After the National Audit Office (NAO) signals alarm over UK public sector cyber security and cyber resilience, is it time to make more use of Britain’s 11,000-strong army of MSP experts to hold the fort?
A troubling report from the NAO in January revealed that the UK government’s ability to withstand the growing threat of cyber attacks is inadequate.
The 2025 Government cyber resilience report warns of a severe and advancing threat to the UK’s public sector cyber security.
It claims that building the necessary levels of resilience will remain elusive unless the government overcomes the enduring shortage of IT skills in the public sector.
Despite this, every public sector organisation must strengthen accountability and gain more complete control of legacy IT risks.
Among the key challenges highlighted within the report are:
This is a worrying set of figures, despite £1.3 billion additional cyber and ‘legacy’ IT funding provided to departments in the 2021 Spending Review.
Adding to the problems is ‘a lack of coordination within government.’ According to the NAO, effective cyber defence is being jeopardised by a lack of clear definition around the roles of departments and central organisations, such as the National Cyber Security Centre (NCSC).
Moreover, leaders of these departments have not sufficiently prioritised the importance of dealing with cyber risk to achieve their strategic goals.
The report urges the government to quickly take the decisions needed to make the UK cyber resilient by 2030 to avoid serious incidents, make systems more robust, and protect the value for money of its operations.
One answer, at least in the immediate term, is to outsource more public sector cyber security to suitable members of Britain’s 11,000 or so Managed Services Providers (MSPs).
Many of these are already trusted Government suppliers under the G-Cloud framework and other schemes.
In many public sector organisations, MSPs already act as the UK public sector’s unofficial Home Guard for cyber defence. They bring not just vast insight into the fast-moving cyber threat environment but are well placed to help bridge the gap caused by the rapid turnover and enduring shortage of skilled public sector IT staff.
While it is very common for UK government departments to individually select public sector IT services for cyber security, cloud and IT management, a more joined-up approach is long overdue.
To this end, the Government proposes to establish a cyber coordination centre to rapidly identify, investigate and coordinate incident response alongside threat and vulnerability reporting.
It is a big undertaking. Ageing systems, a lack of experts, and the need to ensure everyone works together mean this will take time.
In the meantime, public sector IT companies must continue to pick up the slack. Fortifying public cyber security against threats like hacking, ransomware and data breaches in this way makes a good deal of financial sense.
Not only is skilled manpower in short supply but training and retaining in-house teams is expensive. By contrast, public sector IT providers already have all the specialist expertise you need on tap around the clock.
There are other benefits too.
For example, involving more MSPs in running public sector IT could help resolve some of the management and coordination issues.
Devolving responsibility for speeding up incident response, patching, vulnerability management and risk assessments to a co-managed IT service enables departments to pinpoint and seal security gaps quickly.
They can also guide continuity and disaster recovery planning, train in-house teams on the latest exploits and phishing techniques and give them access to advanced tools and threat intelligence.
In this way, public sector IT providers ensure that departments achieve and maintain compliance targets. They also provide scalable protection that can be adjusted quickly to government’s constantly changing needs without investing in costly physical systems in-house.
Departmental leaders, meanwhile, are free to focus more of their time on strategy and effective service delivery.
In summary, the NAO report highlights concerns about a “widening gap between the increasingly complex threats and our collective defensive capabilities in the UK.” The fully coordinated approach it advocates is planned, but still some way off.
In the meantime, it’s up to trusted public sector IT providers like us to ensure overstretched internal resources have access to comprehensive, easy-to-use cyber protection measures in the face of an increasingly sophisticated threat landscape.