UK’s cultural institutions failing on cyber security, warns PAC

The UK’s national museums and galleries have failed to heed the lessons of high-profile cyber attacks and remain highly vulnerable. The Public Accounts Committee is calling on DCMS to do more to help.

Britain’s national museums and galleries are highly vulnerable to cyber threats and, by and large, have failed to heed the prescient warnings from the 2023 British Library ransomware attack, putting the country’s wider cultural and historical assets at risk, says the Public Accounts Committee (PAC).

The British Library won praise for its transparency in the wake of the Rhysida ransomware attack. However, in a new report on the state of the finances of government-sponsored institutions – published on 24 June – the PAC said that the government was still relying on a reactive, rather than proactive, approach to both the cyber and physical security of valuable collections.

It said that while Westminster had done well to disseminate lessons from the British Library attack, and incidents at the British Museum, it was not able to provide any specific examples of concrete actions taken by the sector to better protect itself.

The PAC said the Department for Culture, Media and Sport (DCMS) was not taking proper advantage of its central role to facilitate information-sharing and help museums and galleries collectively address their issues.

It is now asking the department to set out the actions it has taken and will take to address security threats – such as better implementation of digital record keeping – to safeguard the UK’s museums and galleries, which draw millions of visitors and generated £563m in income in 2024-25.

PAC chair Geoffrey Clifton-Brown said: “Our museums and galleries are a treasured part of the fabric of our nation. The role they play in educating our people, preserving our shared history and showcasing our country to the world is quite simply priceless.

“However, they are being let down by a lack of leadership from the Department of Culture, Media and Sport, which appears to have taken an almost hands-off approach to the challenges they face.

“Cyber attacks, the theft of items from collections, and a fall in the number of visitors are just some of the issues museums and galleries are fighting to overcome.

“They’ve made great strides to become more financially resilient; however, the lack of centralised support is leaving them vulnerable,” he said.

Cyber action plan

According to the report, DCMS has assured the PAC it is now working more closely with museums and galleries to provide central advice on cyber resilience and attack mitigation, and highlighted the steps set out in the Department for Science, Innovation and Technology’s (DSIT’s) Cyber Action Plan – which sets out a path to improved resilience across public bodies by the end of the decade.

DCMS said it was working with museums and galleries on cyber skills shortages, and bringing together both CIOs and CISOs from its arm’s-length bodies in new forums to learn from one another and set a collective security agenda. The report said “a small amount of money” has been set aside from DCMS’ budget this year to support this.

Check Point head of public sector, Graeme Stewart, said the PAC’s report was a stark reminder that threat actors don’t discriminate and that cultural institutions present high-value targets to them.

“The 2023 attack on the British Library was a watershed moment for the sector. It demonstrated that a ransomware incident can cripple operations, compromise data, and cause months of disruption, all while threatening the trust these institutions depend on. That the government has yet to translate the lessons of that incident into concrete, sector-wide protective action is deeply concerning,” he said.

“Museums and galleries face a particular challenge: they combine the digital vulnerabilities of any modern organisation, including network-connected systems, online ticketing, and third-party suppliers, with unique physical security considerations and, in many cases, constrained budgets and limited in-house cyber expertise.”

Stewart added: “What's needed is exactly what the PAC is calling for…. The sector cannot afford to wait for the next incident to act. These institutions are the cultural lifeblood of this country, and the long-term damage to the nation's heritage, reputation and public trust that could result from continued inaction would be far harder to recover from than any single attack.”
