TL;DR: The UK’s £210 million cyber action plan responds to self-assessed “critically high” risk across public services after attacks affecting Royal Mail, the British Library, councils, MoD payroll and FCDO, according to Swarmnetics. The funding may improve standards, but legacy debt, voluntary controls and uneven API and mobile security leave execution risk unresolved.
NHIMG editorial — based on content published by Swarmnetics: UK’s £210 million Cyber Action Plan Addresses Endemic Failings in Securing Public Services, But Is It Enough?
By the numbers:
- The UK’s Government Cyber Action Plan will deploy some £210 million over at least three years.
- Years of poor funding have left legacy systems and technical debt affecting some 28% of all government departments.
- The plan’s first phase runs through April 2027 before broader expansion from 2027 to 2029.
Questions worth separating out
Q: What breaks when public services rely on legacy systems with weak cyber governance?
A: Legacy estates break down when patching, identity control and recovery processes are inconsistent across dependent services.
Q: Why do technical debt and poor funding increase cyber risk in public-sector environments?
A: Technical debt increases risk because it expands the number of systems that must be secured, monitored and recovered, while poor funding limits the pace of standardisation.
Q: How should organisations prioritise remediation when data exposure findings are broad?
A: Focus first on the datasets with the widest identity reach, the weakest classification confidence, and the most downstream replication.
Practitioner guidance
- Inventory legacy-dependent services first Identify which citizen-facing and internal services still rely on ageing platforms, then rank them by business criticality, recovery dependency and access complexity.
- Tighten privileged and third-party access around critical workflows Review supplier accounts, service accounts and administrative exceptions that touch public-service workflows, then remove standing access wherever possible and enforce explicit expiry for all remaining elevated access.
- Treat API and mobile controls as governance priorities Baseline authentication strength, token handling, authorisation checks and logging for APIs and mobile channels that expose public services, because those interfaces often become the control plane for compromise and recovery.
What's in the full analysis
Swarmnetics' full article covers the policy detail and implementation context this post intentionally leaves for the source:
- How the £210 million plan is structured across the three phases and why the timeline matters for delivery.
- Which public-service security standards are being proposed for departments and critical infrastructure operators.
- Where the voluntary Software Security Code of Practice may leave gaps in mobile and API security.
- Why the Government Cyber Unit and new GCSO role change accountability across incident response.
👉 Read Swarmnetics' analysis of the UK cyber action plan and public-service security debt →
UK cyber action plan: what it means for public sector security teams?
Explore further
Public-sector cyber debt is now a resilience problem, not just a security problem. When essential services run on legacy estates, the loss of availability becomes the main business impact, and security programmes need to be judged on recovery and containment as much as prevention. That shifts the governance question from isolated controls to service-wide survivability. Practitioners should treat resilience as a control objective, not a side effect.
A few things that frame the scale:
- Two-thirds of enterprises have endured a successful cyberattack resulting from compromised non-human identities, with a quarter encountering multiple attacks, according to The 2024 ESG Report: Managing Non-Human Identities.
- 72% of organisations have experienced or suspect they have experienced a breach of non-human identities, including 46% confirmed and 26% suspected.
A question worth separating out:
Q: Who is accountable when cyber resilience fails?
A: Accountability sits with the executive owners of continuity, security, and identity governance, because resilience is cross-functional. The board expects a coordinated operating model, not isolated technical ownership, and insurers will evaluate whether the organisation can demonstrate evidence, containment, and recovery under policy conditions.
👉 Read our full editorial: UK cyber action plan exposes the scale of public sector security debt