UK councils must keep their systems and network infrastructures safe from harm at a time when cyberattacks are on the rise.
Research indicates that threat actors hit UK councils with up to 10,000 cyberattacks every day in 2022.
Indeed, a recent freedom of information (FoI) request from risk management firm Gallagher evaluated the scale of cybercrime against UK councils, with 161 local authorities sharing information. Gallagher argued that, based on the proportion of councils who shared data on cyberattacks, the size of the problem might well be significantly greater. Scaling up these figures to reflect response rates, the true number of attacks across all UK councils is estimated to be more than 11 million in 2022.
Certainly, COVID and the hybrid working environment that has followed in its wake have made councils more vulnerable to attacks, with local authority staff less able to maintain and patch council systems. Cyberhackers are seizing the opportunity to target vulnerable homeworkers with phishing attacks.
Data protection is key
One area where UK councils need to be laser-focused is protecting the security of their data. In light of regulations such as GDPR, data privacy is an ever-present concern for councils, which must ensure that they are protecting the wealth of personally identifiable information they have at their disposal.
Some councils that have had cybersecurity issues now seek to impose significant contractual obligations on providers around compliance with GDPR and other regulations. It is a constant battle because the legislation and associated requirements constantly change.
Moreover, councils’ on-premises solutions are often legacy systems – and security often has to be added incrementally, rather than being a foundational aspect of the design, as with cloud-native systems. Given all this, we are seeing growing numbers of local authorities assessing their system needs and looking to rationalise while ensuring a focus on systems and data security.
Finding a solution to help UK councils
Ultimately, any solution to these challenges has to come down to a combination of technology, people and processes.
Technology is key, of course. As soon as a council website goes down, residents can no longer apply for particular services, update their details or submit service requests. To address this challenge, UK councils are increasingly moving to a cloud-first policy for their systems. And security has to be baked into that cloud-first position.
The people element is also crucial. Security has to be everyone’s responsibility, and people are often even more important to maintaining security than the technology used to address cybersecurity. It’s all about training and ensuring that security awareness across the organisation is universally high, regardless of whether employees are working in the back office or, increasingly, on the move or remotely at home.
In terms of processes, the protection and management of data are fundamental. Encryption is essential to ensure the protection of data in storage and in transit. An example of the former requirement is the need to protect data created by residents adding information onto a web form, or an app, which is subsequently transferred into a council’s CRM system, or into the back-office system before being passed on to mobile workers.
Ensuring data is secure in transit matters too, particularly when it is sensitive personal or financial data. All of it has to be kept highly secure, which will typically involve encrypting the data and ensuring the encryption aligns with the latest and highest standards. All stakeholders also need to stay on top of the fact that these standards are not static but will evolve over time to meet emerging threats and the growing sophistication of cyberattacks.
Delivering on all this will require a potent mix of robust and resilient systems and processes, together with high-quality staff training and awareness, to tackle these threats effectively. But it will also need the council to work with a software solutions provider that is well-resourced and capable enough to deliver compliance and robust cybersecurity, not only today but also in the future.
Adopting a cloud-first approach
At the same time, of course, the modern systems these providers deliver can make recommendations, help with decision-making, and ensure that authorities are using all the available data from different sources to build strategic and tactical plans.
Adopting a cloud-first approach is also a crucial step towards both digital transformation and the implementation of better cybersecurity practices. Data entrusted to cloud service providers is highly likely to be safer than information stored on a computer’s hard drive.
The security measures undertaken by large providers like Amazon Web Services (AWS) and Microsoft Azure are demonstrably robust and powerful, the result of significant investment. Cloud providers also apply regular and consistent security updates, relieving public sector organisations and their security teams of concerns about updates while removing the need to employ an IT expert to constantly maintain their servers.
The cybersecurity and data privacy demands on local authorities are increasingly intense with the growing use of ‘Internet of Things’ (IoT) connected devices, ranging from smart street lighting and automated waste collection management to air quality monitoring. Ensuring an authority has robust technology and the experienced providers to deliver it is only set to become even more critical.
Written by Andy Peart, Marketing, Causeway Technologies