Councils Face Double Deadly Virus Threat

The public sector was at high risk from cyber attacks before Covid-19. But now, with whole workforces working from home, experts warn the likelihood of a successful attack is greater with potentially devastating consequences.

Implementing gold standard security solutions may not be practical or affordable short term, but there are a number of actions that could and should be taken right now.

Local councils faced as many as 263 million cyber attacks in the first half of 2019, averaging 800 attacks every hour, according to freedom of information requests made by insurance broking firm Gallagher. Most are thwarted but a successful attack, which can occur from a new unblocked threat or because anti-virus protection is outdated, can have far-reaching consequences for employees, service users and budgets.

Ransomware continues to be a huge threat, with a successful attack able to scramble and encrypt key files and spread across a whole infrastructure in minutes. The number of avenues cyber criminals can target to activate these attacks has rocketed with entire workforces now linking into company systems on potentially unsecured and unprotected devices.

David Woodfine, partner at cyber security company Assurity Cyber Associates (ACA), warned that there had been a 500 per cent increase in the number of phishing emails since the pandemic began and an increase in smishing (text messages) and vishing (voice calls) too.

The National Cyber Security Centre has warned it is seeing a growing use of Covid-19 related themes by malicious cyber actors, while INTERPOL issued a notice to 194 member countries warning it had detected a significant increase in the number of attempted ransomware attacks against key organisations and infrastructure engaged in the Covid-19 response.

It said the ransomware seemed to be spreading primarily through emails, often falsely appearing to be from a government agency regarding the Coronavirus.

“The cyber attacker has realised that people are very scared and is using Covid-19 phishing emails to get us to interact,” says Woodfine. Typical attacks include trying to get an individual to divulge a username and password directly; getting a user to click on a malicious link, open a malicious document or visit a malicious website; and tricking an individual into providing financial details or paying an invoice.

While ransomware remains one of the biggest risks, there are other types of malicious software designed to do harm. One clicked link or opened file, for example, can lead to an attacker downloading software known as a key logger onto an individual’s device. This can then capture key strokes as an individual inputs a user name and password, giving the attacker access to the organisation’s network.

Two weeks into the lockdown there were news reports that Rotherham Council’s IT system had been compromised by an employee accidentally clicking on a spam email with “COVID-19” in the subject field, although the council said no data or information was compromised and the issue was quickly resolved.

Kevin Borley, also a partner at ACA, described the situation as “a perfect storm”. “We have massively increased risk, huge vulnerability and reduced ability to respond as we would otherwise do,” he says.

Borley advised that local authority leaders and IT departments should adopt the mindset that they will be attacked. “The public sector is always at the bottom end of the scale in terms of investment in infrastructure and technology, always having to make do and mend and do more with less.

“There is an inherent issue in terms of realistically what they can do, how close they can get to best practice and how close they can get to being ahead of an issue. They need to take a perspective that they will be hit and invest in technology that won’t allow ransomware and malware through. A sophisticated attack could wipe out everything, including the backup infrastructure.”

And while we might have an image of a lone figure in his or her bedroom launching these attacks, Woodfine and Borley describe a much more organised enterprise. “Anyone with bad intent can buy a ransomware attack with a target in mind, have it tested by a customer support group and then have a post-attack review. This is a highly commercialised industry, this is not kids in their bedroom, this is big business,” says Borley.

While it sounds like a no-win situation, there are steps local authorities and the public sector as a whole should and can take as a matter of urgency to minimise their risks.

With limited budgets, it pays to remember employees are the first line of defence. The best place to start is end-point protection (over and above anti-virus software) using technology that deals with zero-day threats, followed by e-learning about cyber safety and ongoing communication of articles, facts, figures and blogs. It is also important to check employees have device encryption enabled and are working with secure connections.

Ensure employees who suspect they have been subject to phishing, vishing or smishing, or have any other sign that their system is compromised, know who to contact immediately. Check that they are being vigilant for suspicious requests and ask them to double check anything that raises suspicions with other colleagues or a line manager.

Other good advice includes:

  • Don’t rely solely on email for communication, use phone calls and video conferencing as well.
  • Do not give anyone your password or username at any time.
  • Regularly change home router admin logins and wi-fi password to something complex and strong.
  • Change home router names.
  • Set up a guest network for home devices to keep work networks separate if home networks are hacked.
  • Log in as an admin regularly to check how many devices are connected to the home wi-fi network and which devices they are.
  • If attacked, councils should report to the National Cyber Crime Unit or local Cyber Crime Units.

According to research, 70 per cent of all security breaches occur at end points (computers), so ensuring employees’ home devices and networks are secure is key. iESE has partnered with ACA to offer a trial of unique and patented anti-malware technology. “This is an alternative solution to anything else available at the moment.

“It is fundamentally different to what has been in place for the last ten to 15 years at end-point PC level and is guaranteed to stop ransomware attacks in particular,” says Borley. Unlike older technologies that rely on learning from previous attacks, this technology operates at a behavioural level and won’t let bad programmes execute. “With this technology in place, even if it was a zero-day attack, it would cut off the device from the network meaning a virus can’t spread,” adds Woodfine.

Dr Andrew Larner at iESE said the technology had been tested by replicating a number of serious threats, including the WannaCry cyber attack that successfully hit the NHS costing £92m. “We ran the trial once and watched WannaCry take over the network within seconds and deny access to all users. We then re-ran the trial using a version of the technology released before WannaCry was created. The threat was identified and neutralised instantaneously.

“We are now setting up a trial of this technology with ten local authorities with a view to bringing it to our wider market. If you are interested in being a trial site let us know,” he added.

Find more information at: www.iese.org.uk/project/appguard/
