Public sector cyber security: how to effectively mitigate risks

Over the past two years, the rapid pace of technological advancement, together with the increase in remote working, has exposed organisations to a growing number of cyberattacks. Although large-scale attacks have targeted the financial and healthcare industries, the public sector is quickly becoming one of the most popular targets.

Between September 2020 and August 2021, 40% of the 777 cyber incidents managed by the National Cyber Security Centre (NCSC) affected the public sector. In 2022 alone, UK councils were hit by ten thousand cyberattacks every day as of August.  

In this worrying scenario, it is imperative that public sector organisations do all they can to protect sensitive data and access to services. This insight explores three ways to mitigate cyber risk in the public sector in relation to current challenges.


What are the challenges to cyber security in the public sector? 

The UK Government recently released its 2022-2030 cyber security strategy to tackle challenges in the public sector, allocating £37.8 million of additional funding to build greater cyber resilience.

While this will help ensure the right investments are made in advanced cyber security measures, the pace of technological change is accelerating, and many public sector employees are not prepared for it.

A lack of cyber awareness among staff, coupled with a general increase in cybercrime, puts public sector organisations at greater risk of ransomware and phishing attacks. Reliance on legacy systems is also an issue, and remote working has brought about new challenges.

As many employees now work from home on their own devices, cyber threats have increased exponentially. Additionally, employees work from various devices within their organisation’s network, accessing sensitive data externally and often without proper cyber security precautions.  

The next section details a few ways to overcome these challenges.  

Ways to improve cyber security in the public sector 

Implement an effective cyber security strategy 

Cyber risk management is the first step to effective mitigation. Auditing your existing infrastructure and creating a strong cyber security strategy are essential to stopping cyberattacks and responding quickly if they occur. Ideally, a good cyber security strategy should align individual departments with the wider public sector bodies they belong to.

Assess and upgrade legacy systems to mitigate risk 

Legacy systems and poor data quality are recurrent issues in public sector and government organisations. In many cases, IT assets are neither catalogued nor risk assessed, increasing the likelihood that vulnerabilities go unnoticed.

Effective monitoring, backup and recovery systems must be put in place to protect sensitive information and ensure access to services. This is vital, especially for public sector services linked to the NHS, where a breach could mean that not only sensitive information is lost, but also access to potentially life-saving resources is compromised. 

Train staff consistently to strengthen organisational cyber security 

As pointed out in the previous section, lack of cyber awareness is the leading cause of preventable cyberattacks. In 2021, a survey by TalentLMS asked over a thousand employees a set of basic cyber security questions. Even though 69% of respondents received cyber security training from their employer, 61% of them failed the test. 


Human error had severe consequences for local councils like Hackney and Gloucester City Council, where sensitive data was recently leaked online after an employee opened an email containing malware.

Public sector organisations must implement rigorous cyber security training to ensure employees are up to date on the latest threats and know how to stay safe. Crucially, employee training should cater to an increasingly remote workforce, focusing on bring-your-own-device (BYOD) policies and strategies to keep organisational networks protected.


"With the pressure from UK Government to reduce the cyber risk in the public sector, the challenge for our clients has been how to best utilise the NCSC resources and commercial tools to support this requirement. As part of our cyber advisory services, ROCK has been able to provide a risk and cost-benefit analysis, allowing our customers to make the most with the resources available."

Tony Hillier-Swift, Senior Technology Consultant at ROCK

Conclusion: prioritising cyber security in the public sector

There has been a sharp increase in cyberattacks against the public sector in the past two years, as more and more reliance is placed on the internet and digital technology. The UK government cyber security strategy is a powerful tool to tackle current challenges with the aim to make the public sector cyber resilient by 2030.  

However, public sector leaders at a local level must prioritise good cyber security practices. Data is a business asset that is critical to the continued delivery of vital services, especially in the public sector where legacy systems can leave organisations even more exposed to risk.  

The most effective ways to mitigate risks in the public sector include implementing an effective organisational cyber security strategy, assessing and upgrading legacy systems, and training staff consistently.  

Cyberattacks are an increasing threat to the management of public bodies. Hacking, ransomware, cyber fraud and accidental data losses can damage organisations and individuals while disrupting access to vital services. An understanding of cyber issues, and readiness to tackle them, is essential to protect the public and ensure business continuity.





© 2024 ROCK. All rights reserved.
