The Public Accounts Committee (PAC) published a damning report this week, finding that national museums and galleries across the UK are being left exposed to cyber attacks, physical theft, and financial instability, while the Department for Culture, Media and Sport (DCMS) takes a largely hands-off approach.
The report highlights a pattern that will be familiar to the security community: high-profile incidents, promises of lessons learned, and a conspicuous absence of concrete follow-through. The 2023 British Library ransomware attack knocked out services for months. The British Museum suffered high-profile thefts. And yet, when pressed by the Committee, DCMS could not point to specific actions taken across the sector in response to either incident.
PAC Chair Sir Geoffrey Clifton-Brown was unsparing: “Cyber-attacks, the theft of items from collections, and a fall in the number of visitors are just some of the issues museums and galleries are fighting to overcome. The lack of centralised support is leaving them vulnerable.”
The security industry’s reaction to the report has been pointed. Two experts we spoke to raised questions not just about government strategy, but about the sector’s own security culture.
The British Library Attack Was a Watershed, So Why Is Nothing Different?
Graeme Stewart, Head of Public Sector, Check Point Software
Stewart argues that the 2023 British Library incident should have been a defining moment for the sector, but largely wasn’t.
“The PAC’s findings are a stark reminder that cyber threats don’t discriminate by sector, and that cultural institutions, often perceived as low-risk targets, can in fact be high-value ones,” he says. “The 2023 attack on the British Library was a watershed moment for the sector. It demonstrated that a ransomware incident can cripple operations, compromise data, and cause months of disruption, all while threatening the trust these institutions depend on. That the government has yet to translate the lessons of that incident into concrete, sector-wide protective action is deeply concerning.”
He points to a structural mismatch that makes museums and galleries harder to secure than a typical organisation: they combine standard digital vulnerabilities (network-connected systems, online ticketing, and third-party suppliers) with unique physical security requirements and, frequently, limited in-house cyber expertise.
“What’s needed is exactly what the PAC is calling for: a strategic, proactive approach rather than the reactive posture we’ve seen to date. That means DCMS taking a genuine coordinating role, facilitating shared threat intelligence across institutions, establishing baseline cybersecurity standards, and ensuring that digital record-keeping of collections is both implemented and protected.”
“The sector cannot afford to wait for the next incident to act. These institutions are the cultural lifeblood of this country, and the long-term damage to the nation’s heritage, reputation, and public trust that could result from continued inaction would be far harder to recover from than any single attack.”
It’s a Security Culture Problem, Not Just a Budget Problem
Muhammad Yahya Patel, vCISO and Cybersecurity Advisor EMEA, Huntress
Patel is less sympathetic to the framing of constrained budgets as the primary obstacle, and places some responsibility directly on the institutions themselves.
“The evidence has been sitting in plain sight for years,” he says. “UK’s iconic cultural institutions suffered serious security incidents, and the government’s response was to facilitate lessons-learned sharing. That’s not a security strategy. That’s hoping the next institution pays attention.”
The more uncomfortable argument he makes is that framing this purely as a funding issue obscures a deeper problem. “The cultural sector has a security culture problem as much as a resource problem, and conflating the two lets institutions off the hook for the controls that are within their reach, regardless of budget.”
He also pushes back on the idea that museums and galleries are a special case. “The PAC report is specifically about museums and galleries, but the structural problem it describes is not unique to them. Public sector bodies operating with significant autonomy, legacy infrastructure, constrained budgets, and limited in-house security expertise are a common profile across UK public institutions.”
“The PAC is right that the current approach of sharing lessons after incidents occur is not a substitute for preventing them.”
The Financial Picture Makes This Harder
The cybersecurity gaps sit against a backdrop of real financial strain. DCMS provided 15 government-sponsored museums and galleries with £484 million in grant-in-aid funding in 2024-25, a real-terms reduction of 16% as emergency pandemic funding wound down. Energy and staffing costs have risen, and visitor numbers have not fully recovered.
Institutions have offset some of this through self-generated income, which reached £563 million in 2024-25, a 53% real-terms increase on 2021-22. But those revenue streams depend on operational continuity and public trust: exactly what a serious cyber incident puts at risk.
The PAC has asked DCMS to set out what concrete actions it and individual institutions have taken and are taking on cyber and physical security, and to establish clear metrics for assessing performance. It has also flagged concerns about trustee vacancy rates and senior leadership churn across the sector, both of which affect governance and financial oversight.
What the Security Industry Wants to See
Both experts broadly agree on what a proper response looks like: DCMS needs to move from facilitating post-incident reflection to driving proactive, sector-wide standards. That means baseline cybersecurity requirements, shared threat intelligence, coordinated support for institutions with limited in-house capability, and protections around the digitisation of collections.
The PAC’s report is an opportunity. Whether DCMS treats it as one remains to be seen.




