There is an urgent need to manage cyber risk to councils.
The COVID-19 crisis has been a catalyst for digital innovation within local government. However, this comes with an increased risk of cyber attacks – a risk that may cost councils millions of pounds and result in the sensitive data of our most vulnerable residents being sold on the dark web.
In light of this, the LGA has delivered security testing to a representative 10 per cent sample of local authorities, identified with the Society of Local Authority Chief Executives and the Society for Innovation, Technology and Modernisation.
This has helped us to better understand common vulnerabilities in councils, make operational recommendations, and come to strategic conclusions for local government leaders, which we are sharing to support the sector’s efforts in managing cyber risk.
For now, I would like to draw your attention to the seven strategic conclusions:
- People, process, technology – vulnerabilities stem from people and processes, as much as technology.
- Investment – underinvestment in any of the above comes at increasing cost and risk. New vulnerabilities arise, so ensure old vulnerabilities do not linger.
- Cyber leadership – decision makers and scrutiny bodies must have the cyber knowledge and understanding they need.
- Risk management – technology cannot be completely ‘de-risked’, but risks can be managed.
- Workforce – cyber security is a whole-workforce issue. Everyone must understand their role in protecting the organisation and residents.
- Readiness – expect a successful attack, and expect to be impacted by it. Plan and exercise response and recovery.
- Prioritise cyber security-related change programmes – the impact of a successful attack on services will exceed the frictional impact of change.
There has never been a more urgent need to understand and manage cyber risk. In doing so, we are more likely to protect key services and vulnerable people, and respond and recover more quickly when an incident occurs.
Councillors have a hugely important role to play in showing political leadership and making the case for investment in this area.
Cyber security may feel like a technical subject, but that doesn’t mean we can’t have useful conversations about how our councils are approaching and managing cyber risk.
Our ’10 questions a councillor could ask’ is a great place to start (see below, and bit.ly/30oRbcb).
10 questions to ask
- How does my council understand, assess, manage and remediate cyber risk, and what testing regimes, policies, processes and tools does it use?
- Do my council’s decision makers and scrutineers have the knowledge and information they need to make/scrutinise decisions relating to cyber risk?
- How do officers back up council data – is this secure, offline, and tested regularly?
- Are staff given training on their role in reducing cyber risk, and is cyber security understood as a whole-workforce issue?
- Do members receive regular cyber security updates – including on threats, incidents and near misses?
- How does my council use the National Cyber Security Centre’s tools and services?
- What are the response, recovery and continuity plans for cyber incidents, and are they exercised and tested?
- How would we deliver services if, following a cyber incident, we had no access to IT?
- What are we doing to understand and manage cyber security risk within the supply chain?
- How well connected is my council to others from which it may learn, or that may support it, in the event of an attack?