CFOtech UK - Technology news for CFOs & financial decision-makers
UK government faces urgent cybersecurity threat crisis

Today

The National Audit Office (NAO) is anticipated to release a report highlighting severe and rapidly evolving cyber threats faced by the UK government, necessitating immediate protective measures for critical operations and public services.

The report is expected to reveal that 58 critical government IT systems, independently assessed in 2024, had significant deficiencies in their cyber resilience.

Furthermore, there is a lack of knowledge regarding the vulnerability of 228 legacy IT systems. These findings underscore a pressing need for improvement in cyber resilience.

Megha Kumar, Chief Product Officer at the global cyber consultancy CyXcel, remarked, "The NAO report is a timely reminder and warning for UK enterprises to double down on their cybersecurity posture, given the rise in the sophistication, frequency and scope of cyberattacks against the UK. This exposure will not change since the UK has an open information society and is home to enterprises that hold vast financial wealth and lucrative strategic information."

The report will also touch upon skills gaps, noting that one in three cybersecurity roles within the government were vacant or temporarily filled in 2023-24. Kumar addressed this issue, stating, "The recent UK government proposal to ban ransomware payments, if enacted, would remove one of the tools that UK businesses frequently rely on: they take insurance cover which covers potential ransom payments and then become complacent about ways to mitigate cyber risks proactively. However, this proposal would oblige enterprises to shift from reactive to proactive cybersecurity, which is a necessary step so businesses should prepare now."

Dan Lattimer, AVP of EMEA West at Semperis, elaborated on the report's findings, "Building operational resilience into your business plans is essential to withstanding the increase of cyberattacks against public and private sector organisations and agencies."

"I'm not surprised by the findings in the new NAO report, as government agencies across the UK and the world traditionally deal with legacy technology issues that open gaps in infrastructure and leave systems more susceptible to being breached."

Lattimer advised government agencies to focus on the security of their identity systems, particularly Active Directory, because of its widespread use and its role as a common breach point in ransomware attacks. He explained, "Identity systems have become the new security perimeter and Semperis has found that in 90 percent of ransomware attacks, ransomware gangs breach the identity system. From there the threat actors control a network, and the more severe the attack, the more likely it is the organisation will pay a ransom."

Sam Peters, Chief Product Officer at ISMS.online, commented on the implications for public and private sector organisations, "The cost of inaction is no longer acceptable. Cyberattacks targeting critical infrastructure and public services can have devastating consequences, and not acting now will only create bigger problems for public and private sector organisations to solve in the future and likely at a much bigger cost."

Peters further criticised the reliance on legacy systems and the high number of vacancies in cybersecurity roles within the government, noting, "Cumulatively the skills gap and reliance on legacy systems really underscores the broader issue of underinvestment in cybersecurity."

"Organisations and government must view compliance not as a cost but as an investment in resilience, trust, and business growth."
