‘Critical gaps persist’: How to safeguard your organisation in an evolving cybersecurity landscape

Asking the right questions is the key to effective oversight of cybersecurity

By Yvonne Gallagher

14 Oct 2025

The cybersecurity landscape has changed dramatically in the last few years. Organisations now depend heavily on cloud-based systems accessed over the internet, and hybrid working has become the norm, with staff accessing data from multiple locations and devices.

Meanwhile, attackers continue to “routinely and relentlessly” target government organisations. Cyberattacks have severe consequences for government, public services and citizens alike. As the October 2023 attack on the British Library showed, disruption can be extensive and recovery prolonged and costly, with services still not fully restored two years after the initial incident.

Yet despite more than 10 years of government focus, the NAO’s January 2025 report on government cyber resilience revealed that the position is weaker than previously believed.

The NAO has just published a new version of its cybersecurity and resilience guide. It is primarily aimed at audit and risk assurance committees and others in a governance role who must ensure that controls, governance and resilience measures are in place and effective. This is especially important as threats are evolving faster than government can respond, and resources are constrained.

Legacy technology remains a major issue, with historic under-investment made worse by remediation budgets often being diverted to competing priorities. Attracting and retaining staff skilled in cybersecurity is also a challenge for many organisations, as there is a high market demand for their expertise. Departments struggle to understand roles and responsibilities, and there are inadequate measures to assess effectiveness.

Overall, government will miss the target in its Cyber Security Strategy 2022-2030 for critical functions to be resilient to attack by 2025. Cyber risk is critically high and public organisations are under-prepared, with critical gaps persisting.

Our guide recognises that effective oversight of cybersecurity doesn’t rely on having extensive technical expertise. It is all about knowing enough to ask the right questions and to fully understand the implications of the choices made when money is tight.

Our guide aims to supplement rather than replace existing guidance, and, in an easy-to-read and accessible manner, suggests questions that those charged with governance could ask to address both strategic and operational issues.

Questions you should ask

We cover the following areas, consistent with the Cyber Governance Code of Practice:

Strategy: Is there a clear cyber strategy as part of the overall business strategy? Are responsibilities and obligations understood across the organisation? Is funding prioritised and protected to match the strategy’s intent?

Assurance and oversight: Are regular threat assessments undertaken? Is assurance gained over suppliers and the supply chain? Does reporting provide meaningful insight and not just technical detail?

Risk management: Are critical systems identified and risks integrated into overall management? Are cyber risk appetite and tolerance levels integrated into decision-making, investment and mitigation plans? Is there a structured method or framework?

People: Is there clear executive accountability for cybersecurity? Is there a positive cyber culture? Is there a structured programme to ensure everyone has at least a basic level of cyber awareness?

Incident planning, response and recovery: Is there a well-prepared plan and is it regularly exercised? Are lessons learned and improvements made, including from ‘near misses’? Are data and asset backup strategies adequate?

The guide also includes questions in three further areas of detail that represent new initiatives since the publication of our previous guide:

  • Legacy Systems: Are legacy systems identified and catalogued? Have they been evaluated and are remediation plans funded and monitored?
  • GovAssure: Are critical systems prioritised and are improvement plans funded and monitored?
  • Secure by Design: Are the 10 ‘Secure by Design’ principles adopted for all new systems?

We hope that this guide is a useful resource in helping government meet its target for all public sector organisations to be resilient to known vulnerabilities by 2030.

Yvonne Gallagher is the director of the National Audit Office's digital insights team
