resilience
  • No fully funded plans to remediate 53 percent of government’s legacy IT assets

These are not easy issues to resolve, and some are a persistent problem for businesses in the private sector too. Commenting, James Morris, chief executive at the CSBR, called the findings “sobering reading,” and said they “reinforce the urgent need for radical policy thinking to ensure that cybersecurity and resilience sit at the heart of what government does.”

Miss the Point

In an email to SC UK, Ian Stretton, director at Green Raven, said the finger being pointed at the high levels of vacancies and a skills shortage “is, I think, to miss the point.”

He claims the broader problem is that any cybersecurity strategy, whether at national or organisational level, that relies substantially on building more, and more sophisticated, technological defences around assets is ultimately doomed to fail.

“A frank, honest discussion is urgently needed, about how the whole of government can use new and emerging cybersecurity technology to understand where attacks are most likely to land, and about how resources can be efficiently deployed at such points to repel attacks,” he says.

Opportunities

So is it all doom and gloom for UK cyber? Nathaniel Jones, VP, AI and security strategy at Darktrace said that the Government now has an opportunity in its upcoming Cyber Security and Resilience Bill and national procurement statement to upgrade the UK's defences for a modern age.

“As we enter an era where AI is compounding offensive cyber capabilities, government departments will need to fundamentally upgrade their security approaches to safely harness modern day solutions for better public services,” Jones said. “This isn't just about patching existing systems - it's about building security architectures that can adapt to the future landscape.”

We can see that UK cyber is under attack, and while some incidents over the past year have hit hard, others such as Salt Typhoon hit the UK’s strongest allies. Does it all need to be so negative though? As Jones said, there is a focus on ensuring the security of the UK with the upcoming Bill, and every step forward should be considered a positive one.


Dan Raywood, Senior Editor, SC Media UK

Dan Raywood is a B2B journalist with more than 20 years of experience, including covering cybersecurity for the past 16 years. He has extensively covered topics from Advanced Persistent Threats and nation-state hackers to major data breaches and regulatory changes.

He has spoken at events including 44CON, Infosecurity Europe, RANT Conference, BSides Scotland, Steelcon and ESET Security Days.

Outside work, Dan enjoys supporting Tottenham Hotspur, managing mischievous cats, and sampling craft beers.
