Managing Cyber Security in the public sector comes with unique challenges. With extensive government requirements, evolving cyber threats, and multiple priorities to balance, it can feel like a lot to navigate.
To make it easier, we’re breaking down the UK Government’s Cyber Security Strategy into clear, actionable steps. Drawing on our experience with public sector organisations, we’ll explain each objective, what it means for your role, and how you can plan effectively.
In part one, we covered Objective 1: Managing Cyber Security Risk. Now, we turn to Objective 2: Protecting Against Cyber Attacks.
Whether you’re managing today’s tasks or preparing for what’s ahead, here’s what you need to know to meet these goals.
Objective 2: Protect Against Cyber Attack
In this objective, it’s clear that the National Cyber Security Centre is stepping up its game to protect against cyber-attacks. They want to make sure that critical infrastructures have the right level of security based on the risks they face.
They’re also rolling out centralised tools to make it easier (and more cost-effective) for everyone to stay protected. Also, each organisation will be responsible for managing their risks. They will need to show they have the right defences in place in order to tackle data breaches.
Let’s break down how they plan to do this with their five specific outcomes.
Outcome 9: Secure Technology and Digital Services
Strong defences start with strong foundations. The National Cyber Security Strategy plans to introduce a “Secure By Design” approach, which includes Cyber Security in every stage of a system or service’s lifecycle.
It shifts from reactive measures. This means security risks are not an afterthought. Instead, it is a continuous process. It evolves with new threats and technologies to protect information security.
1. Security at Every Step
The Secure By Design framework integrates security into key stages, including:
- Planning: Before any project begins, teams will outline how security measures will be implemented and maintained throughout the system’s lifecycle.
- Procurement: Clear Cyber Security standards are included in contracts. This ensures that any technology or service bought meets strong security requirements.
- Development and Deployment: Security experts are embedded in development teams to provide consistent guidance, ensuring potential vulnerabilities are addressed proactively rather than patched later.
- Operations: Ongoing monitoring ensures systems remain secure as they evolve or encounter new threats.
- Decommissioning: Secure processes will be in place for retiring outdated technology. This will ensure sensitive data isn’t exposed during the transition.
2. Consistent Guidelines and Tools
To ensure every organisation operates at the same high standard, the framework includes:
- Blueprints and Patterns: Pre-defined templates that help organisations build systems securely from the ground up.
- Design Principles: Clear rules that outline what a secure system looks like and how it should function.
- Best Practices: Published guidelines for public sector organisations, ensuring there’s no ambiguity about what’s expected.
3. Tackling Legacy IT Risks
As a public sector leader, you know outdated technology poses one of the greatest challenges to public sector Cyber Security. Legacy IT systems often lack modern security features, leaving organisations vulnerable to security threats. The secure by design framework directly addresses this by:
- Encouraging the upgrade, replacement, or secure management of older systems.
- Allocating investments to ensure IT infrastructure remains resilient against emerging threats.
- Embedding modern safeguards into legacy systems when replacements are not immediately possible.
4. Aligned with Broader Standards
The Secure By Design framework doesn’t operate in isolation—it aligns with key Government standards:
- The Service Standard: Ensuring public services are designed and delivered securely.
- The Technology Code of Practice: Requiring security measures in all Government technology spending.
These alignments create clarity and ensure consistency in all organisations and projects.
5. A Commitment to Innovation
One of the framework’s strengths is its ability to balance security with innovation. The Government works closely with industry partners and academia to test new technologies. These solutions are piloted to ensure they meet security requirements before being rolled out at scale.
By embedding security into every phase, the Government reduces vulnerabilities, manages risks proactively, and ensures public trust in the services it provides.
For public sector leaders, this approach gives you the tools and support you need. You can create secure systems and manage old risks. You can also adopt new technologies with confidence. This helps build resilience in your organisation.
Outcome 10: Cyber Security Controls
One size doesn’t fit all when it comes to Cyber Security. Each public sector organisation has its own functions, threats, and risks. This means you must customise your Cyber Security measures to fit specific needs.
The Government’s approach ensures controls are proportionate, effective, and aligned with organisational priorities while maintaining consistency across departments.
Cyber Security Strategy And Governance: What Are Cyber Security Controls?
Cyber Security controls are safeguards or measures—like firewalls, encryption, and access restrictions—designed to protect systems and data.
These controls are applied based on:
- Risk profiles: The level of threat and the criticality of an organisation’s functions.
