UK Government says it’s ‘cut cyber attack fix times by 84%’ with new vulnerability monitoring service

A new scanning service spots weaknesses in government DNS records for 6,000 UK public sector bodies


The Department for Science, Innovation and Technology (DSIT) is tackling cyber risks head-on with a new vulnerability monitoring service (VMS) for government services.

The new service focuses primarily on weaknesses in the Domain Name System (DNS), which can allow attackers to redirect users to fraudulent sites, steal sensitive data, or take services offline entirely.

While weaknesses in government DNS records have previously gone unnoticed for up to two months, the VMS brings that down significantly – alerting users, giving practical guidance on how to fix the problem, and tracking progress until issues are resolved.

"Cyber attacks aren’t abstract threats — they delay NHS appointments, disrupt essential services, and put people’s most sensitive data at risk," said minister for digital government Ian Murray.

"When public services struggle it’s families, patients, and frontline workers that feel it."

How does the Vulnerability Monitoring Service work?

The VMS continuously scans 6,000 UK public sector bodies, detecting around 1,000 different types of cybersecurity vulnerabilities.

According to Murray, the VMS has proven highly effective so far, helping to reduce the median time to fix domain-related vulnerabilities from 50 days to just eight – an 84% improvement.

Similarly, the median time to fix other cyber vulnerabilities has been cut from 53 days to 32.

The backlog of critical open domain-related vulnerabilities has also dropped by 75%, with around 400 confirmed vulnerabilities processed and resolved each month.

"The vulnerability monitoring service has transformed how quickly we can spot and fix weaknesses before they’re exploited so we can protect against that," Murray commented.

"We’ve cut cyber attack fix times by 84% and reduced the backlog of critical issues by three quarters. And as the service expands to cover more types of cyber threats, fix times are falling there too."

Positive steps, but not far enough

Kevin Marriott, senior manager of cyber at Immersive, said the new service marks a step in the right direction for public sector cybersecurity, which has traditionally lagged behind the private sector due to a combination of factors.

"The public sector has always had an uphill task in fixing vulnerabilities quickly due to the scale of government networks and their interconnectivity, as well as limited budgets and small security teams that can’t always keep pace with the growing patch backlog," he said.

"It shows that reducing risk doesn’t require radical, wholesale changes but rather doing the fundamentals well. A strong vulnerability management strategy starts with clear visibility, an understanding of which are your key assets, what they do, their dependencies, who their owners are, and an accurate asset inventory."

Stephen Fewer, senior principal researcher at Rapid7, said the government could go further in bolstering security capabilities.

"A key focus for the government should be limiting the internet exposure of critical applications and management interfaces, ensuring they are never exposed to the public internet," he said.

"Government organizations such as the NHS have many network edge appliances, including VPNs and firewalls, that cyber criminals can exploit. Reducing the attack surface is the next best defence after remediating known weaknesses."

New initiative looks to recruit cyber pros

The government has also launched a new Cyber Profession initiative, based in the North West and aimed at recruiting and training cyber professionals to further bolster government security capabilities.

A new dedicated Cyber Resourcing Hub will be established as part of the scheme to streamline recruitment and create a clear career framework aligned with UK Cyber Security Council professional standards.

It will also include a government Cyber Academy for training and development, a new apprenticeship scheme to build future talent, and structured career pathways to strengthen long-term capability across the public sector.

Wayne Cleghorn, cybersecurity and data protection partner at Excello Law, welcomed the launch, but noted this needs to be a sustained effort to ensure a steady flow of talent into the public sector.

"The UK National Audit Office's identification of a serious cybersecurity skills gap in government is being addressed by the announcement of a new cyber profession for government," he said.

"However, this must be more than a re-badging of existing activities. It must be serious and consistently measured. It must become deeply embedded in government information governance and data protection practices."


Emma Woollacott

Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.