The National Audit Office (NAO) has found the UK government’s cyber resilience to be significantly behind where it needs to be, in the face of mounting and more dangerous threats.

In its Government cyber resilience report, the public spending watchdog warned that the cyber threat to the UK government is “severe and advancing quickly”. It found that 58 critical government IT systems, assessed in 2024, had significant gaps in cyber resilience, and the government does not know how vulnerable at least 228 “legacy” IT systems are to cyber attack.

The report does not cover the cyber resilience of local government, the NHS, or the nation as a whole. Fieldwork for the report was conducted between May and October 2024, with NAO staff interviewing officials from the Cabinet Office about efforts to support government departments in the implementation of the Government Cyber Security Strategy: 2022-2030.

The strategy included a target for key government organisations to be “significantly hardened to cyber attack by 2025”, but the government has not improved its cyber resilience fast enough to meet this aim, said the NAO.

The NAO also interviewed officials from the National Cyber Security Centre (NCSC) and the Central Digital and Data Office (CDDO), along with cyber security civil servants from government departments and the British Library.

The biggest risk to making the UK government resilient to cyber attack is a yawning skills gap, according to the report. It found one in three cyber security roles in government were vacant or filled by temporary – and more expensive – staff in 2023-24, while more than half of cyber roles in several departments were vacant, and 70% of specialist security architects were staff on temporary contracts.

The NAO said departments reported that salaries and civil service recruitment processes are barriers to hiring and keeping people with cyber skills.

Other concerns include a lack of coordination within government, which is jeopardising effective cyber defence. The NAO found that the respective roles of departments and central organisations, such as the NCSC, are “insufficiently understood”, and that departmental leaders have not “consistently recognised the relevance of cyber risk to their strategic goals”.

The government must act now, urged the report’s authors.

Gareth Davies, head of the NAO, said: “The risk of cyber attack is severe, and attacks on key public services are likely to happen regularly, yet government’s work to address this has been slow.

“To avoid serious incidents, build resilience and protect the value for money of its operations, government must catch up with the acute cyber threat it faces.

“The government will continue to find it difficult to catch up until it successfully addresses the long-standing shortage of cyber skills, strengthens accountability for cyber risk, and better manages the risks posed by legacy IT.”