Why councils should keep cyber security high up the agenda

Published in Transform Magazine on 10/02/22

While a recent study suggests the number of cyber attacks on local authorities needing to be reported to the Information Commissioner’s Office may have fallen in 2020 compared with 2019, the damage seen in recent successful attacks highlights how this issue needs to remain high on the agenda.

A report by managed security services company Redscan estimates that UK councils reported more than 700 data breaches to the Information Commissioner’s Office (ICO) in 2020, a 10 per cent decrease on the figure it collected the previous year. The same study found that at least ten councils reported a disruption to their operations due to a breach or ransomware, however 50 councils declined to provide this data under an exemption to the FOI Act, meaning the true figure could be higher.

The report, Disjointed and under-resourced: cyber security across UK councils, made a Freedom of Information (FOI) request to 398 borough, district, unitary and county councils to find out how many had reported a data breach to the Information Commissioner due to a cyber attack. It received responses from 265 (63 per cent) and extrapolated the findings across all 398 councils.

Of the ten councils disclosing disruption to their operations, Redscan said only Hackney Council and Redcar and Cleveland were in the public domain, both of which experienced far-reaching effects according to media reports. The attack on Redcar and Cleveland is believed to have cost £10.4m, with the Government contributing only £3.68m to the bill.

The report found a link between council size and the number of data breaches, suggesting that larger councils could be a more attractive target due to the greater amount of data they hold. It found county councils experienced far more breaches than their counterparts, with these organisations reporting 4.6 breaches on average to the ICO in 2020 compared with 1.77 breaches across all councils, while one city council reported 29 data breaches.

Colin Jupe, Director of Strategy at Assurity Systems, the UK and European distributor of zero- trust endpoint and server protection solution AppGuard, said councils are being directly targeted because of the sensitive data they hold. “Working from home has significantly increased security boundaries for IT departments at a time when they were already severely overstretched. The move to more connection in terms of smart cities comes at great benefit to citizens but adds significant security challenges,” he explained.

Ian McCormack, Deputy Director for Digital Government at the National Cyber Security Centre (NCSC), said the cyber security landscape was always evolving, with the threats including ransomware and phishing. “We know local authorities can seem like attractive targets to cyber attackers because of the data they hold. Attacks can have profound and far-reaching consequences, so it is vital for cyber security to be treated as a priority so services can continue running smoothly. Over the past year ransomware has grown as the top cyber threat for UK organisations, and the impact of attacks can be very severe, affecting key services, finances and public trust,” he said.

Jupe also believes the rise in supply chain attacks is becoming more of a concern. “The increased risk for councils is made worse through the digital transformation that is taking place around the country, threat actors know that if they exploit the weakest link in any digital chain then they can move laterally across organisations and through organisations. Standard security protection is no longer enough once attackers have penetrated your supply chain, a new zero-trust approach is required.”

McCormack agrees that the supply chain is an important consideration. “Looking ahead, as technology becomes more integral to how services are delivered at a local level, it is crucial local authorities ensure that systems and services are built to be cyber resilient, and this includes building security throughout the supply chain. As we start to develop connected infrastructure and places, or smart cities, these must be secure by design. If a provider’s systems are breached in an incident, this could lead to your services and data you hold being impacted. As a first step therefore, it is crucial to understand what security risks exist in your supply chain.”

The NCSC has a wide range of resources available to assist local authorities with improving their cyber resilience and local authorities are encouraged to report any cyber attacks to the organisation too.

Jupe believes the NCSC guidelines are essential to help local authorities get themselves to a cyber resilient standard that will help them avoid disaster. “There is a minimum standard everyone has to get to so as not to have a disaster across the board and that is why the NCSC guidelines are excellent but you shouldn’t be complacent. Following the guidelines equates to good practice but it doesn’t mean you are fully protected. Whilst we don’t know for sure what protection Redcar and Cleveland had in place, for example, it has been published that they claim to have followed NCSC guidelines. This is a situation where even following best practice is good but not good enough and councils should continuously consider new technologies as part of their security in-depth approach” he adds.

While good cyber security protection combined with staff training will often be sufficient, and with traditional cyber defence systems picking up most attacks, it is the zero-day attack which is most dangerous, where the attack hasn’t been seen before – or it has and the system has not been patched.

Preparation and planning is vital regardless of the defences you choose to protect your organisation and McCormack advises practicing the response to a cyber incident. “At the NCSC we work closely with local authorities, government partners and key representative bodies in the sector to advise on good cyber security practice and bolstering resilience. It is vital local authorities make themselves a harder target by following our mitigation advice. In the first instance we urge them to make offline back-ups of the data they hold. Having an incident response plan already prepared – and available offline – is essential as it significantly helps organisations respond effectively by defining roles and necessary actions. If your organisation does not currently have a plan, we urge leaders to develop one,” he added.

Read the NCSC’s supply chain guidance here: Supply chain security guidance.

Read the NCSC guidelines on mitigating malware and ransomware attacks here: Mitigating malware and ransomware attacks.

Read the NCSC guidance on incident management: Incident management.

To find out more about AppGuard or to book a 1:1 demonstration contact: craig.white@iese.org.uk

aug21 blog

What is your biggest challenge right now?