17 May 2024

Business as Usual: Leicester council’s ‘streetlight’ cyber-attack

Business as Usual: Leicester council’s ‘streetlight’ cyber-attack image
Image: Thapana_Studio / Shutterstock.com.

Leicester City Council’s response to the ‘streetlight’ cyber-attack was an example of an effective business continuity plan, says Billy Ruston, Resilience Consultant, Protection Group International (PGI).

We know that local authorities are increasingly under threat from cybercriminals. According to the Information Commissioner’s Office (ICO), attacks on local authorities have increased 24% between 2022 and 2023. The data held by organisations in the public sector and the critical nature of the services they provide the public means that they are incredibly tempting targets for cybercriminals and bad state actors alike.

The attack on Leicester City Council, whilst described as highly sophisticated, seems typical of many of the attacks targeting local authorities. Before the Leicester attack, we saw councils in Kent hit by a number of cyber-attacks at the beginning of 2024, St Helen’s council was hit by a ransomware attack in August 2023 and several British regional councils were affected by the attack on supplier Capita which was also exposed in 2023.

It is clear then that councils are under threat, directly and via supply chain partners and the number of attacks and consequences of them mean that they are increasingly headline news. This has two impacts. It decreases public confidence in their local authorities (one of the key objectives of bad state actors) and also means that general assumptions are being made about the nature and consequences of the attacks.

Councils have statutory duties under the Civil Contingencies Act, 2004. One of the statutory duties of the Civil Contingencies Act is to put in place Business Continuity Management arrangements. However, councils should not only be implementing such procedures just because it is a part of the Act.

Business Continuity planning is a good idea for all organisations whether it is a legal requirement or not. Business Continuity ensures that an organisation’s critical activities can continue at predefined service levels and within acceptable timeframes following a business disruption, such as the cyber-attack that Leicester City Council suffered.

What we have seen with the Leicester case is the Business Continuity plan coming into action. Although the headlines focused on the negative point that streetlights remained on, it was actually a strategic decision on behalf of the Business Continuity team at the council.

For local authorities, it is not acceptable to stop providing services that ensure the health, safety and welfare of their residents. It would have become clear that if systems failed then it was preferable to have the streetlights remain constantly on, ensuring the safety of the public. It is a positive reflection on the Business Continuity plan in place rather than a negative impact of the cyber-attack which the headlines focus on.

There are multiple interrelated stages to consider when implementing a business continuity management system and developing plans and incident response processes. The planning process starts with an analysis to define critical activities and understand the threat landscape. The planning process ends with validation, testing that the Business Continuity plans are effective and align with business objectives, practising response processes with key stakeholders and identifying opportunities and areas for improvement.

The key to successful Business Continuity plans is that it is not regarded as a one-off exercise but needs to be continuously monitored and improved. The Leicester example shows how ongoing testing has allowed a local authority to ensure front-line services and the safety of the public are prioritised in the event of disruption. However, for other councils having the ability or in-house expertise to ensure that Business Continuity plans are implemented and regularly tested is beyond their means. Some are turning to consultancies that can provide the expertise and experience to help local authorities have some peace of mind and importantly roll-out plans if the worst happens.

SIGN UP
For your free daily news bulletin
Highways jobs

Residential Assistant

Essex County Council
£25081.00 - £25395.00 per annum
Residential AssistantPermanent, Full Time£25,081 up to £25,395 per annumLocation
Recuriter: Essex County Council

Senior Planning Officer

Durham County Council
Grade 11 £39,513 to £43,693 Grade 12 £42,708 to £46,731 per annum (Pay Award Pending)
Durham County Council is looking for experienced and knowledgeable Senior Planning Officers to join our vibrant Development Management team. Our team Durham
Recuriter: Durham County Council

Head of Service – Social Care

Wrexham County Borough Council
G15 £63,148 - £67,058 per annum
There is an exciting opportunity within Children Social Care to join the senior management team Wrexham (Wrecsam)
Recuriter: Wrexham County Borough Council

Head of Service Social Work & Specialist Support

Blackburn with Darwen Borough Council
Grade M scp 60 £72,118 - scp 64 £77,293
There couldn’t be a more exciting time to join us. Blackburn, Lancashire
Recuriter: Blackburn with Darwen Borough Council

Cafe Assistant - Weald Country Park

Essex County Council
Up to £13.3000 per hour
Café Assistant (Weald Country Park)Contract
Recuriter: Essex County Council
Linkedin Banner