
Public Sector Leads UK Industries in Cyber Policy Strength, New Study Finds

Amid a surge in cyberattacks across the UK, new research reveals that the public sector is leading all industries in cybersecurity readiness, with the strongest policy frameworks, highest compliance rates and the lowest phishing vulnerability nationwide.

Posted 10 November 2025 by Christine Horton

Public sector organisations have emerged as the UK’s strongest performers in cybersecurity policy, outpacing all other industries in their ability to translate written rules into real-world resilience, according to new research from compliance training provider Skillcast.

The Cyber Culture Clash study analysed the gap between policy and practice across the UK’s largest organisations in multiple sectors. It found that the public sector achieved a 79 percent policy-to-practice alignment, scoring a ratio of 4:5 – the highest of any industry measured.

While no sector is immune to rising cyber risks, the report highlights that public bodies have made progress in building robust frameworks, training staff and reducing exposure to threats. The public sector was the only industry to record a decline in cyberattacks reported to the Information Commissioner’s Office (ICO) over the past year, even as other industries saw increases.

Leading on Policy and People

The report attributes much of this success to the sector’s structured approach to governance and training. Eighty percent of public sector organisations analysed had a dedicated, documented cybersecurity policy compared to just 10 percent in energy and retail. Furthermore, all public sector bodies examined were registered under the UK Government-backed certification scheme, Cyber Essentials Plus.

The study also found that public sector staff recorded the lowest phishing click rates across all sectors.

Each industry in the study was rated on two scales out of 260 points – one for policy and one for practice. The policy score assessed cybersecurity frameworks, regulatory references, and certifications like Cyber Essentials Plus, while the practice score measured operational realities such as staff size, attack frequency, and phishing susceptibility.

Vivek Dodd, CEO at Skillcast, said the findings demonstrate how the public sector has turned past crises into catalysts for improvement.

“While some of this progress may reflect threat actors pivoting toward more lucrative private-sector targets, it also signals genuine improvement following high-profile incidents like the NHS attack, which spurred sector-wide reform,” he said.

“Public bodies excel at establishing frameworks, but maintaining agility as threats evolve remains the real test. Policies must keep pace with rapidly shifting attack vectors – what’s compliant today may be inadequate tomorrow.”

He added that the findings indicate a growing maturity in how public bodies approach cybersecurity, shifting from compliance checklists to a culture of adaptive resilience.

“Our ‘Cyber Culture Clash’ research shows the public sector is successfully transforming compliance culture into genuine cyber maturity,” said Dodd. “The challenge now is sustaining that momentum – ensuring systems remain not just compliant, but responsive and resilient against the evolving threats targeting the critical services millions depend on.”

