Government Cyber Resilience report: key findings & recommendations
Today's Government Cyber Resilience report from the National Audit Office (NAO) has painted a stark picture of the UK government’s cyber resilience, identifying deep-rooted vulnerabilities in critical IT systems, widespread skills shortages, and inadequate funding structures.
Key findings from the NAO’s analysis reveal that:
- Critical vulnerabilities exist across multiple departments: A 2024 assessment of 58 vital departmental IT systems found many lacked maturity in fundamental cyber controls, such as asset management, protective monitoring, and incident response planning.
- Legacy IT systems remain a major risk: Over 228 aging systems are still in use across government, yet there is little clarity on how vulnerable they are. Many of these legacy systems are unsupported, difficult to maintain, and prone to exploitation.
- Severe staffing shortages exacerbate the problem: In 2023-24, one-third of central government cyber security positions were unfilled or occupied by temporary staff, with some departments reporting more than 50% of their cyber roles vacant.
- Financial pressures stall progress: Departments reported they lacked fully funded plans to address vulnerabilities in over half of their legacy systems. Additionally, constraints on budgets have forced some to scale back or delay key cyber resilience initiatives.
- Lack of coordination undermines a unified defence: Confusion over responsibilities and a lack of shared accountability across government entities have hampered efforts to improve resilience and respond to incidents effectively.
Longstanding problems, limited progress
Efforts to bolster government cyber security are not new. For over a decade, the UK has placed cyber resilience at the forefront of its national security strategy.
The January 2022 Government Cyber Security Strategy set ambitious goals, including hardening critical government functions against cyber attacks by 2025 and achieving full public sector resilience to known threats by 2030. However, as the NAO points out, progress has been slow and uneven.
One of the strategy’s cornerstone initiatives - GovAssure - was designed to independently verify the cyber resilience of critical systems. Yet the NAO found that even with GovAssure’s data, departments have struggled to close the most pressing gaps. Key controls remain underdeveloped, and improvement plans - though identified - often lack the funding or staffing needed for implementation.
Compounding these challenges is the government’s continued reliance on aging technology. Legacy systems often can’t support modern security measures, leaving them as open targets for malicious actors. As of March 2024, 63 of the 228 legacy systems identified were classified as “red-rated,” indicating a high likelihood of significant operational and security risks.
Skills shortages: a persistent barrier
The NAO’s findings highlight the persistent struggle to recruit and retain skilled cyber security professionals. Departments have cited uncompetitive salaries and lengthy civil service hiring processes as key barriers, leaving critical roles unfilled for extended periods. This shortage extends beyond front-line staff to strategic leadership, with few senior decision-making boards including members with cyber expertise.
Recommendations
Recognising the urgent need to close these gaps, the NAO’s report lays out a series of actionable recommendations:
- Immediate cross-government planning: Within six months, the government must develop and implement a comprehensive cross-departmental plan for achieving its cyber security strategy goals. This should include a clear monitoring framework to measure progress and evaluate the effectiveness of initiatives.
- Filling the skills gap: Departments should conduct detailed workforce analyses and develop targeted recruitment and retention strategies to ensure critical cyber roles are filled.
- Better governance and accountability: Senior leadership boards must integrate cyber expertise and enhance reporting structures, ensuring that cyber risks are managed as a core element of strategic planning.
- Addressing legacy vulnerabilities: A more rigorous approach to identifying, assessing, and remediating legacy systems is essential. The NAO recommends prioritising security enhancements, isolating vulnerable systems, and incorporating legacy risks into broader resilience metrics.
The NAO’s report makes it clear that the government faces a critical juncture. Without swift, decisive action, the consequences of inaction could be severe, leaving public services vulnerable to disruption and citizens exposed to the fallout of future attacks.
As Gareth Davies, head of the NAO notes: “The government’s current approach is too slow. To protect vital services and maintain value for money, it must significantly accelerate its efforts.”
With just a year remaining before the 2025 resilience target, the government’s ability to overcome these challenges will be put to the test. If it fails to act on the NAO’s recommendations, the gap between a rapidly evolving threat landscape and the UK’s defensive capabilities will continue to widen - at significant cost to public trust, safety, and the integrity of essential services.