Scrutinising cyber security

It may seem like just a technical issue for IT departments, but cyber security is crucial to the functioning of local authorities and the services they provide to residents.

Over recent years, there has been an increase in the number of cyber attacks targeting councils, as they all possess information – financial and personal data, for example – or infrastructure of interest to malicious actors.

The impact of those attacks can be devastating – costing millions of pounds to put right, and causing significant disruption to services, with many of these needing to be rebuilt in their entirety.

If a cyber attack does occur, your council may be subject to both legal and regulatory consequences. Residents may suffer through service disruption or, consequently, through a data breach.

While cyber threats cannot be completely eradicated, the risks can be significantly minimised – and good scrutiny is one way to do this, according to new guidance from the Centre for Governance and Scrutiny (CfGS), commissioned by the LGA.

It found that scrutiny can bring about positive change by identifying any gaps and vulnerabilities in your council’s current cyber security framework, policies, and procedures.

Helpfully, members of the scrutiny committee need not be IT experts, although an awareness of some introductory technical information may give councillors the confidence to engage with the wider topic in a more proactive way. They will, however, need to recognise the importance of cyber security in terms of its pervasiveness throughout the council’s departments and infrastructure.

In doing so, they will be able to subject their council’s plans to challenge and take action to promote changes of behaviour on cyber security within the organisation.

Because of the ever-changing nature of cyber threats, the scrutiny function ought to be both proactive and reactive on the matter of cyber security, the guidance suggests.

Scrutiny committees should operate on the basis that there is potential for an attack to impact on their organisation.

They should probe leadership, relevant officers, and the executive on what current preventative measures are in place, how these manage the risk, and whether they are reviewed regularly for efficacy as threats evolve and circumstances change.

Following an incident, scrutiny committees should consider what lessons can be learned from it and the organisation’s response, seeking assurance that risk of recurrence and associated impacts are minimised, and identifying future risks and vulnerabilities.

The guidance suggests key issues for scrutiny committees to consider pertaining to cyber security include: leadership and governance; risk management, including identification of cyber threats; policy, process, and practice development; cultural change; proactivity; training; working with experts; people management; response and recovery planning; and supply chains.

In research for the guide, the CfGS found that while many councils had a digital strategy that included cyber security, most had not examined cyber security through scrutiny.

Buy-in to cyber security varies from council to council, with some scrutiny committees placing a great deal of focus on the matter and reviewing their framework and procedures regularly, while others have not looked at it at all.

Unsurprisingly, real-world experience of a cyber attack has a transformative effect on councils, their members and colleagues, generating a longer-term increase in interest and a greater willingness to undertake work on cyber security more widely.

Specifically, members from such organisations advised that scrutiny could add meaningful value and bring about positive change, according to CfGS.
