A new LGA case study chronicles how our council responded to, and recovered from, the attack – starting with the shocking discovery that we had been subjected to one, despite all the preparation and mitigations that had been put in place to prevent this from happening.
The case study draws out the experiences of key members of our staff, with the aim of providing an insight into what is involved in dealing with a major cyber incident. It also highlights the lessons that were learned from the attack, something we hope other councils can use to their benefit.
The initial attack came in the form of a single ‘spear-phishing’ email – a message modified to target a specific victim and that appears to be from a trusted source.
It was inserted into an existing email chain with a supplier, making it almost impossible to detect. Once in our system, the attackers spent about a month navigating our network before stealing data and encrypting our servers with ransomware.
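As an added illustration (example code, not anything from the council or the LGA) of what a mail gateway or SIEM rule can still check when a reply is injected into a live supplier thread: the message claims membership of a known conversation via its In-Reply-To/References headers, so the check compares the sender's domain against the domains that actually took part in that thread and looks for a near-identical lookalike. The thread record, addresses and domains below are constructed sample data.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed record of a genuine supplier thread: the Message-IDs seen so far and
# the domains that have legitimately participated in it.
KNOWN_THREAD = {
    "message_ids": {"<order-1234@supplier.example>"},
    "participants": {"supplier.example", "council.example"},
}

# Constructed reply that reuses the real thread headers but comes from a
# one-character lookalike of the supplier's domain ("supp1ier" vs "supplier").
SUSPECT_REPLY = """\
From: Accounts <accounts@supp1ier.example>
To: finance@council.example
Reply-To: accounts@supp1ier.example
In-Reply-To: <order-1234@supplier.example>
References: <order-1234@supplier.example>
Subject: RE: Order 1234 - updated invoice

Please see the attached revised invoice.
"""

def domain_of(header_value):
    """Return the lower-cased domain part of an address header, or '' if absent."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def is_lookalike(candidate, known):
    """Same length and exactly one differing character, e.g. 'supp1ier' vs 'supplier'."""
    if len(candidate) != len(known):
        return False
    return sum(a != b for a, b in zip(candidate, known)) == 1

def thread_hijack_indicators(raw_message, thread):
    """Return a list of reasons this reply looks like it was inserted into a known thread."""
    msg = message_from_string(raw_message)
    sender = domain_of(msg.get("From"))
    reply_to = domain_of(msg.get("Reply-To"))
    # Message-IDs this reply claims to be answering or referencing.
    refs = set((msg.get("In-Reply-To", "") + " " + msg.get("References", "")).split())
    indicators = []
    # It ties itself to a thread we know, but from a domain that never took part in it.
    if refs & thread["message_ids"] and sender not in thread["participants"]:
        indicators.append(f"new domain in existing thread: {sender}")
    # Replies would be routed somewhere other than the apparent sender.
    if reply_to and reply_to != sender:
        indicators.append(f"Reply-To domain differs from From: {reply_to}")
    # The sender's domain is one character away from a real participant.
    for known in thread["participants"]:
        if sender != known and is_lookalike(sender, known):
            indicators.append(f"lookalike of {known}: {sender}")
    return indicators
```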
Before the attack, our council had invested millions of pounds in cyber security, systems, training, and exercises, including some designed to help staff recognise spear-phishing emails. However, this did not prevent the attack from happening.
We have therefore taken a fresh look at these areas, in light of the incident, and identified a number of learning points, which we have acted upon.
In recognition of the difficulty of spotting a targeted and sophisticated spear-phishing incident, our council has enhanced our email security with new systems.
We have also introduced a managed security information and event management system, so that any suspicious activity is now monitored and responded to in real time.
To prevent attackers from moving from server to server if they get inside our council’s systems, we have introduced network segmentation that blocks and logs unusual traffic inside our network.
As our cloud-hosted services were not affected by the attack, we have moved around 70 per cent of our services to the cloud, and will continue to assess where the best hosting is for our remaining on-premises servers.
Having robust backups and understanding the restoration process are key to recovering from a cyber attack, and we carry out regular testing and reviews of our backup processes and restoration procedures.
One of our main areas of learning was around the importance of having a specific cyber incident plan, incorporating a communications plan, rather than relying on more general business continuity plans or disaster recovery plans.
As the case study lays bare, the impact and duration of the attack and the recovery were far greater than the actions set out in those plans had been designed for.
Our council now believes it is important to plan for the worst-case scenario and is aware that the emergency we are most likely to face is a cyber incident.
However, it was not something we were able to insure the council against specifically, as we were unable to access a suitable commercial policy.
Perhaps it is time that the sector explored alternative models to traditional insurance, such as pooling or mutualisation, which are being looked into by the LGA.
‘Gloucester City Council: managing a cyber attack’ can be downloaded for free on the LGA website.