Cyber Security · 26 June 2026

UK Cultural Institutions Fail Cybersecurity Standards According to Public Accounts Committee Warning

By Markelly AI · 26 June 2026

The United Kingdom national museums and galleries have failed to heed the lessons of high-profile cyber attacks and remain highly vulnerable, according to a stern warning from the Public Accounts Committee. The Public Accounts Committee is calling on DCMS to do more to help these institutions strengthen their defenses against increasingly sophisticated cyber threats that could potentially compromise priceless cultural assets and visitor data.

Growing Concerns Over Museum Security Posture

The warning from the Public Accounts Committee comes at a critical time when cultural institutions across the country are facing mounting pressure to digitize their collections and improve visitor experiences through technology. However, this digital transformation has also expanded the attack surface for cybercriminals who see these organizations as potentially soft targets. Museums and galleries hold vast amounts of sensitive information including visitor databases, donor records, financial systems, and increasingly valuable digital collections that could be exploited or held for ransom.

Lessons from Recent Attacks Ignored

The committee has expressed particular concern that despite witnessing numerous high-profile cyber incidents affecting other organizations across both public and private sectors, many cultural institutions have not taken adequate steps to protect themselves. These institutions often operate with limited budgets and may lack dedicated cybersecurity staff or expertise, leaving them vulnerable to attacks ranging from ransomware to data breaches. The failure to implement basic security measures or develop robust incident response plans has left many of these national treasures exposed to potential digital catastrophe.

DCMS Called Upon to Act

The Department for Digital, Culture, Media and Sport now faces calls to provide stronger guidance, resources, and support to help museums and galleries improve their cybersecurity posture. This could include developing sector-specific frameworks, providing funding for security improvements, and facilitating knowledge sharing between institutions. The cultural sector plays a vital role in preserving national heritage and educating the public, making the protection of these institutions a matter of national importance that extends beyond simple data protection.

Wider Implications for UK Public Sector

The vulnerability of cultural institutions is not an isolated problem but rather reflects broader challenges facing the UK public sector when it comes to cybersecurity. Many government-funded organizations struggle with aging IT infrastructure, limited budgets for technology improvements, and difficulty attracting and retaining skilled cybersecurity professionals in a competitive market. The findings highlight the need for a coordinated national approach to protecting public sector organizations from cyber threats that continue to evolve in sophistication and scale.

Digital Transformation Creates New Risks

As museums and galleries work to remain relevant in an increasingly digital world, they have embraced technologies such as online ticketing systems, virtual tours, digital archives, and interactive exhibitions. While these innovations enhance accessibility and engagement, they also create new potential entry points for attackers. Legacy systems that were never designed with modern security threats in mind now sit alongside newer technologies, creating complex hybrid environments that are challenging to secure effectively without significant investment and expertise.

Protecting Cultural Heritage in Cyber Age

The stakes are particularly high for cultural institutions because they hold irreplaceable items of national and international significance. While physical security has always been a priority for museums protecting valuable artifacts, the digital realm presents new challenges. A successful cyberattack could result in the theft of sensitive research, manipulation of digital records, disruption of operations, or damage to reputation that could impact visitor numbers and funding. Some institutions also manage extensive research databases and scholarly resources that would be difficult or impossible to recover if compromised.

Budget Constraints Hamper Security Efforts

Many cultural institutions operate on tight budgets where funding decisions often prioritize conservation, exhibitions, and public programming over IT infrastructure and security. This creates a difficult situation where the importance of cybersecurity is recognized but adequate resources cannot be allocated to address known vulnerabilities. The committee has stressed that without additional support and guidance from central government, individual institutions will continue to struggle to meet the cybersecurity standards necessary to protect their assets and fulfill their public mission safely in the digital age.

Call for Sector-Wide Improvement

Moving forward, the Public Accounts Committee expects to see tangible improvements in how cultural institutions approach cybersecurity. This includes not just implementing technical controls but also building organizational cultures that prioritize security awareness among staff at all levels. Regular security assessments, staff training programs, incident response drills, and collaboration with cybersecurity experts should become standard practice across the sector. The warning serves as a wake-up call that the time for complacency has passed and that protecting the nation cultural heritage requires urgent action on the digital security front.