Background to the report
Cyber attack is one of the most serious risks to the UK and the government’s resilience. The COVID-19 pandemic highlighted that the UK needed to strengthen its national resilience and prepare for future emergencies. The government defines cyber resilience as “the ability of an organisation to maintain the delivery of its key functions and services and ensure the protection of its data, despite adverse cyber security events”.
Scope of the report
This report examines whether the government’s efforts to improve its cyber resilience are keeping pace with the cyber threat it faces. The report aims to: hold government to account for its performance; increase transparency about how cyber resilient government is; and help government improve its cyber resilience. To do this, we examined:
- the threat to government cyber security
- progress with implementing the government’s cyber strategy
- the government’s cyber resilience position in 2024
- the challenges for departments in building cyber resilience
Conclusions
Cyber attacks continue to have serious consequences for government organisations, public services and people’s lives, undermining the value for money of government expenditure in affected services and systems.
The cyber threat to the government is severe and advancing quickly. In response, the Cabinet Office has published and started leading work to implement the first cyber strategy for government. Its work on centrally led interventions such as GovAssure and Secure by Design should improve departments’ cyber resilience.
However, progress is slow and cyber incidents with a significant impact on government and public services are likely to happen regularly, not least because of the growing cyber threat. The government’s cyber resilience levels are lower than it previously estimated, and departments have significant gaps in their system controls that are fundamental to their cyber resilience.
The resilience of the hundreds of ageing legacy IT systems that departments still use is likely to be worse, and departments have no fully funded remediation plans for half of these vulnerable systems. As a result, the government will not meet its aim for its “critical functions” to be resilient to cyber attack by 2025.
The Government Security Group assesses that achieving this for the wider public sector by 2030 remains ambitious, in part because this relies on departments meeting their responsibilities to keep their systems cyber resilient.
To avoid serious incidents, build resilience and protect the value for money of its operations, government must catch up with the acute cyber threat it faces. The government will continue to find it difficult to do so until it successfully addresses the long-standing shortage of cyber skills, strengthens accountability for cyber risk, and better manages the risks posed by legacy IT.
Downloads
- Report - Government cyber resilience (.pdf — 367 KB)
- Summary - Government cyber resilience (.pdf — 131 KB)
- ePub - Government cyber resilience (.epub — 1 MB)
Publication details
- ISBN: 978-1-78604-595-9
- HC: 546, 2024-25
Press release
View press release (29 Jan 2025)