This tailored approach ensures resources are spent wisely, focusing on where they’re needed most.
How It Works: A Risk-Based Approach
The Government uses the Cyber Assessment Framework (CAF) to determine an organisation’s risk profile and to define the security outcomes it needs to achieve.
This ensures:
- Proportionality: Organisations implement controls that match their specific threats and critical functions, avoiding unnecessary complexity or cost.
- Specific controls: Organisations with higher risks (e.g., handling classified data) will apply additional measures tailored to their needs.
Handling Classified Information
Systems managing sensitive information classified as SECRET or TOP SECRET require additional controls. These are centrally managed to ensure they meet strict security requirements and are regularly assured for compliance.
Government Cyber Security Strategy UK: What Should Public Sector Leaders Focus On?
- Understand your organisation’s risk profile: Work with your team to identify critical functions and the level of threats you face.
- Apply proportionate controls: Ensure security measures are appropriate for your specific risks and aligned with CAF guidance.
- Leverage centralised support: Use the policies, tools, and resources provided by lead departments to implement effective safeguards.
- Stay informed: For systems handling classified information, follow central Government standards to maintain compliance.
Outcome 11: Secure Configuration
Even the most securely designed technologies can be vulnerable if not set up properly. That’s why the Government is focusing on secure configuration—ensuring systems, software, and devices are configured to meet robust security standards. This approach reduces vulnerabilities and ensures consistency across organisations.
What is Secure Configuration?
Secure configuration means setting up systems and technology in a way that minimises risks, such as:
- Changing default settings to prevent easy access by attackers.
- Removing unnecessary features or permissions that could be exploited.
- Ensuring systems align with established security standards.
Poor configuration—whether due to oversight or lack of guidance—remains one of the most common causes of vulnerabilities.
Why is This So Important For The Public Sector?
As the Government continues its digital transformation, the number of systems, tools, and platforms in use is growing. Without proper configuration, even widely used tools like email and document-sharing platforms can become weak points in an organisation’s Cyber Security.
How Will This Be Achieved?
1. Standard Configuration Profiles
The Government is working with suppliers to develop secure configuration profiles for commonly used technologies.
These profiles will:
- Provide clear guidelines for securely setting up tools and systems.
- Be continuously updated to address new threats and requirements.
- Enable consistent setups across all organisations, simplifying processes.
2. Focus on Productivity Suites
Misconfigured productivity tools, like email or collaboration platforms, are a frequent source of vulnerabilities. The Government is collaborating with major providers to create baseline security configurations for these tools. These guidelines will help public sector organisations set up their productivity suites securely and reduce common risks.
3. Easy Auditing and Monitoring
Standard configurations will be designed to make auditing simple. This allows organisations to quickly identify and address risks, while also enabling cross-Government visibility to respond to emerging threats.
What Does This Mean for You?
As a public sector leader, secure configuration means:
- Ensuring your team follows clear, standardised guidelines for setting up and maintaining systems.
- Regularly auditing configurations to identify potential vulnerabilities before someone can exploit them.
- Taking advantage of the Government’s secure configuration profiles to streamline your organisation’s Cyber Security processes.
Outcome 12: Shared Capabilities
Cyber Security is a team effort. The Government’s shared capabilities approach helps public sector organisations tackle common challenges. Centralised tools, services, and programmes like Active Cyber Defence (ACD) reduce risks and improve resilience. This strategy also delivers value for money and encourages innovation.
Why Are Shared Capabilities Essential?
Many Cyber Security challenges are universal. Protecting websites, detecting malicious activity, and responding to threats are common issues for all organisations.
The Government’s shared capabilities approach avoids duplication by focusing on:
- Centralised solutions: Tools that can be deployed across multiple organisations to streamline defences.
- Consistency: A unified approach that ensures all organisations benefit from the same high standards of protection.
- Efficiency: Saving time and resources by addressing widespread risks collectively.
How Does the “Defend as One” Strategy Work?
1. Shared Tools and Services
The Government is scaling up its shared capabilities to address common Cyber Security issues. These include:
- Central protections for gov.uk domains: Ensuring all public sector websites are secured under a consistent framework.
- Standard configuration profiles: Developed with suppliers to provide secure, auditable settings for widely used tools and systems.
The NCSC’s ACD programme automates threat detection, prevention, and disruption to tackle the majority of cyber attacks before they can cause harm. Some key capabilities include:
- Takedown Service: Identifies and removes malicious websites.
- Protective DNS: Blocks access to harmful domains and prevents malware from communicating with control servers.
