IT Brief UK - Technology news for CIOs & IT decision-makers
United Kingdom
Public sector cyber training gaps exposed in survey

Public sector cyber training gaps exposed in survey

Wed, 8th Jul 2026 (Today)
Sean Mitchell
SEAN MITCHELL Publisher

Skillcast has published research showing gaps in cybersecurity training among UK public sector workers. The study found that 85% of respondents said they could spot a phishing attempt.

The findings point to a mismatch between staff confidence and recent training. More than a quarter said they had not received effective cybersecurity training in the past 12 months, or at all.

The compliance training provider surveyed 200 public sector employees for a report on awareness of workplace cyber risks. It found that risky behaviour remains common, even where staff say they understand the threat.

Just under 17% of respondents said they connect their work device to public Wi-Fi networks in places such as coffee shops or on public transport. Nearly half, 45%, said they use their work device to check personal emails and social media at least some of the time.

Awareness of internal rules was also uneven. While 82% said they were familiar with their organisation's cybersecurity and data-handling policies, 16% said they only knew a policy existed and 2% said they were completely unaware of it.

The report comes amid continued concern over cyber incidents affecting public bodies, including higher education institutions. Public services remain a target because of the volume of personal data they hold and the disruption attacks can cause.

Training gaps

Skillcast also cited a separate Freedom of Information request, which found that 10% of local councils have what it described as robust cybersecurity policies in place. The comparison suggests weaknesses may extend beyond individual staff behaviour to organisational controls.

Sofia Chaqiri, Senior Client Partner for the Public Sector at Skillcast, said: "Cyber-attacks are becoming more sophisticated and widespread, and the public sector is a key target because of the volume of data organisations hold and the potential disruption to vital services in sectors such as healthcare and transport.

"The government signalled its determination to tackle cyber-attacks in the public sector at the start of the year with the launch of its Cyber Action Plan.

"Our data suggests that while most people are confident they could spot a phishing email and generally follow good practices, there are clear gaps in training.

"The fact that some people haven't received effective training for at least 12 months is particularly worrying. They may understand the risks in theory, but it is easy to let your guard down when working quickly or casually scrolling through social media on a work device at home."

The research focused on phishing awareness, but the responses also point to a wider challenge for managers trying to enforce security policies in hybrid and mobile working environments. Using public networks and mixing personal and work activity on the same device can create extra routes for compromise.

Expert view

Dr John Kingston, Senior Lecturer in Cyber Security in the Department of Computer Science at Nottingham Trent University and a contributor to the report, said: "Education takes time to be fully effective, so attackers can often outflank organisations that are trying to protect themselves. But that only reinforces how important it is to train staff properly. Organisations cannot afford to stand still. Technology and cyber threats are evolving too quickly.

"Delivering regular, in-depth training that reflects real-life scenarios is the best way for organisations to stay agile. Cybersecurity has to be an ongoing, high-priority concern from top to bottom, not to stoke fear, but to build healthy, rational vigilance among staff."

Chaqiri also argued that standard annual training sessions may no longer be enough for workers facing changing risks across different roles. She said more frequent, tailored approaches could help staff recognise suspicious activity in day-to-day work.

"Compliance training has to evolve beyond one-off, yearly or generic sessions that don't reflect the reality public sector workers are facing today. Just because it is serious does not mean it has to be dry. Quizzes, phishing simulations and instant feedback are more engaging and help people stay up to date.

"Personalised training is also valuable because risks vary according to an individual's role. Someone on the front line in admin or customer service may face different challenges from line managers, so sessions should be relevant and matched to their capabilities," Chaqiri said.

Separate Skillcast research indicates that the public sector compares relatively well with some other industries on certain measures. The sector was the only one to record a decline in the number of attacks reported to the Information Commissioner's Office over two years and also had the lowest phishing click rates.

Even so, the latest survey suggests that staff confidence does not always match recent preparation, with more than a quarter of respondents saying they had not received effective cybersecurity training in the past 12 months or at all.