How local authorities can improve their cyber health

The cyber threat is no longer a new phenomenon, and awareness of the urgent need for effective cybersecurity is growing among businesses, organisations and individuals.

However, even though more organisations than ever are taking steps to better protect their systems, networks, data and users from hackers, cybercrime is still far too prevalent.

Just two years ago, a report found that a fifth of all public sector organisations reported falling victim to cyber-attack in the UK. More recent research estimates that around 11% of all cyber-attacks involve public sector organisations.

It has prompted the UK’s Government’s Local Digital Cyber team to develop a framework for public authorities to adopt to help improve their cybersecurity. The team, which sits in the UK Government’s Department for Levelling Up, Housing and Communities, was established to help public authorities improve their local digital services for users and taxpayers.

It’s framework followed a major survey of 237 local authorities across the UK, which identified several urgent issues which needed addressing.

The survey found that while many local authorities adopted cyber standards, there was no clear baseline – in other words, each authority seemed to be ‘doing its own thing’ rather than adhere to standard best practices.

It noted that an effective cyber baseline for local authorities was needed that encompasses culture, leadership and ‘cyber-first’ processes. Leadership support will be vital in embedding these standards and best practices across each organisation.

It also found that local authority leaders needed to better understand the cyber risk to inform their decisions and that legacy technology is a critical block to achieving better cyber health.

The research concluded that there is an opportunity for councils to collaborate to achieve greater security.

Why is cybersecurity important?

Cybersecurity is vital for all businesses and organisations, not just those operating in or serving the public sector.

It protects all categories of data from theft and damage, including customer data, employee records, personally identifiable information, protected health information, personal or financial information, intellectual property, information systems. In the UK public sector cyber security is particularly important as regards Critical National Infrastructure. Cybersecurity also helps keep an organisation’s software and applications, networks, servers, and users safe.

Without a robust cybersecurity strategy in place and the applications and technology to support it, an organisation cannot defend itself against data breaches, hackers and cybercriminals.

The risk is increasing, and the threat is continually evolving. Enhanced global connectivity and the use of cloud services like Amazon Web Services, to store sensitive data and personal information are driving the change. Poor configuration of cloud services coupled with increasingly sophisticated cybercrime techniques means the risk is very real. 

IT leaders can no longer solely rely on out-of-the-box cybersecurity solutions like firewalls or antivirus or antimalware software because cybercriminals are evolving their tactics to get through conventional cyber defences.

To combat this, organisations need to take a blended approach of utilising advanced and multi-layered cybersecurity solutions, better staff awareness and training and keeping up to date with the latest information on emerging threats and best practice.

Staying ahead of the evolving threat is also essential, and public sector organisations still have a way to go in this respect. Historically, security strategies focused on preventing hackers from getting in. Now, organisations must proactively attempt to control what those who are in the network are able to do, based on an analysis of their identities and actions. Artificial intelligence and machine learning should also be utilised to detect active threats across multiple systems and users.



What cybersecurity issues are affecting local councils?

It is common knowledge that many UK public sector organisations have been behind the 8-ball for a long time on cybersecurity and digital adoption compared to their private-sector counterparts.

With local authority IT departments overstretched and under-resourced, investing in modern digital technologies has often been viewed as an afterthought.

However, the global COVID-19 pandemic highlighted the critical role that public services play and exposed how vulnerable many of them are to cybercrime.

The WannaCry attack on the Irish health service is one of the most high-profile cybersecurity incidents in recent memory, but more minor incidents, such as MPs using personal email accounts for Government business, and schools receiving laptops with malware on them, shows that cybersecurity needs to be taken more seriously at all levels of the public sector.

So, organisations need to act quickly to implement the strategies and technologies that will enable them to protect their networks, data, employees and service users.



What steps do councils need to take to improve their cybersecurity?

There is evidence of both good and bad cybersecurity practices across local authorities, and because these organisations vary in size, function and context, there is no single solution that could solve

the cyber risk problem at all local authorities.

However, once implemented, the Local Digital Cyber Team’s new framework will go a long way to helping local authorities adopt a common approach to cybersecurity, to achieve the following:

  • Mitigate exposure to risk
  • Protect systems, data and users from the threat of attack
  • Respond to cyber-attacks appropriately
  • Recovering quickly from a cyber-attack

There is a risk that all this effort will be seen as a box-ticking exercise by Government and the public sector, that won’t make any meaningful difference on the ground.

For many years, PSN compliance has driven ICT security in local government. However, more  recently, security has been driven by the GDPR, Cyber Essentials and the need to be seen to comply.

However, this creates huge issues for local authorities, because how do you force a council that’s struggling with a budget deficit to properly invest in its cybersecurity, rather than do it just to get a  tick in the box and meet an arbitrary target set by Government?

Cybersecurity is often viewed as a technical issue rather than a business issue, so it is often not seen as being everyone’s responsibility. It’s also made up of many interrelated aspects, and the potentially overwhelming amount of guidance and information out there often leads to confusion and a lack of clarity.

However, for public sector organisations looking to enhance their cyber health and build their resilience, they should take three things into consideration – people, processes, and technology.


🔷 People

The most significant risks to an organisation’s cybersecurity are often created by its employees. However, well-informed and adequately trained staff can be a crucial first line of defence against cyber-attack. So, equipping staff with a good level of knowledge about cybersecurity and potential threats is essential. So, too, is encouraging them to report incidents quickly and ensuring they adhere to best practice around the safe use of equipment, devices and software, to help your organisation create a robust cyberculture.   

One of the keys to solving the problem is having senior leaders within local authorities who are responsible for cybersecurity and information security, who actually understand what they are responsible for. These need a seat at the top table and enough authority to deliver on their responsibilities.

A recent trend across the public sector has been to reduce the seniority of the most senior ICT staff member from a director-level role to a head of department level role. This diminishes the responsibility and priority of ICT within an organisation and means there is no-one at senior executive level to ensure the right decisions are made or explain the consequences of making poor decisions. Ultimately, it’s the public who lose out by reduced service and increased cost of remediating issues which could have been avoided with the right people at the helm.


🔷 Processes

Your organisation’s processes are vital to implementing an effective cybersecurity strategy. Well-defined cybersecurity and access control policies are essential in detecting and preventing threats, addressing security vulnerabilities and mitigating risk.


🔷 Technology

If you’ve got the right policies and procedures in place, and your people know how to implement and follow them, then technology is the last piece of the cybersecurity jigsaw.

There’s a host of technologies available to enable public sector organisations to build a multi-layered cyber defence.

The key is to identify the most common risks your organisation faces and the controls that need to be implemented, before selecting the best technologies to support them.

While the public sector has made progress on the cybersecurity agenda, it’s clear there is still a long way to go.

However, things are moving slowly in the right direction, with public sector organisations gaining greater knowledge and understanding of the minimum levels of cybersecurity to reach, they can start to devise a path to build greater resilience.


If you enjoyed this blog and want to learn more about how we can help your organisation improve its cybersecurity, give us a call on 01332 322588. And if you would like to stay up to date with the latest news, views and insight on everything going on in the ICT and technology sector, subscribe to our FREE email newsletter.

Want to know more?

Why not contact us to arrange a FREE consultation to talk about your ICT needs and how they could best be met?