Michael Burton 09 April 2018

Meeting the cyber security threat: are you ready?

Meeting the cyber security threat: are you ready? image

A quarter of local authority respondents have had a cyber security breach in the past year according to a survey by The MJ and BT which also found that most regard strong cyber security as a key part of their digital transformation strategy.

Looking at the results in detail, respondents are certainly aware of the risk of malware and ransomware which featured among their top five areas of cyber security threats.

They also named phishing attacks, accidental sharing of data in contravention of the Data Prevention Act and poor secure email.

One respondent referred to ‘the sheer weight of the number of threats being intercepted on a daily basis by the IT team.’

In the last 12 months 24% of respondents said they had suffered a cyber security breach with varying levels of damage. Some had successful ransomware defences, some had their IT teams working through the night to delete locked files and recover data from back-up and one said their council had three days of disruption of services.

Responses to such attacks were extra investment on staff training and security software and enhancement of firewalls. An overwhelming 82% of respondents expected the risk of attacks to increase over the next year, none expected them to decrease, and only 18% said the risk would stay the same. There was clear concern about the probability of a cyber-attack with almost a third on a scale of one to five (with five the highest probability) naming five and another 36% naming it as a three.

Almost 60% of respondents also agreed that the impact of a cyber-attack was potentially catastrophic while three-quarters named it as important compared to other risks.

Respondents regarded reputational damage arising from the impact of a cyber security breach as the biggest concern, followed by financial penalties, personal liability, disruption of service delivery and, loss of citizen confidence in online services and data loss.

Most respondents regarded strong cyber security as an important part of their organisation’s digital transformation strategy, with 57% naming it as a critical part. The question is how can councils mitigate the risk of cyber-attacks?

Overall, respondents felt that the two most critical ways of reducing the risks were the right security technology (73% of responses) and security awareness across all staff (77% responses).

Next in descending order were the skills and calibre of IT security staff, security governance processes, leadership from executives with responsibility for IT security, compliance with regulations, and lastly knowledge sharing with peers and partners.

Another key question is what stops an authority developing strong cyber security.

On a list of four issues, legacy systems was named as the top, followed by lack of cash for investment, lack of in-house knowledge and ‘other important priorities’.

Just over half of respondents (52%) expected their investment to increase over the next year while 33% said it would stay the same.

As to what level in the organisation cyber security is discussed, the IT department was named by 72% of respondents followed by the chief executive or corporate management team (named by 63%), then users (50%).

As for working with partners to create a cyber security strategy, 65% said they were already working with security vendors or consultants, 55% were working with other public sector organisations, 39% with law enforcement/regulatory agencies and 41% with the National Cyber Security Centre.

In conclusion, our survey confirms the risks of cyber-attack and importance of addressing the threat – but will pressures on budgets and the growing demand for services allow councils to commit sufficient resources and develop the necessary skills to combat an escalating threat, particularly with the additional need to meet the requirements of General Data Protection Regulation?

Councils and the new legislation:

Councils are aware of General Data Protection Regulation (GDPR) but there is still some way to go before everyone will be ready to meet all of their obligations

The survey also asked about the new GDPR coming into force in May. Some 82% of respondents said they were aware of this, though a surprising 18% admitted they were not.

Most respondents said they were prepared for the new regulation by having a data protection officer in place. But fewer are ready to meet other requirements such as: the right to be forgotten (18%); cleansing of legacy data (13%); tighter consent processes (23%).

Respondents thought that the new regulation would be ‘challenging,’ ‘reduce the amount of information that is stored and shared’ and is ‘significant like the arrival of Freedom of Information again.’ On the positive side, respondents said it would strengthen information governance. Respondents also raised concerns about the increased need for resources, increased administrative complexity, and the potential for non-compliance fines.

The key findings of the survey were:

• Cyber security and the threat of cyber-attack is seen as critical by local authorities.
• The threat of cyber-attack is a clear and present danger for local councils today and it is on the rise.
• The right security technology and staff awareness are seen as the two most important ways to reduce the risk of cyber-attack.
• Legacy systems and a lack of money to invest are hampering efforts to reduce the risk of cyber-attacks.
• Lack of in-house skills and knowledge is another barrier and many local councils are working or would consider working with others to combat the threat.

BT’s top cyber security experts, Mike Pannell and Neil Mellor, comment on the findings here.

Redefining what good looks like image

Redefining what good looks like

Impower’s annual top 10 list is a celebration of strong council performance, and as Jon Ainger explains, many local authorities have stepped up to the challenge.
For your free daily news bulletin
Highways jobs

Education, Health and Care (EHC) Co-ordinators

Buckinghamshire Council
£30,874 - £37,188 per annum
Interested in a career as an EHC Coordinator? Come along to our drop-in event to meet members of the SEND team and find out more about the role! England, Buckinghamshire, Aylesbury
Recuriter: Buckinghamshire Council

Principal Engineer (Highways Operations)

Kirklees Metropolitan Council
£30,507 - £38,813
Are you looking for an opportunity to work as a Principal Engineer, whilst still being able to develop your career and have a good work-life balance? Kirklees, West Yorkshire
Recuriter: Kirklees Metropolitan Council

Advanced Skills Worker - Longwood Place

Essex County Council
£26275 - £30300 per annum
This is a part time role for 21 hours a week.Essex County Council (ECC) is one of the largest and most dynamic local authorities in the UK, serving a England, Essex
Recuriter: Essex County Council

Principal Engineer (Highways Structures)

Kirklees Metropolitan Council
£30,507 - £38,813
Are you looking for an opportunity to work as a Principal Engineer, whilst still being able to develop your career and have a good work-life balance? Kirklees, West Yorkshire
Recuriter: Kirklees Metropolitan Council

Principal Engineer (Street Lighting)

Kirklees Metropolitan Council
£30,507 - £38,813
Are you looking for an opportunity to work as a Principal Engineer, whilst still being able to develop your career and have a good work-life balance? Kirklees, West Yorkshire
Recuriter: Kirklees Metropolitan Council

Local Government News

Latest issue - Local Goverrnemnt News

This issue of Local Government News explores how councils can tackle modern slavery and trafficking in their supply chains, finds out more about Cambridge's first cohousing scheme and the launch of a new project to build a shared service pattern library for local government.

This issue also contains a special focus on children's services and how councils are protecting children following local safeguarding children boards being abolished.

Register for your free magazine