Editorial

Cybersecurity for the public sector: increasing identity security and building resilience

With threat actors increasingly targeting staff credentials, the public sector needs a shift from reactive defence to proactive identity resilience, says Dominic Carroll, director of portfolio at e2e-assure.

Posted 4 December 2025 by Christine Horton


With threat actors increasingly persistent in their phishing and social engineering attacks on the UK public sector, identity security has grown significantly in importance for local and central government.

While the public sector is responsible for protecting sensitive public data, the overarching priority centres on how best to guard the identities of those working within the Civil Service.

With threat actors finding new pathways to gain entry to organisations, how can the public sector embed identity security at the heart of defence strategies to mitigate the challenges behind identity theft?

Implement specific detection engineering

Out-of-the-box detection rules do not provide public sector departments with suitable detection and response monitoring, especially not for identity protection. Threat detection and response should use known user behaviour and external threat intelligence to engineer unique detection rules for improved monitoring, creating organisation-specific rule sets to identify and contain malicious behaviour.

In practice this looks like an active response, predefined by an internal team or with the support of an external supplier, that uses historical log data to create and test immediate containment rules. We refer to this as ‘contain first and investigate immediately’. This ensures that unusual user behaviour is contained immediately, preventing possible lateral movement by a threat actor, and is then investigated immediately by an expert cyber analyst to confirm the alert’s validity.

Additionally, proactive threat hunting allows public sector departments to become aware of potentially compromised user credentials and to enforce password resets before those credentials are used for initial access.

Principle of least privilege, zero trust and continual verification

Where specific detection engineering is not yet available, the principle of least privilege, zero trust and verification measures slow the lateral movement of threat actors who succeed in gaining initial access. The principle of least privilege is a best-practice process that focuses on granting users only the minimal permissions necessary for them to perform their role. By applying this principle, compromised accounts have limited access to admin controls, ultimately slowing the progress and reducing the impact of threat actors.

Adopting zero trust means moving from one-time checks to continual verification. Every user, device and application must be authenticated and authorised each time they request access. To make this effective, organisations need clear identity lifecycle management, from onboarding to access reviews to timely deprovisioning. Alongside this, strong governance frameworks must set out who can access what, under which conditions, and for how long, ensuring accountability and reducing unnecessary exposure.

Whilst moving from single-factor authentication (SFA) to multi-factor authentication (MFA) has become standard practice, public sector organisations must further evolve to risk-based authentication. This adapts security requirements based on contextual factors such as location, device, and behaviour patterns, offering a more sophisticated approach that balances security with user experience.

Multi-factor authentication (MFA) has become standard practice across most organisations, including public sector teams, but some organisations are still yet to mandate its use. This layer of protection, although not perfect, does create another layer of difficulty for a threat actor which, depending on their motive, may be enough to deter them from attempting initial access. Moreover, logs from these controls can be used in specific detection engineering to flag possible malicious attempts at user access.
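As an added illustration of the risk-based authentication and ‘contain first’ ideas above (example code written for this page, not e2e-assure’s or any product’s own), the following scores a login against a per-user baseline built from constructed historical log events and decides whether to allow it, step up to MFA, or contain the session for analyst review. The contextual signals (location, device, recent MFA failures), their weights and the thresholds are assumptions chosen for the example.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Login:
    user: str
    country: str
    device: str
    mfa_ok: bool  # False: MFA challenge failed or never completed

# Constructed history (not real logs): what "normal" looks like per user.
HISTORY = [
    Login("alice", "GB", "laptop-01", True),
    Login("alice", "GB", "phone-07", True),
    Login("bob", "GB", "desktop-22", True),
]

def build_baseline(history):
    """Known countries and devices per user, learned from historical log data."""
    base = defaultdict(lambda: {"countries": set(), "devices": set()})
    for ev in history:
        base[ev.user]["countries"].add(ev.country)
        base[ev.user]["devices"].add(ev.device)
    return dict(base)

def risk_score(event, baseline, recent):
    """Score a login on location, device and the user's recent MFA behaviour."""
    profile = baseline.get(event.user)
    if profile is None:
        return 4  # no baseline at all: treat as high risk
    score = 0
    if event.country not in profile["countries"]:
        score += 2  # new location
    if event.device not in profile["devices"]:
        score += 1  # new device
    failures = sum(1 for e in recent if e.user == event.user and not e.mfa_ok)
    if failures >= 3:
        score += 2  # burst of failed prompts: possible MFA fatigue or guessing
    return score

def decide(event, baseline, recent):
    """Contain-first policy: high scores are blocked and sent to an analyst."""
    score = risk_score(event, baseline, recent)
    if score >= 4:
        return "contain"
    if score >= 1:
        return "step-up"
    return "allow"
```

In a real deployment the baseline would be rebuilt from identity-provider logs on a schedule and the "contain" outcome would revoke the session and raise an alert for the analyst to validate.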

These processes are not impenetrable, but they help make public sector teams harder targets for threat actors. Ideally, public sector organisations should lean on the expertise of leading Threat Detection and Response providers, utilising the threat intelligence pools those providers have access to. This will not only reduce detection and response times but also mature their cybersecurity measures, improving identity security and holistic resilience to cyber threats.

Humans form the first line of defence

Technology alone cannot solve the identity security challenge. Public sector organisations must invest in comprehensive security awareness programmes that help staff recognise and respond to identity-based attacks, such as phishing and social engineering attempts. Organisations should consider using simulations to demonstrate MFA setup, its common challenges and its benefits. Ultimately, as threat tactics advance, it is vital that public sector organisations continually assess their controls and authentication systems.

A ‘one and done’ approach to cybersecurity is not advised for organisations strengthening digital identity access. Instead, regular testing and assessment of detection rules should be carried out to ensure that maximum coverage and posture are still being achieved. We refer to this as Detection Surface Validation and run this with our customers quarterly.

The path forward: policy and long-term resilience

With the government this year announcing the launch of the GOV.UK Wallet, a digital identity wallet, the public sector needs to balance the opportunities and risks. The initiative brings stronger security and verification measures, allowing users to access their documents via biometric verification such as facial or fingerprint recognition. Despite these clear benefits, organisations need to be aware of the potential implications of storing and centralising sensitive information in one place should threat actors gain entry.

The government’s other ongoing cybersecurity initiatives provide a foundation, but public sector departments need specific guidance on identity security implementation, to not only address their unique operational requirements but also maintain consistency and ensure continuity of government services.

Beyond certification schemes such as Cyber Essentials, the Cyber Assessment Framework (CAF) provides a structured way for public sector organisations to assess and strengthen identity security. Objectives such as D1a and D1b directly address incident response and access management, requiring clear definitions of user roles, comprehensive coverage of authentication controls, and continual testing against known and emerging attack patterns. By mapping identity practices against CAF objectives, public sector security leads can gain a practical benchmark to evidence resilience, demonstrate compliance, and identify gaps before they are exploited.

Additionally, the Cybersecurity and Resilience Bill aims to address current vulnerabilities for the public sector and to guide departments in building strong, resilient cyber foundations. These certifications and regulations will help steer organisations towards prioritising testing and simulation of attacks, helping them see vulnerabilities before they are exploited.

Identity protection can no longer be treated as a technical add-on. It must sit at the centre of public sector cyber strategy, backed by the right controls, testing and skilled expertise. By combining regulatory frameworks such as CAF with tailored detection engineering, continual verification and proactive analyst oversight, departments can move from reactive defence to assured resilience. Our focus is to help public sector organisations achieve that shift, making identity a strength rather than a weakness, and ensuring that the essential services citizens rely on every day continue without interruption.
