BSI survey highlights significant variations in data security readiness within UK Public Sector

05 September 2018 


  • More than three-quarters of UK public sector bodies have experienced a security breach in the last 12 months
  • Loss of data named as single biggest concern among public service organizations when it comes to Shadow IT
  • Disaster recovery / business continuity main reason for adoption of cloud

A survey compiled by BSI’s Cybersecurity and Information Resilience centre of excellence in conjunction with GovNewsDirect has unearthed a range of inconsistencies in how prepared the UK’s public sector organizations are for potential cyber-attacks and data losses.

Actual security breaches

In the last 12 months, 77 per cent of organizations surveyed had suffered a security breach. The most common causes were staff error (32 per cent), phishing (30 per cent), malware (18 per cent), ransomware (11 per cent) and Denial of Service (7 per cent) attacks. 

Although 94 per cent of organizations said they have a plan in place to handle data breaches, 58 per cent said they are concerned or not confident about being able to access their application systems in the event of a cyber-attack. 

Data security concerns and challenges

In today’s agile working environment, remote access has become integral to the provision of public services, with over 73 per cent of all staff having access to emails, while nearly one in five of all staff members have access to their organization’s Customer Relationship Management (CRM) system remotely. The research also highlighted that 31 per cent of organizations offer a ‘Bring Your Own Device’ (BYOD) policy that applies to all staff.

The threat of data security breaches is exacerbated by the rise in ‘shadow IT’, which is often used without the authorization of IT managers. Organizational concerns around shadow IT include: data loss (82 per cent), security (78 per cent) and unauthorized applications (51 per cent).

Cloud adoption

The transition towards cloud-based IT systems is one of the positive findings of the research, with 52 per cent of public sector bodies now using Office 365 – and a further 30 per cent in the process of adopting it. 68 per cent of respondents said that disaster recovery / business continuity was the main reason for moving to the cloud, followed by the ability to provide mobile / remote working access (58 per cent) and security (57 per cent).

Commenting on the survey, Stephen Bowes, Head of Solutions Delivery and IT at BSI said: “The results of our survey highlight security concerns and implications associated with the transition to cloud data management systems as well as the threat of ‘shadow IT’[1]. It also shows that responsibility for data security remains a grey area within public sector bodies.”

“Above all, the survey demonstrates the need for organizations to invest in training and education to increase awareness of data security challenges amongst staff and stakeholders,” Stephen says. “Often by the time a breach takes place it’s already too late, so preparation is everything.” 

“Awareness is no substitute for preparation”

“Our research shows first of all that awareness of cybersecurity is definitely growing right across the spectrum of the UK public sector,” says Stephen Bowes. “However, different organizations are at different stages of their digital journey and as the pace of IT innovation and digital transformation continues to quicken, there are inconsistencies in how prepared organizations are in the event of a cyber-attack or a data loss incident.” 

“When it comes to data security, awareness is no substitute for preparation,” concludes Stephen Bowes. “Data is as important to public services as personnel and physical infrastructures, and everyone has a responsibility to protect it. Embedding best practice and proper training when it comes to storing sensitive data is imperative to the important work the public sector does in protecting its citizens’ security and privacy.”

A wide range of organizations (745 in total) were surveyed for this research including Central and Local Government, Healthcare, Education and Blue Light emergency services, with respondents drawn from senior levels across C-suite positions, directors, senior and line managers and lead officers. 

BSI’s Cybersecurity and Information Resilience centre of excellence provides a range of solutions to help organizations address their information challenges covering cybersecurity, information management and privacy, security awareness, and compliance and testing. For more information visit




Editor’s note: 

Research was compiled by BSI in conjunction with GovNewsDirect to examine the robustness of the public sector against cyber-attacks and other threats to data security. It examines preparedness in the event of a malicious attack, the extent to which security measures are already in place and organizational attitudes towards information resilience. The results of the survey allow those who took part and others to benchmark themselves against the wider public sector and review their systems and contingencies for data security.

[1] The downloading and use of productivity applications on both work and personal devices