Local councils face a growing threat of a cyberattack. Between September 2020 and August 2021, 40% of cyber-attacks were aimed at the public sector, according to the National Cyber Security Centre which responded to 777 cyber-attacks during this period.
Behind the figures lies devastating impacts on cash-strapped local councils. Redcar and Cleveland Borough Council faced £10m of costs following a 2020 ransomware attack, Hackney Council had data published online by criminals, and last year Gloucester County Council fell victim to Russian hackers, a problem that persists today, with the council unable to receive emails from their City counterparts.
In response, the UK Government is investing £37.8 million of additional funding to tackle cyber security challenges facing local councils to protect vital services and data, alongside targeted investment in essential government departments. As part of this investment, the Government is encouraging organisations to improve their internal cyber security, including a ‘Mail Check’ procedure to help organisations assess their email security compliance and adopt secure email standards.
It is hoped these guidelines will help prevent accidents experienced by several councils when sending email. Examples include Tower Hamlets who unwittingly exposed thousands of constituent email addresses, and Havering Council who accidently leaked over 2000 email addresses in 2015, breaching the Data Protection Act. Similarly, Cheshire West and Cheshire Council leaked 1,300 private email addresses this year when, as with the incident at Tower Hamlets, an employee failed to use the BCC function when delivering a mass email.
The takeaway here is that inbound threats aren’t the only cause for concern. In fact, 62% of employees admit to making an email error, whether by sending the wrong email attachment, accidentally using ‘reply all’, or mistakenly including the wrong recipient. And although external cyber threats capture the imagination and the headlines, basic email mistakes committed in-house remain the leading cause of data incidents today according to the ICO.
Here are my tips on how to make your local authority more cyber secure:
1. Beware basic mistakes
The ICO’s recent data security incident trends report shows that unintentional data disclosures most commonly originate from accidents such as a misaddressed or misdirected email. These incidents usually happen due to the auto-complete feature of email addresses, a lack of encryption devices on PDFs and file attachments, and human error, which can be compounded by remote working.
Today many of us use Microsoft Office (O365) which is incapable of analysing or storing the relationship between email content and recipient; or providing a warning to encrypt sensitive data. Without the functionality to prevent misaddressed emails or implement the appropriate protection, data is at risk.
Of equal importance is instilling good security procedures for your staff. Do not assume they know the basics. Make sure they understand the difference between CC and BCC, and encourage them to double check, and check again the emails they are sending. If they are unsure about sending or opening an email, then encourage them not to do so. Prioritise security over expediency.
2. Prevent interception
To avoid email interception, ensure that attachments and data are encrypted during transit, and that the correct information reaches the intended destination. Many organisations will use STARTTLS, an email protocol command that tells an email server that an email client wants to turn an existing insecure connection into a secure one. However, even if STARTTLS is used, it is not considered to be the most secure preventative security measure. Despite its use in 2020, 12% of emails were still delivered unencrypted. Interceptions such as man-in-the-middle attacks can often be overlooked. In these types of attacks, threat actors exploit vulnerabilities during the transit to the recipient. This attack can only be mitigated by using DNS-based Authentication of Named Entities (DANE). Although O365 has recently deployed its support of DANE, it still misses the fallback of encryption when STARTTLS is unavailable, and does not have plans to integrate this highly requested feature.
3. Implement zero-access to vendors and third parties
No one should have access to data that isn’t intended for them, including vendors. While organizations must deal with vendors or third parties, this does leave data vulnerable to employee threats, inbound attacks, and even subject to government access requests. This is because third parties often possess encryption keys (a copy or derivative) that provides the government with the option to access data upon request. Unfortunately, this makes Microsoft an attractive hub for hackers and insider threats. Using alternative software providers that do not keep encryption keys can negate this issue.
4. Use recipient authentication
Two-factor authentication(2fa) is one of the most essential security measures used today. The two-step verification approach prevents unauthorised access to your data. In the event that you have a weak password, hackers would also need access to a second verification method, such as a code or biometric feature (i.e. a fingerprint or facial scan) to gain access – both of which are very difficult to retrieve.
Although O365 offers some preventative measures, 2fa recipient authentication isn’t one of them. Without two factor authentication, guest recipients’ mailboxes are reliant on one factor authentication making them vulnerable to phishing attacks. The take away? Always use multifactor authentication to access your systems.
5. Limit and understand the impact of a mistake
Even with highly accurate and advanced Data Loss Prevention (DLP) systems, mistakes are inevitable. The step thereafter is to limit their impact with remedies such as email recall and the ability to assess and control the impact of the information leak. This includes ascertaining whether the recipient has accessed the message and/or attachment. In O365, keep in mind that email recall only works for recipients who did not receive the email in Outlook Desktop and Office365, which makes limiting an incident particularly difficult.
6. Large file support
It is becoming increasingly common amongst users to share files or folders with sensitive data over email. Sensitive files must be protected, so it is important to utilise software packages that support encrypted file sharing over 30 megabytes. This will discourage employees from sending sensitive files unencrypted, which are vulnerable to cyber-attack.
7. Create a more secure guest recipient experience
Internal communications are often protected, but external contractors or guest recipients who do not share the same system can have limited account creation, message operations, and message initiation options. This forces guests to create an account, potentially resulting in weak passwords. If an account isn’t created, guests or contractors may not be able to onboard as effectively. Choose a software package that empowers guests to create their own account, download a message or send a copy to their inbox, or lets a third party initiate a message within an organisation. This can lead to higher email opening rates, responses and more security when sending emails.
So, what now?
Keep in mind that your email and online security is only as good as the people implementing it. That’s why ongoing, organisation-wide security training, and persistently instilling good email practice, is essential in supporting your cyber security, particularly as your team may be overstretched, working remotely, new to the job, or are contractors. That is why safety must be a priority over expediency. An email can be delivered in seconds; there is no need to rush it.
Implementing smart email security solutions to empower employees can prevent internal and external cyber threats. Secure large file transfer capabilities, advanced encryption, seamless integration to mailboxes, and instant recall are just a few solutions organisations can use to safeguard their digital communications. By making digital security effortless for people, security best practice becomes a lifestyle for every employee, not just a culture.
Rick Goud is CIO and co-founder of Zivver.
