Research suggesting UK local authorities are subject to 10,000 cyber-attacks every day is a sober reminder of the need for more than incessant vigilance. In fact, the figure could be even higher. Using freedom of information requests, risk management firm, Gallagher believes the true number of attacks across all councils to be more than 11 million in 2022.
These figures should catch the eye of anyone in local government who bears the burden of responsibility for maintaining the integrity of systems and data, along with regulatory compliance. Most should be aware that – among other factors - COVID and the adoption of hybrid working patterns have made councils more vulnerable to attack. On the one hand, it has become less easy to maintain and patch systems, while on the other, hackers target homeworking personnel with phishing attacks.
Data protection is key
One area where councils need to ensure they are laser-focused is around protecting the security of their data. With GDPR (General Data Protection Regulation) being a potent regulation, data privacy is an ever-present concern for councils. It is therefore imperative that they overcome all the security threats they face to ensure full protection for the wealth of personally identifiable information they hold.
Some councils that have run into cybersecurity difficulties have responded by imposing significant contractual obligations on providers around compliance with specific regulations. It is a rolling process because legislation and regulation constantly evolve.
Another problem councils face is that their on-premises solutions are often legacy ]systems – and security often has to be added incrementally, rather than being a foundational aspect of the design. In contrast, the major investment in security measures undertaken by large public cloud providers like Amazon Web Services (AWS) and Microsoft Azure has made their systems immensely robust and powerful. As a result, data entrusted to them is likely to be far safer than information stored on a local authority computer's hard drive.
Cloud providers also conduct regular security updates, eliminating many of the most immediate concerns of public sector organisations and their security teams. It may remove the need to employ an IT expert for incessant server-maintenance.
With fully-integrated cybersecurity, there are obvious practical benefits such as reducing the chances of a council website crashing, blocking residents from applying for services, or updating their details. Aware of these developments, increasing numbers of local authorities are reassessing what they require, looking to rationalise, while thinking very hard about systems and data security. Many can see that a cloud-first approach advances the organisation towards the twin goals of digital transformation and better cybersecurity practices.
People and processes
A cloud-first approach is important, but it must run alongside new answers to questions around people and processes.
The people element is utterly critical. Every employee must take responsibility for security. Most of this hinges on training and efforts to boost security awareness to universally high levels, irrespective of whether employees are working in the back-office, are out on assignments or working remotely from home.
In terms of processes, secure data-management is non-negotiable, with encryption necessary to protect data in storage and in transit. Protection of data in storage will include, for example, the information contributed by residents to a webform, or app before it is transferred into a council’s CRM or back-office systems, ready for access by mobile employees.
Organisations must be active in securing data when it is in transit too, because this often includes highly sensitive personal or financial data. Data-encryption must comply with the latest and highest standards. It is important for all involved to know they must adapt to standards that are not static but evolve as new threats emerge from increasingly sophisticated and professional hacking organisations.
Full delivery on all these fronts requires systems and processes from providers with solutions that are significantly resilient, alongside high-quality staff training and awareness. Local authorities need to seek out collaborations with software solutions-providers that are realistically capable of delivering compliance and robust cybersecurity into the future.
The advanced, cloud-based systems these providers deliver should be intelligent enough to make recommendations and assist with decision-making. They should enable authorities to use every useful piece of data available from different sources when it comes to creating strategic and tactical plans.
Positive prospects
Looking to the future local authorities look set to face ever-more intense cybersecurity and data privacy demands thanks to remote working and the growing use of Internet of Things devices, whether for smart street lighting, parking, waste collection, or air quality. These all generate data which must be protected and securely managed to prevent access or theft by bad actors. In light of all this, ensuring an authority has robust technology and the experienced providers to deliver it, are only set to become more critical.
Andy Peart, marketing, Causeway Technologies
