Rick Goud, CIO and Founder at Zivver discusses how local authorities can improve their cyber resilience.
Local councils in the UK are continuously failing to grapple with the growing threat posed by cybercriminals targeting their ill-equipped digital defences.
According to the ICO (Information Commissioner’s Office), cyber-attacks on local authority increased by 24% between 2022 and 2023, with personal data breaches skyrocketing by 58% in the same period.
According to one study, 161 councils were hit by over 2.3 million cyber-attacks in 2022 alone, with three-quarters of incidents arising due to phishing scams.
In a recent UK-wide survey of senior council leaders, nearly two-third of respondents acknowledged that their approach to cybersecurity was “outdated,” with over a quarter reporting a failure to make any progress.
Cyber-threats strike the very hearts of communities, causing essential services to go offline and disrupting fundamental social functions.
The Local Government Association (LGA) and tech giants such as Microsoft have acknowledged the scale of the problem, carrying out thorough assessments to understand how security standards can be improved and which preventative tools should be deployed.
Councils are finding it increasingly challenging to detect social engineering and email phishing scams, in which fraudsters pose as legitimate contacts to obtain sensitive information from employees.
This can be partially attributed to insufficient employee awareness, training and effective phishing countermeasures but also stems from the emergence of generative AI and the heightened sophistication of attacks.
One incident seen at Leicester City Council took phone lines and IT systems offline for days while it dealt with the repercussions of a security breach.
Meanwhile, Kent City Council was successfully targeted by hackers 13 different times in the last three years, resulting in 2,452 personal details being compromised and more than £16,000 being paid in compensation for data breach claims.
This further highlights the extensive financial and reputational damage a breach can cause is the 2020 ransomware attack on Hackney Council. With £12 million worth of damages, this incident stresses the burden placed on taxpayers by councils failing to improve cyber resilience.
Local councils must navigate a complex cybersecurity landscape, marked by the dual challenges of managing highly sensitive personal data and maintaining the unwavering trust of the public.
The nature of their services requires access to and protection of extensive amounts of confidential information, from personal resident details to financial records, making them prime targets for cyber attacks.
Compounding these challenges are often outdated IT systems and constrained budgets dedicated to cybersecurity efforts.
One publication refers to UK councils being stuck in an “IT time warp”, grappling with legacy architecture or even paper-based systems to deal with citizen requests.
Many local authorities find themselves wrestling with the need to modernise their digital infrastructure while simultaneously guarding against an ever-evolving array of cyber threats.
This delicate balancing act underscores the pressing need for strategic investments in cybersecurity measures that can effectively protect against both current and future risks.
The human element remains a critical vulnerability in cybersecurity, often cited as the weakest link in even the most robust security frameworks.
A recent example includes the Channel Islands when the States of Guernsey reported that a civil servant had unwittingly sent a customer the health debt records of more than 5000 citizens.
Unfortunately, these examples of human error are part of an overall trend, as an estimated 95% of cyber attacks succeed because of human error.
Humans will always be fallible and prone to error, but there are ways to mitigate the risk of human mistakes and safeguard data.
Effective communication on the importance of secure practices, alongside regular training on the latest cyber threats and safe data handling protocols, plays a pivotal role in enhancing an organisation’s overall cybersecurity posture.
Beyond that, deploying technological solutions such as multi-factor authentication (MFA) to verify users, zero-key architecture which automatically encrypts sensitive emails so that they can only be read by their intended recipient and advanced phishing filters, can all make a difference to the level of risk employees are exposed to.
The Leicester City Council incident stresses the importance of rapid response and effective communication following a breach.
The council’s decision to shut down IT systems to contain the threat serves as a case study in taking decisive action to mitigate further risk.
Their collaboration with cybersecurity, law enforcement, and other councils highlights the value of shared knowledge and resources in responding to cyber incidents.
Adopting basic yet effective cybersecurity measures can significantly bolster the defences of local councils against cyber threats.
Regular software updates, the implementation of multi-factor authentication, and the utilisation of encrypted communications are foundational steps that can prevent unauthorised access and secure sensitive data.
These practices, along with a proactive approach to cybersecurity, ensure that councils are not only protecting their current systems but are also laying the groundwork for a more secure and resilient digital infrastructure.