New research from cybersecurity firm Trend Micro reveals a stark reality: 60% of IT leaders within the UK public sector believe a successful cyber-attack is “only a matter of time.”

The study of 250 IT public sector leaders highlights a growing concern that evolving tactics from threat actors are outstripping internal capabilities and skill-sets.

Phishing is viewed as the most significant threat over the next two years by 60% of respondents, closely followed by ransomware at 41%. These concerns come as the government deliberates strategies to combat cyber threats, including a potential ban on ransomware payments in the public sector.

Beyond external threats, the research points to critical internal vulnerabilities. Nearly one-third (31%) of IT leaders admit that a lack of proactive threat hunting and risk management leaves their organizations exposed. If breached, 24% believe it would take between one to three days to identify a ransomware attack, with the average response time hovering around one day and six hours, underscoring a reactive rather than proactive defence posture.

A major contributing factor to this reactive stance is time constraint; almost half (49%) of leaders are so overwhelmed by immediate cybersecurity challenges that they lack time for strategic planning. Furthermore, 42% of respondents identified the absence of a comprehensive, cybersecurity-first culture across the broader workforce.

This manifests in concerning behaviours like employees intentionally bypassing security protocols (47%) and prevalent human error (39%), indicating a disconnect between training and practice.

Jonathan Lee, UK cybersecurity director at Trend Micro, warned that the public sector remains a “prime target” for cybercriminals, citing recent incidents like breaches affecting NHS suppliers and The British Library.

In response, IT leaders are rethinking their approach, with 38% planning to adopt advanced technologies, including Generative AI, by 2027 to bolster threat detection capabilities, acknowledging that traditional defenses are no longer sufficient against sophisticated attacks.

