View all newsletters
Receive our newsletter - data, insights and analysis delivered to you
  1. Technology
  2. Cybersecurity
December 28, 2021updated 29 Apr 2022 9:33am

What the UK public sector learned about cybersecurity in 2021

The pandemic and ransomware outbreak have revealed strengths and weaknesses in the UK public sector's cybersecurity defences.

By Pete Swabey

Cybersecurity was already on the board agenda among UK public sector organisations before Covid-19.

Chris Naylor, outgoing chief executive at the London Borough of Barking and Dagenham, assesses risks on two dimensions: their likelihood and their potential impact during a panel on cybersecurity at New Statesman and Tech Monitor‘s recent Public Sector Technology Symposium. In the past five years, cybersecurity risk has climbed both rankings, Naylor explained. “It’s got a lot more of my attention as a result.”

But the pandemic and the accompanying bout of ransomware put the UK public sector’s readiness to the test. That readiness has proved to be a “mixed bag,” said Jonathan Lee, UK director of public sector relations at panel sponsor Sophos. Collaboration between government and the cybersecurity industry helped public sector organisations improve their preventative stance against threats, Lee said, but “I think we can do better”.

Cybersecurity in the public sector: information overload

Adrian Boylan, head of IT, Moorfields Eye Hospital NHS Foundation Trust shared that, while awareness of cybersecurity issues has improved significantly in recent years in the public sector, many smaller organisations do not have the resources to tackle all the threats they face. And while there is a wealth of advice and information available from government bodies and suppliers, it can be overwhelming, he added.


Similarly, Boylan said, compliance with cybersecurity guidelines and frameworks can be overwhelming for smaller organisations, especially when added to the practical work of securing and monitoring IT systems. “Perhaps we should move away from the more resource-intensive, annual exercise of asserting that we meet theoretical guidelines or points of principle back towards a practical assessment [of cybersecurity],” he said.

Responding to cybersecurity threats

If it wasn’t already obvious, the ongoing ransomware outbreak has made it inescapably clear that cybersecurity threats have changed significantly in the past decade. Defences need to evolve as well, said Lee.

Content from our partners
Rethinking cloud: challenging assumptions, learning lessons
DTX Manchester welcomes leading tech talent from across the region and beyond
The hidden complexities of deploying AI in your business


The human dimensions of cybersecurity are vital, not just in preventing breaches but also in detecting and responding to them too, explained Shelton Newsham, divisional information security officer at UK Health Security Agency and a former police officer specialising in cybercrime. When it comes to the technical teams handling IT security, a range of perspectives and experience is vital. “Having someone who is technically aware but not technical is really, really important,” he explained. “They will spot things that the people with the real technical ability who are immersed in trying to contain an incident [may not].” These ‘technically aware’ staff can often help police attribute attacks and, in some cases, identity the attackers.

Non-IT staff, meanwhile, also play an equally vital role in incident response, Newsham explained.

Bad news to share? Build up your trust bank

How should public sector IT leaders communicate security risks to senior management? Naylor shared his approach to maintaining awareness of ongoing risks: a monthly assurance board meeting, in which the heads of strategic departments, including cybersecurity, raise risks that need to be addressed. “In essence, I’m leaving the burden of judgment with them to tell me what they think I need to know,” he said. Crucially, though, he asks that departmental heads don’t just describe the risk but identify a call to action. “I need to know the consequence of what I’m hearing,” he says. “It’s not good enough for people to go, ‘Well, this thing happened’. What I really want to want to know is, what do you want me to do about it?”

This meeting can provoke some difficult conversations. During a secondment to Birmingham City Council, Naylor was asked for £20m to address cybersecurity issues. “Sometimes I don’t want to hear it,” he said. But “we have to hear it and we have to create spaces in which to hear it.”

And when an IT leader has to raise a cybersecurity issue that requires an immediate and extensive response, it helps to have built up trust within the organisation. “Get trust in your trust bank so that when you need to pull the lever, they’re ready to hear you,” Naylor advises. “If you’re running a tight ship inside your IT department, [it] builds the confidence of people like me so that when you come to us with a request for additional funding or resources or action, we are in the headspace to respond to that.”

Homepage image by tzahiV / iStock

Websites in our network
Select and enter your corporate email address Tech Monitor's research, insight and analysis examines the frontiers of digital transformation to help tech leaders navigate the future. Our Changelog newsletter delivers our best work to your inbox every week.
  • CIO
  • CTO
  • CISO
  • CSO
  • CFO
  • CDO
  • CEO
  • Architect Founder
  • MD
  • Director
  • Manager
  • Other
Visit our privacy policy for more information about our services, how Progressive Media Investments may use, process and share your personal data, including information on your rights in respect of your personal data and how you can unsubscribe from future marketing communications. Our services are intended for corporate subscribers and you warrant that the email address submitted is your corporate email address.