
Building cyber and digital resilience in the public sector

Published on September 23, 2025

Cyber threats to the UK public sector are at an all-time high. In 2024 the NCSC reported that attacks on public sector organisations increased by 25% compared to the previous year. Earlier this year the National Audit Office (NAO) warned that Government cyber resilience isn’t keeping up with the evolving threat. Unsurprisingly, digital and cyber resilience across the public sector is now under unprecedented scrutiny, and the pressure to act has never been higher. Knowing where to start can feel overwhelming. The challenge isn’t just technical, it’s strategic. And with finite resources, leaders are confronted with difficult choices.

Cyber and digital resilience is not a destination but a continuous process of improvement. The public sector organisations that succeed will be those that treat cyber and digital resilience as a core business risk, review it alongside other strategic priorities and hold themselves accountable for progress. I’ve seen first-hand what happens when cyber is treated solely as the CISO’s responsibility. I believe the four questions presented below can help any organisation, no matter where they are on their journey.

1) How well do we understand our existing technology estate and know the impact of disruption on our core and citizen-facing services?

Cyber risk is more than just a technology problem. It is a critical business risk. It can stop essential services from reaching citizens. When disruption happens, vital operations can be delayed, personal and sensitive data might be exposed, and public trust can be lost.

When leaders treat cyber risk as a business issue, they can make more informed and effective investment decisions. They can focus on the services that are most important to the public. This approach embeds resilience into everyday operations and helps to minimise disruption in the event of an attack. The goal should be to protect what matters most: keeping citizens safe, ensuring services are available, and maintaining confidence in government.

2) What insights do we have about threat actors and their motivations?

Knowing who might target you and why is essential. It helps anticipate which attack types are most likely to disrupt your organisation.

Is the biggest threat a ransomware attack? A large data breach? A compromise via a third party? Understanding this helps focus defences on the controls and capabilities that will have the greatest impact, and helps build a strong resilience plan.

You don't need to defend against every single threat in the same way. Focusing on the risks that will cause the most disruption to core and citizen-facing services is key.

3) How confident are we in our current level of preparedness to respond to cyber threats?

Being prepared is more than just meeting compliance requirements. It’s confidence that your people, processes and technology can detect, protect, and respond to incidents effectively.

Using frameworks like the NCSC Cyber Assessment Framework (CAF), underpinned by other industry standards, allows you to gain confidence that your compliance obligations are being met. However, they don’t necessarily tell you how prepared you are to respond to a real incident – like a ransomware attack. That’s why pairing your compliance activities with proactive risk management and scenario-based testing is so powerful. It exposes gaps in your defences and helps prioritise strengthening the areas where you are most vulnerable.

4) How confident are we that we’re investing in the right capabilities and establishing the right accountabilities?

This is where everything comes together – threat landscape, control posture and the potential service impact. Quantifying cyber risks, by estimating the percentage likelihood of a risk occurring and the impact of the resulting business disruption, enables public sector leaders to measure possible financial and operational losses – and to compare cyber risks with other business risks in the same terms. Leaders are then empowered to make clear, strong, data-driven investment decisions that best build resilience.

Having the right people accountable is just as vital. This goes from board oversight down to system owners. Building and keeping cyber and digital resilience must be everyone's job. Every pound spent is tied to protecting public services and reducing risk. This is how we build a resilient digital future.
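The quantification described above (likelihood multiplied by impact, expressed in pounds so that cyber and non-cyber risks sit side by side) can be made concrete with a small worked example. The following Python is an added illustration written for this post; it is not code from the author or from the CRI product, and all scenario figures, service names, controls and reduction percentages are constructed placeholders. It goes one step beyond the text by also rating candidate controls by expected loss avoided per pound spent, which is one simple way to connect the quantified risks to the investment decision the post calls for.

```python
from dataclasses import dataclass

# Constructed sample data for illustration only: none of these figures come from
# the blog post, from a real organisation, or from the CRI product.


@dataclass(frozen=True)
class Scenario:
    """One threat (or non-cyber business) scenario against a named service."""
    name: str
    service: str
    likelihood: float    # estimated annual probability of the scenario occurring (0..1)
    impact_gbp: float    # estimated cost of the disruption if it does occur


@dataclass(frozen=True)
class Control:
    """A candidate investment that removes part of the expected loss of some scenarios."""
    name: str
    annual_cost_gbp: float
    applies_to: tuple        # names of the scenarios this control affects
    reduction: float         # fraction of expected loss removed from each of them (0..1)


def expected_annual_loss(s: Scenario) -> float:
    """Likelihood x impact: the common unit in which all risks are compared."""
    if not 0.0 <= s.likelihood <= 1.0:
        raise ValueError(f"{s.name}: likelihood must be a probability between 0 and 1")
    return s.likelihood * s.impact_gbp


def rank_scenarios(scenarios):
    """Highest expected annual loss first, so the biggest sources of loss stand out."""
    return sorted(scenarios, key=expected_annual_loss, reverse=True)


def exposure_by_service(scenarios):
    """Total expected annual loss per core or citizen-facing service."""
    totals = {}
    for s in scenarios:
        totals[s.service] = totals.get(s.service, 0.0) + expected_annual_loss(s)
    return totals


def control_value(control: Control, scenarios):
    """Return (expected loss avoided per year, loss avoided per pound of control cost)."""
    by_name = {s.name: s for s in scenarios}
    avoided = sum(expected_annual_loss(by_name[n]) * control.reduction
                  for n in control.applies_to)
    return avoided, avoided / control.annual_cost_gbp


# Constructed scenarios. The last one is a non-cyber business risk, deliberately
# expressed in the same units so it can be compared directly with the cyber ones.
SCENARIOS = [
    Scenario("ransomware on benefits platform", "benefit payments", 0.20, 5_000_000),
    Scenario("third-party compromise of case management", "social care", 0.10, 2_000_000),
    Scenario("breach of citizen records", "benefit payments", 0.05, 3_000_000),
    Scenario("flooding of primary data centre", "benefit payments", 0.02, 4_000_000),
]

# Constructed candidate investments with assumed (not measured) reduction effects.
CONTROLS = [
    Control("immutable backups with tested restore", 150_000,
            ("ransomware on benefits platform",), 0.6),
    Control("supplier assurance programme", 100_000,
            ("third-party compromise of case management",), 0.5),
]

if __name__ == "__main__":
    for s in rank_scenarios(SCENARIOS):
        print(f"{s.name:45} {s.service:18} £{expected_annual_loss(s):>12,.0f} per year")
    for service, total in exposure_by_service(SCENARIOS).items():
        print(f"exposure of {service}: £{total:,.0f} per year")
    for c in CONTROLS:
        avoided, ratio = control_value(c, SCENARIOS)
        print(f"{c.name}: avoids £{avoided:,.0f}/year, £{ratio:.2f} avoided per £1 spent")
```

The point estimates here stand in for whatever likelihood and impact figures an organisation can defend; the ranking and the per-service totals are what let a board put a ransomware scenario next to a flood or a supplier failure on one page, and the avoided-loss-per-pound figure is what ties a proposed control back to the services it protects.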

How can we help you?

We’ve worked with hundreds of organisations to support them in a) understanding their current cyber risk exposure and compliance posture, and b) quantifying their cyber risks in financial and business terms. Part of that support utilises our own market-leading technology, Cyber Risk Insights (CRI).

CRI leverages detailed threat scenarios to model potential attacks, giving you a clear understanding of who might target your organisation, their techniques and their objectives. CRI can harness existing data, such as GovAssure returns and other control assessments, to accurately assess your current posture. By combining this with an analysis of the potential disruption to your core services, CRI provides a comprehensive view of exposure.

The result? Being equipped to make confident, data-driven decisions on where to invest, and understanding what the impact of that investment will be – ensuring every action strengthens your cyber and digital resilience.

Author
Francesca Vallely
Senior CRQ Delivery Manager
Francesca is a Senior CRQ Delivery Manager and lead for the Public Sector at CRI. With over 8 years of experience in cyber, Francesca specialises in Cyber Governance, Risk, and Compliance (GRC) and is passionate about helping organisations transform the way they approach risk, using data-driven insights to make informed decisions and accelerate their cyber transformation. Based in Manchester, Francesca is also a strong advocate for gender equality in the cyber industry, leading KPMG UK's Women in Cyber community and volunteering as a UK STEM Ambassador to inspire the next generation of talent.