Editorial

The new reality for public sector cybersecurity in 2026

Resilience is now critical in the face of such a persistent threat, says Northdoor plc’s Chief Commercial Officer, AJ Thompson.

Posted 8 July 2026 by Christine Horton


The UK public sector is facing a complex cybersecurity challenge. Over the past year, a number of attacks against public services, critical infrastructure and organisations connected to the public sector have highlighted the fact that cyber-attacks are no longer an expectational event, but an operational reality that all in the sector must prepare for.

The consequences are also increasingly visible. Disruption to healthcare services, attacks against transport systems, compromises of third-party suppliers and growing concerns around critical national infrastructure have demonstrated how cyber incidents can quickly move beyond IT departments and impact frontline services.

What makes the challenge particularly difficult for public sector leaders is that the threat is evolving at a time when budgets remain constrained, skills shortages persist and many organisations are still managing significant amounts of legacy technology. Security leaders are being asked to defend increasingly complex environments with limited resources.

New reality demands a shift in thinking

For many years, understandably, cybersecurity strategy was primarily focused on prevention. The objective was to stop attacks from happening in the first place. Whilst prevention remains a vital element in defensive tool boxes, but the modern threat landscape requires a much broader perspective. The question is no longer simply whether an organisation can prevent every attack. The nature of modern, AI-driven attacks means it is less about whether you can keep an attack out, but more how you respond to a breach when inevitably one gets through.

This is particularly relevant for the public sector because the stakes are fundamentally different from those in many private sector organisations. A cyber incident affecting a retailer may impact sales and reputation. A cyber incident affecting a local authority, an NHS Trust, education institution or government agency can disrupt essential services that the public depend upon every day.

The focus therefore must be on maintaining service continuity as much as protecting systems.

The continuing threat from supply chains

One of the most significant risks facing the public sector today comes not from within organisations themselves, but from the extensive networks of suppliers, partners and technology providers that support service delivery.

The public sector has become increasingly interconnected and complex. Whilst this has undoubtedly created efficiencies, the number of companies that have direct connection into public sector systems is now very large indeed, and cybercriminals fully understand this.

Rather than targeting their primary target, usually a well-defended organisation directly, cybercriminals often look for weaker links elsewhere in the supply chain. A single compromised supplier can provide access to multiple organisations, creating a multiplier effect that makes supply chain attacks particularly attractive.

The impact of the Synnovis ransomware attack provided a powerful reminder of how third-party compromise can have significant consequences for public services and the individuals who rely on them. Yet supply chain security remains one of the most challenging areas for public sector organisations to address.

Many organisations simply do not have complete visibility of every supplier, application, data flow and dependency that supports service delivery. Over time, technology estates evolve, contracts change and new digital services are introduced. The result can be an ecosystem that is difficult to map, let alone secure consistently. This is especially in the face of reduced budgets and internal resources. Indeed, it begins to look like a near impossible task.

A pragmatic approach is now critical

Public sector leaders need a clear understanding of their digital ecosystem. Which suppliers have access to sensitive data? Which systems are essential for service continuity? Which third parties represent the greatest operational risk if compromised?

These questions are often more valuable than broad compliance exercises because they help public sector organisations prioritise limited resources where they will have the greatest impact.

Few public sector organisations have the budget to address every vulnerability immediately. Almost none of them have the resources to replace every legacy platform or implement every desirable security control at once. The reality is that security leaders are constantly balancing risk against operational necessity.

That balancing act is becoming increasingly difficult as attackers exploit both technological and human vulnerabilities.

Artificial intelligence is helping cybercriminals automate phishing campaigns, improve social engineering techniques and increase the scale of attacks. At the same time, many successful breaches still rely on familiar weaknesses such as poor identity controls, inadequate authentication, unpatched systems and insufficient visibility across environments. In other words, while the technology behind attacks may be evolving, many of the underlying vulnerabilities remain stubbornly consistent. The employee remains for the most part the weakest link in a defensive strategy and it might not even be the employee of the primary target, but rather one of a partner.

The organisations that demonstrate the greatest resilience are rarely those with the largest budgets. They are typically those with the clearest understanding of their risks and the discipline to focus on what matters most.

For this to happen cybersecurity and resilience have to become an everyday part of an organisation’s operations rather than purely a technical one. 

Boards, executive teams and operational leaders increasingly need to understand cyber risk in the same way they understand financial, regulatory or operational risk. Security decisions should be linked directly to organisational priorities and service outcomes. Indeed, set in an increasingly complex regulatory landscape, senior public sector leaders are now being held personally responsible for breaches and data loss.

The objective is not to eliminate risk entirely. With such sophisticated attacks it is almost impossible for any organisation to achieve this. The objective is to understand risk sufficiently well to make informed decisions.

This principle becomes even more important as public sector organisations continue their digital transformation journeys.

Gaining an understanding of vulnerabilities within supply chains

The drive to modernise services, improve public experiences and increase operational efficiency will inevitably introduce new technologies, new suppliers and new dependencies over the coming months and years. It is crucial that innovation should not stop because of cyber risk. However, security considerations must be integrated into transformation programmes from the outset rather than added retrospectively.

Some are turning to AI-driven 360-degree solutions that can provide an overview of vulnerabilities in partner networks. Not only does this work for existing companies within supply chains, but also for potential partners. This allows public sector organisations to talk to partners and close vulnerabilities before cybercriminals can take advantage or before contracts are signed.

This is particularly important as the threat facing the public sector is not going to go away any time soon.  Against this backdrop, public sector organisations must look to solutions that can provide insight to prevent attacks and build resilience in the face of a successful breach.

The organisations that succeed will not necessarily be those that spend the most. They will be those that understand their risks, focus on their critical services, strengthen their supply chains and build the resilience needed to continue serving the public in an increasingly uncertain world.

Event Logo

If you are interested in this article, why not register to attend our Think Digital Identity and Cybersecurity for Government conference, where digital leaders tackle the most pressing issues facing government today.


Register Now