National Audit Office NAO

Government cyber resilience

2025 UK2025govCyberResilience
SCALE
  • The government supported its 2011 UK Cyber Security Strategy with a £650 million cross-government National Cyber Security programme
  • It supported the subsequent National Cyber Security Strategy 2016–2021 with funding of £1.9 billion
  • 89 of the 430 incidents managed by the National Cyber Security Centre between September 2023 and August 2024 were assessed as “nationally significant”
COMPLIANCE FOCUS
  • National Security Strategies
  • July 2024 King’s Speech
  • UK Government Resilience Framework
PERFORMANCE ASPECT
  • threat level
  • progress with implementing the Strategy
  • the challenges for departments in building cyber resilience
  • resilience outcomes for departments to meet
  • support and incentives
  • prioritisation

Legacy systems are often more vulnerable to cyber attack because their creators no longer update or support their use, few people have the skills to maintain them, and they have known vulnerabilities. The government estimated that it used nearly half of its £4.7 billion IT expenditure in 2019 to keep legacy systems running.

Until April 2023, the government did not collect detailed, reliable data about the cyber resilience of departments.

The resilience of the hundreds of ageing legacy IT systems that departments still use is likely to be worse, and departments have no fully funded remediation plans for half of these vulnerable systems. As a result, the government will not meet its aim for its “critical functions” to be resilient to cyber attack by 2025. GSG assesses that achieving this for the wider public sector by 2030 remains ambitious, in part because this relies on departments meeting their responsibilities to keep their systems cyber resilient.

Departments still find it difficult to understand the roles and responsibilities of the cyber organisations at the centre of government.

Multiple fundamental system controls were at low levels of maturity across departments, including asset management, protective monitoring and response planning (…) Departments cannot manage risk effectively and make risk-based decisions about how they protect their most important assets, if they do not understand their digital estate and security risks.

The items above were selected and named by the e-Government Subgroup of the EUROSAI IT Working Group on the basis of the publicly available reports of the authoring Supreme Audit Institutions (SAIs). In the same way, the Subgroup prepared the analytical assumptions and headings. All readers are encouraged to consult the original texts by the authoring SAIs (linked).