Managing cyber security risks

Cyber criminals will continue to attack councils and the vital public services they deliver.

The COVID-19 pandemic has led to drastic increases in remote working arrangements, major IT changes and further accelerated digital transformation, which councillors have embraced and championed across the country. 

However, this shift from business as usual has resulted in an increase in the number of cyber security vulnerabilities for councils. 

There is also an increased threat to councils due to a range of malicious cyber criminals looking to exploit the opportunity to generate money and cause disruption, which means that councils are more likely to be the victim of a successful attack. This was confirmed in a recent report from the National Cyber Security Centre (NCSC).

Cyber security is not a very accessible term and many of us tend to switch off when it’s mentioned. However, for local authorities, the impact of a cyber incident is very real, with attacks growing in number and sophistication.

A recent, successful attack on a small borough council led to the complete loss of all key IT systems, all network services and almost all IT equipment (laptops, mobile devices), with £2.5 million spent on recovery so far.

Local authorities will likely continue to be an attractive target because of the data they hold and their links with government and the NHS. 

Therefore, there has never been a better time to understand and manage the risks. In doing so, we are more likely to protect key services, and be able to respond and recover more quickly when an incident occurs. Essentially, for councils, cyber security is about protecting the critical public services delivered for some of the most vulnerable in society. 

In 2018, the LGA was awarded three years of funding from the National Cyber Security Programme to work with English local authorities to improve their cyber security, and similar work is going on in Wales, funded by the Welsh Government and facilitated by the Welsh LGA.

The programme provides support to councils to improve their cyber security. It focuses on delivering sustainable cultural change within councils that both directly improves cyber security and indirectly leads to members and officers viewing it with increased importance. 

So far, the programme has delivered four phases of grant funding, totalling £3.2 million, and has worked with 90 per cent of councils. The funding has been targeted towards improving leadership, governance and awareness; most recently, we funded more than 80 per cent of councils to gain key cyber security qualifications.

But there are things we can do as individuals to better protect ourselves, and questions we can ask, as elected representatives, to ensure our councils are digitally secure for the communities we serve (see box, below). The role of community leadership should not be undervalued here. 

Reducing the risks

When it comes to cyber security:

  • educate yourself – specific training for councillors is available
  • use strong passwords – see www.ncsc.gov.uk/ for advice
  • report suspicious emails, websites and links to the NCSC via report@phishing.gov.uk, then delete them, and don’t click on links.

Ask your officers:

  • for regular cyber security updates – including on threats, incidents and near misses
  • for sight of response, recovery and continuity plans – and volunteer to take part in tests of these plans 
  • how the council is protected against ransomware 
  • how officers back up council data – are there secure offline back-ups?
  • about the council’s use of free NCSC services. 

If you have any questions about cyber security, please email our team at cybersecurity@local.gov.uk.