- Host-Based Capability: Monitors devices across government networks for suspicious activity.
- Cyber Threat Intelligence Adaptor: Provides rich, actionable intelligence to authorised organisations.
Self Service Tools:
- Early Warning: Alerts organisations to potential attacks.
- Mail Check: Helps secure email systems by assessing compliance and adopting secure standards.
- Web Check: Identifies and resolves security issues on public sector websites.
- Exercise in a Box: Offers realistic scenarios to practise incident response.
Your Role in Strengthening Shared Security
- Leverage shared tools: Take full advantage of programmes like ACD to harden your organisation’s defences.
- Collaborate with peers: Engage with other public sector organisations to identify common challenges and share best practices.
- Stay informed: Keep up to date with new tools and services as they evolve to address emerging threats.
The shared capabilities approach embodies the Government’s “defend as one” philosophy, ensuring that public sector organisations work together to protect the UK’s critical services and data.
Outcome 13: Information and Data Security
You handle sensitive information every day, and you know how important it is to keep it secure. From personal details to classified data, protecting it is a big responsibility. The Government’s strategy is here to help you manage and share it safely.
Outcome 13 focuses on classifying, managing, and securing data. It also addresses the risks from new technologies and skilled attackers.
Ensuring Information is Classified Correctly
Not all data carries the same level of risk, and appropriate classification is critical to protecting it. The Government’s Security Classifications Policy provides:
- Clear guidance on how to classify and handle different types of information based on risks and threats.
- Tailored protections for data, ensuring that highly sensitive information is treated with the strictest security measures.
To strengthen this approach, the Government will update its policies to:
- Better safeguard data at the OFFICIAL tier, which makes up the majority of Government information.
- Offer clearer guidance to users in modern work environments where data is handled in more flexible ways.
Improving Secure Data Sharing
With the National Data Strategy, the Government aims to improve how data is shared and used across departments. This involves:
- Robust security measures: Ensuring data is shared securely and consistently without risking its integrity or confidentiality.
- Enhanced collaboration: Making it easier for public sector organisations to work together using shared, secure data.
Tackling Emerging Technologies
New technologies present both risks and opportunities. The Government is preparing to address these through proactive measures:
- Artificial Intelligence (AI)
  - Improving defences: AI can enhance Cyber Security by identifying threats faster and automating responses.
  - Mitigating risks: Poorly implemented AI could create new vulnerabilities, so ensuring its secure use is a priority.
  - Preventing AI-driven attacks: The Government will counter adversaries leveraging AI for malicious purposes.
- Quantum Computing
  - Quantum computing, a new branch of computer science, could eventually render current encryption obsolete.
  - To mitigate this, the Government plans to deploy quantum-safe cryptography across its systems when necessary, ensuring long-term data protection.
Specialised Systems for Sensitive Data
For higher-risk data that needs extra protection, the Government uses tools like Rosa. Rosa is a cross-Government service for handling SECRET information. Key features of Rosa include:
- Advanced protections: Making it more difficult for adversaries to access sensitive data.
- Scalable use: With continued investment, Rosa will expand to support more users and use cases.
Deploying Advanced Protections
The Government recognises that even the most robust measures may not stop determined attackers, such as state-sponsored adversaries. To counter these threats, it will deploy:
- Advanced detection and protection techniques to identify and disrupt sophisticated attacks.
- Offensive Cyber Security capabilities, combined with international partnerships, to deter and neutralise adversaries.
Why This Matters for Public Sector Leaders
As a public sector leader, Outcome 13 provides you with a roadmap for:
- Embracing new technologies securely: Leveraging innovations like AI while mitigating associated risks.
- Building resilience: Using tools like Rosa and quantum-safe cryptography to protect your organisation’s most critical data.
- Collaborating effectively: Improving how data is shared and used across departments without compromising security.
Strengthening Defences, One Step at a Time
We’ve covered the Government’s bold approach to tackling cyber attacks and improving threat detection across the public sector. The strategy focuses on embedding security into every stage of technology’s lifecycle. It also emphasises collaboration through shared capabilities. The message is clear: resilience and proactive defence are essential.
But there’s more to uncover. In the next instalment of our guide, we’ll tackle more objectives, helping you gain a complete understanding of how these plans will shape the future of Cyber Security in the public sector.
If you’d like to discuss how we can support your Cyber Security strategy, contact us on 0121 663 0055 or email enquiries@equilibrium-security.co.uk.