Michael Burton 09 April 2018

Meeting the cyber security threat: are you ready?

Meeting the cyber security threat: are you ready? image

A quarter of local authority respondents have had a cyber security breach in the past year according to a survey by The MJ and BT which also found that most regard strong cyber security as a key part of their digital transformation strategy.

Looking at the results in detail, respondents are certainly aware of the risk of malware and ransomware which featured among their top five areas of cyber security threats.

They also named phishing attacks, accidental sharing of data in contravention of the Data Prevention Act and poor secure email.

One respondent referred to ‘the sheer weight of the number of threats being intercepted on a daily basis by the IT team.’

In the last 12 months 24% of respondents said they had suffered a cyber security breach with varying levels of damage. Some had successful ransomware defences, some had their IT teams working through the night to delete locked files and recover data from back-up and one said their council had three days of disruption of services.

Responses to such attacks were extra investment on staff training and security software and enhancement of firewalls. An overwhelming 82% of respondents expected the risk of attacks to increase over the next year, none expected them to decrease, and only 18% said the risk would stay the same. There was clear concern about the probability of a cyber-attack with almost a third on a scale of one to five (with five the highest probability) naming five and another 36% naming it as a three.

Almost 60% of respondents also agreed that the impact of a cyber-attack was potentially catastrophic while three-quarters named it as important compared to other risks.

Respondents regarded reputational damage arising from the impact of a cyber security breach as the biggest concern, followed by financial penalties, personal liability, disruption of service delivery and, loss of citizen confidence in online services and data loss.

Most respondents regarded strong cyber security as an important part of their organisation’s digital transformation strategy, with 57% naming it as a critical part. The question is how can councils mitigate the risk of cyber-attacks?

Overall, respondents felt that the two most critical ways of reducing the risks were the right security technology (73% of responses) and security awareness across all staff (77% responses).

Next in descending order were the skills and calibre of IT security staff, security governance processes, leadership from executives with responsibility for IT security, compliance with regulations, and lastly knowledge sharing with peers and partners.

Another key question is what stops an authority developing strong cyber security.

On a list of four issues, legacy systems was named as the top, followed by lack of cash for investment, lack of in-house knowledge and ‘other important priorities’.

Just over half of respondents (52%) expected their investment to increase over the next year while 33% said it would stay the same.

As to what level in the organisation cyber security is discussed, the IT department was named by 72% of respondents followed by the chief executive or corporate management team (named by 63%), then users (50%).

As for working with partners to create a cyber security strategy, 65% said they were already working with security vendors or consultants, 55% were working with other public sector organisations, 39% with law enforcement/regulatory agencies and 41% with the National Cyber Security Centre.

In conclusion, our survey confirms the risks of cyber-attack and importance of addressing the threat – but will pressures on budgets and the growing demand for services allow councils to commit sufficient resources and develop the necessary skills to combat an escalating threat, particularly with the additional need to meet the requirements of General Data Protection Regulation?

Councils and the new legislation:

Councils are aware of General Data Protection Regulation (GDPR) but there is still some way to go before everyone will be ready to meet all of their obligations

The survey also asked about the new GDPR coming into force in May. Some 82% of respondents said they were aware of this, though a surprising 18% admitted they were not.

Most respondents said they were prepared for the new regulation by having a data protection officer in place. But fewer are ready to meet other requirements such as: the right to be forgotten (18%); cleansing of legacy data (13%); tighter consent processes (23%).

Respondents thought that the new regulation would be ‘challenging,’ ‘reduce the amount of information that is stored and shared’ and is ‘significant like the arrival of Freedom of Information again.’ On the positive side, respondents said it would strengthen information governance. Respondents also raised concerns about the increased need for resources, increased administrative complexity, and the potential for non-compliance fines.

The key findings of the survey were:

• Cyber security and the threat of cyber-attack is seen as critical by local authorities.
• The threat of cyber-attack is a clear and present danger for local councils today and it is on the rise.
• The right security technology and staff awareness are seen as the two most important ways to reduce the risk of cyber-attack.
• Legacy systems and a lack of money to invest are hampering efforts to reduce the risk of cyber-attacks.
• Lack of in-house skills and knowledge is another barrier and many local councils are working or would consider working with others to combat the threat.

BT’s top cyber security experts, Mike Pannell and Neil Mellor, comment on the findings here.

For your free daily news bulletin
Highways jobs

Social Worker - SGO & Connected Person Assessment Team

Essex County Council
Special Guardianship Order (SGO) & Connected Person Assessment Team The SGO and Connected Person's Assessment Team (North & Mid) first started in Apri England, Essex, Chelmsford
Recuriter: Essex County Council

Economy & Business Service Manager 

Harborough District Council
£49,350 to £52,368
Looking for an experienced manager who understands public sector responsibilities with the proven ability to deliver our ambitions. Market Harborough, Leicestershire
Recuriter: Harborough District Council

Head of Income and Financial Inclusion

The Royal Borough of Kensington & Chelsea Council
£48,800 - £66,000 per annum
You’ll have excellent interpersonal and communication skills, with a substantial track record of successful performance management. Kensington and Chelsea, London (Greater)
Recuriter: The Royal Borough of Kensington & Chelsea Council

Advanced Practitioner

The Royal Borough of Kensington & Chelsea Council
£33.600 - £45,400 per annum
Looking for an Advanced practitioner Social workers to join the Adult social services in the... Kensington and Chelsea, London (Greater)
Recuriter: The Royal Borough of Kensington & Chelsea Council

Adult Principle Social Worker

The Royal Borough of Kensington & Chelsea Council
£36,600 - £49,600 per annum
The successful candidate will be a passionate and skilled communicator with ability to work alongside operational Social Workers and... Kensington and Chelsea, London (Greater)
Recuriter: The Royal Borough of Kensington & Chelsea Council

Public Property

Latest issue - Public Property News

This issue of Public Property examines how public sector organisations can unlock the hidden value in their land, and why a new approach to construction could help boost the outcomes of the Government’s One Public Estate programme.

The December issue also considers why learnings from ancient cities could provide the key to promoting wellbeing in the modern built environment. It also contains a case study on how the London Borough of Westminster has provided high quality care for the elderly alongside a block of luxury apartments.

Register for your free digital issue