The UK government’s National Audit Office (NAO) has raised significant concerns about the cyber resilience of critical IT systems across government departments. A 2024 assessment under the government’s cyber assurance scheme, GovAssure, found that 58 critical systems had “significant” gaps in cyber resilience, leaving them at very high risk. The report noted that many of these systems had weak controls in areas such as asset management, protective monitoring, and incident response planning, making them easier targets for cyberattacks.
Furthermore, the NAO reported that 228 legacy IT systems were still in operation, with 28% of them receiving “red-rated” evaluations due to high operational and security risks. Notably, the Cabinet Office Government Security Group (GSG), which oversees central government security, had excluded legacy systems from the GovAssure assessment.
This has resulted in a significant visibility gap, as the GSG lacks information on the security status of these outdated systems and how effectively they are being managed.
One of the key issues highlighted by the report is the shortage of skilled cybersecurity professionals. In 2023-24, a third of cybersecurity roles within central government were either vacant or filled by temporary staff. This staffing shortfall has slowed efforts to improve the security posture of government systems at a time when threats from hostile states and cybercrime groups continue to grow. The NAO argued that the government must urgently close these gaps in skills and resources to avoid a serious cybersecurity incident.
The NAO’s report recommends several actions to improve cyber resilience, including developing a cross-government plan to address cybersecurity risks and prioritising the mitigation of risks posed by legacy IT systems. It also calls for stronger cyber-risk governance and clearer accountability across departments. Experts suggest that the government must adopt a more strategic approach to cybersecurity, making use of emerging technologies and threat intelligence to defend more effectively against cyberattacks.