
The Public Sector Cyber Gap: Why Government's Security Posture Trails the Threat

The annual DSIT Cyber Breaches Survey makes for uncomfortable reading. In 2026, it found that 74% of UK businesses had experienced a cyber incident in the preceding twelve months. For the public sector, the comparable figure is higher — and the nature of the incidents is more frequently severe.

There is no shortage of diagnosis. The NCSC has characterised the threat clearly and repeatedly. The National Audit Office has documented the inadequacy of cyber security investment in central government and its arm’s-length bodies. The Public Accounts Committee has published its own reports. The gap between documented risk and available resource is widely acknowledged.

What is less clear is whether the structural conditions that create this gap are changing at a pace commensurate with the threat. The evidence is mixed at best.

The Structural Problem

The UK public sector’s cyber security challenges are not primarily about awareness or intent. Most senior responsible owners and IT leadership in central government understand the threat landscape in broad terms. The problem is structural, and it operates across several dimensions simultaneously.

Fragmented IT estates. The UK public sector does not have a unified IT infrastructure. It has hundreds of separate IT estates — departments, agencies, arm’s-length bodies, NHS trusts, local councils, police forces — each with their own procurement, their own refresh cycles, their own legacy systems, and their own relationships with managed service providers. The average NHS trust still runs systems that were already old when WannaCry struck in 2017. Some councils are managing IT on budgets that haven’t materially increased since austerity.

This fragmentation creates an attack surface that cannot be addressed through centralised action alone. The NCSC’s Active Cyber Defence programme, which provides Protective DNS, Mail Check and Web Check services across government, is genuinely valuable and materially reduces exposure to commodity threats. But those services act on external-facing infrastructure: DNS resolution, email domain configuration, and public web services. They do not address unpatched legacy systems, poor privileged access management, or the absence of endpoint detection and response capability in most local government environments.

Procurement cycles that optimise for cost. Government IT procurement is, by design, focused on value for money as defined by capital cost. Security capabilities that are harder to quantify in a business case — detection and response capability, threat intelligence, SOC services — consistently lose out to cheaper proposals during procurement evaluation.

The consequences compound over time. A department that chose the cheaper IT managed service five years ago is now paying the security cost of that decision in the form of a supplier with inadequate monitoring, a contract that doesn’t require incident notification, and a renewal negotiation in which renegotiating security terms is commercially unattractive. The Government Commercial Function has been working on improving security requirements in procurement frameworks, but change is slow.

Talent. The public sector cannot match private sector compensation for experienced security professionals. A senior SOC analyst or threat intelligence lead at a government department earns materially less than their counterpart at a large bank or consultancy. The gap has widened as private sector demand for security talent has increased.

The consequence is a persistent experience gap in government security teams. Entry-level analysts cycle through on two-year stints on their way to better-paid private sector roles. Specialist capabilities — OT security, intelligence analysis, incident response — are frequently contracted in rather than retained in-house. When the contracts end or the consultancies have to prioritise, the institutional knowledge leaves with them.

GovAssure: Useful but Insufficient

The Cabinet Office’s GovAssure programme, launched in 2023 and expanded since, requires central government departments to self-assess against the NCSC’s Cyber Assessment Framework and have those assessments reviewed. It is a meaningful improvement on the previous state of affairs, which was close to no systematic assurance at all.

The limitations are real, however. GovAssure covers central government departments and their immediate arm’s-length bodies. It does not cover local government (43 million people interact with council services), most of the NHS at trust level, or the extended supply chain of government IT providers. The Volt Typhoon intelligence described above — pre-positioning in Tier 2 supplier networks — sits largely outside GovAssure’s scope.

The programme also relies on self-assessment in the first instance. Organisations that systematically understate their cyber risk in other contexts can be expected to understate it in a compliance framework.

The Cyber Security and Resilience Bill

The Cyber Security and Resilience Bill, introduced following the 2024 election and currently progressing through Parliament, is the most significant legislative development in this space for several years. It extends mandatory incident reporting, expands the NIS Regulations to cover more digital infrastructure providers, and gives regulators enhanced enforcement powers.

For government and public sector specifically, the most consequential provisions relate to the supply chain: the Bill extends obligations to suppliers of regulated sector entities, which will, in practice, draw many government IT suppliers into a formal reporting and assurance regime for the first time.

The Bill is welcome. Its limitations are also real. Threat timelines in this area have historically outpaced legislative timelines, and the threat landscape that will exist when the Bill is fully in force will not be the same as the one that motivated its drafting.

What Is Actually Changing

Some things are genuinely improving. The NCSC’s capabilities have grown substantially since 2016. The GovCERT function is more capable. Information sharing across the public sector has improved, particularly in the NHS following the 2017 WannaCry experience. The Government Security Group has been more explicit about its risk assessments than predecessors were.

At the departmental level, the picture is uneven but directionally positive in the most critical departments. MoD and the intelligence agencies, GCHQ included, have maintained investment and capability. HMRC and DWP, which hold enormous volumes of citizen personal data, have invested heavily. DSIT itself and the Cabinet Office have credible capability.

The deficit is concentrated in local government, smaller NHS trusts, the extended supply chain, and the many arm’s-length bodies and agencies that combine medium-sized IT estates with low security investment and high threat exposure.

The Uncomfortable Reality

The gap between the public sector cyber security posture and the threat it faces is not primarily a political failure. It is a structural consequence of how public sector IT was built, over decades, under cost pressure, with security treated as an overhead rather than a capability, meeting a threat environment that has become dramatically more capable in less time than it would take to fix the underlying infrastructure.

The policy response — better frameworks, extended regulation, centralised services — is the right response. It is also slow. The threat is moving faster than the reform.

The realistic near-term position is not that the public sector will match private sector security investment levels or eliminate its legacy estate before the next significant incident. It is that the highest-risk concentrations of data and access — the environments that nation-state actors and sophisticated criminal groups are most likely to target for the highest-consequence outcomes — need to be identified and treated differently from the baseline.

That requires honest risk assessment about where the real exposure is, and the political willingness to act on it when the answer is inconvenient.