Navigating cyber risks in the UK public sector

Preeta Ghoshal
27 March 2026

The UK economy lost an estimated £440 million last year.

This is from a single “combined cyber event” that targeted Marks and Spencer and Co-op.

There was a similar attack on luxury retailer Harrods around the same time, although the exact extent of damages is unclear.

Jaguar Land Rover was hit soon after. Reported losses were in the range of £485 million.

The spate of attacks and security breaches has made one thing clear. Regardless of whether a business is a public or private enterprise, and no matter its size and influence, no one is immune to an attack.

What this means for public sector organisations

The impact on public sector organisations is not just scale, but consequence.

When a retailer goes offline, revenue is lost. When a public service is disrupted, access to healthcare, housing, or benefits can be delayed or denied. The impact is less visible in financial reports, but far more critical in people’s day-to-day lives.

Top 4 cybersecurity risks for the UK public sector

1. Legacy tech and modernisation hurdles
2. Ransomware and malware
3. Supply chain vulnerabilities
4. DDoS attacks and service disruption

1. Legacy tech and modernisation hurdles

By definition, legacy systems are those that are outdated or difficult to integrate with modern infrastructure. These systems, some of which are 30-50 years old, weren’t designed to meet today’s security standards or hardened against today’s sophisticated cyber threats. Yet many remain key to daily business operations in the public sector.

Recent findings from the National Audit Office show that the government doesn’t fully understand the vulnerability of at least 228 legacy IT systems currently in use. At the same time, 58 critical systems were found to have “significant gaps” in cyber resilience.

According to a recent KPMG report, these legacy systems are “opening the door to an array of vulnerabilities for adversaries to exploit.”

Legacy systems are often kept in place because replacing them is complex and expensive. But this comes with trade-offs. Systems that are “impossible to update” or built on unsupported software become increasingly exposed over time, particularly as new vulnerabilities are discovered and left unpatched.

This throws up a unique dual challenge for Chief Information Security Officers in the public sector: the need to keep up with emerging technologies, such as artificial intelligence (AI), blockchain, and quantum computing, whilst navigating the inherent risks posed by legacy systems.

2. Ransomware and malware

Ransomware and malware continue to be major attack methods of cybercriminals. UK government data shows that around 19,000 businesses experienced a ransomware attack in 2025. What’s worrying is that 83 percent of affected organisations chose to pay.

This reflects operational pressure. When services are disrupted, restoring access becomes the priority.

Stealware (information-stealing malware) is expected to be the primary malware payload in cybercrime operations targeting the public sector, because it can capture government credentials that are then sold and reused to gain access in future breaches.

3. Supply chain vulnerabilities

Public sector organisations rely on a wide network of third-party providers, from IT vendors to outsourced services. Each connection introduces a potential entry point for threats.

Attackers are increasingly targeting these suppliers as a way to bypass direct defences and gain indirect access to government systems.

Security is no longer defined by organisational boundaries, but by the resilience of the entire ecosystem. A vulnerability in one supplier can have downstream effects across multiple services, particularly where systems are tightly integrated.

4. DDoS attacks and service disruption

Distributed Denial of Service (DDoS) attacks continue to target public-facing systems, disrupting services and making them unavailable to users.

While they may not always result in data breaches, they can significantly impact service delivery. Access to online services, booking systems, or digital portals can be interrupted without warning.

In a public sector context, that disruption has immediate consequences.


Government response

The UK Government’s Cyber Action Plan, launched in March 2026, is an update to the government’s 2022 Cyber Security Strategy and is currently managed by the Department for Science, Innovation and Technology (DSIT). It is backed by over £210 million in funding and is an urgent response aimed at building the UK public sector’s cyber defences.

The Government Cyber Profession, which is co-branded with the Department for Science, Innovation and Technology and the National Cyber Security Centre, will establish a ‘cyber resourcing hub’ to “streamline” recruitment and create a “clear career framework” aligned with UK Cyber Security Council professional standards.

There are further plans to set up a proposed cyber academy and apprenticeship scheme to offer “structured career pathways to strengthen long-term capability across the public sector”.

The government’s response reflects an understanding of the critical impact of cyberattacks on public systems. Investment in skills, clearer career pathways, and a more structured approach to recruitment will collectively address the shortage of cyber security skills across the public sector.

But building capability and long-term talent pipelines takes time.

And the threat landscape doesn’t operate on the same timeline, with more sophisticated attacks emerging every day.

The question is: how prepared are public sector organisations for an attack?

Navigating cyber risks in the public sector

Navigating cyber risks in the public sector requires a deliberate approach that recognises the challenges of legacy systems, complex supply chains, and the need to maintain continuous service delivery.

1. Prioritise critical public services, not just systems

A solid cybersecurity plan in the public sector starts with identifying which services cannot afford disruption.

The National Cyber Security Centre (NCSC) advises organisations to align cyber security activity with their most critical functions.

In practice, this means focusing on services such as healthcare access, benefits processing, or local authority systems, not just the underlying technology.

2. Build a clear view of legacy and interconnected systems

The UK Government’s cyber strategy highlights the need to better understand assets, dependencies, and vulnerabilities across departments.

This includes mapping legacy systems, identifying where they connect to newer platforms, and understanding where risks sit across those environments. Without that visibility, managing cyber risk becomes reactive rather than controlled.

3. Plan for service continuity

In the public sector, recovery is not just about restoring systems. It is about maintaining access to essential services.

NCSC guidance stresses the importance of planning for incidents in a way that ensures continuity and recovery.

This means testing how services will operate during disruption, defining fallback processes, and ensuring teams are prepared to respond under pressure. For public services, resilience is measured by continuity, not just containment.

4. Extend security across suppliers

Public sector organisations don’t operate in isolation.

The Government Cyber Security Strategy emphasises a “defend as one” approach, recognising that risk extends across suppliers and delivery partners.

This requires consistent standards across supply chains, clearer accountability, and stronger assurance of third-party security practices. A vulnerability in one supplier can affect multiple services. Managing that risk requires coordination, not just oversight.

Cyber Essentials Plus

In a zero-trust world, the ability to demonstrate resilience is becoming just as important as having it. Independent verification has become the only way to achieve an acceptable level of assurance, and company certifications have become the gateway to supporting business engagements.

Cyber Essentials Plus is a UK government-backed cyber security certification scheme that provides independent assurance that an organisation operates to a recognised standard of quality, safety and accountability. It enables organisations to build essential defences across key areas of the business and is becoming a minimum requirement in many supply chain conversations, as a clear indicator of a company’s capacity for proactive risk management.

This year, we at FDM renewed our Cyber Essentials Plus certification, demonstrating improvement in (not just compliance with) cybersecurity best practices. We strengthened how we measure continuous improvement through clearer metrics, monitoring performance trends, holding structured review points and using feedback to evidence sustained change rather than isolated actions. It gives confidence to the public, assurance to leaders and signals to the sector that quality is embedded in our everyday practice.

At FDM, we believe the most powerful line of defence is people. That’s why we work with organisations to build in-house cybersecurity capabilities, embedding our consultants into their teams to support long-term resilience.
