A quarter of local authority respondents have had a cyber security breach in the past year according to a survey by The MJ and BT which also found that most regard strong cyber security as a key part of their digital transformation strategy.

Looking at the results in detail, respondents are certainly aware of the risk of malware and ransomware which featured among their top five areas of cyber security threats.

They also named phishing attacks, accidental sharing of data in contravention of the Data Prevention Act and poor secure email.

One respondent referred to ‘the sheer weight of the number of threats being intercepted on a daily basis by the IT team.’

In the last 12 months 24% of respondents said they had suffered a cyber security breach with varying levels of damage. Some had successful ransomware defences, some had their IT teams working through the night to delete locked files and recover data from back-up and one said their council had three days of disruption of services.

Responses to such attacks were extra investment on staff training and security software and enhancement of firewalls. An overwhelming 82% of respondents expected the risk of attacks to increase over the next year, none expected them to decrease, and only 18% said the risk would stay the same. There was clear concern about the probability of a cyber-attack with almost a third on a scale of one to five (with five the highest probability) naming five and another 36% naming it as a three.

Almost 60% of respondents also agreed that the impact of a cyber-attack was potentially catastrophic while three-quarters named it as important compared to other risks.

Respondents regarded reputational damage arising from the impact of a cyber security breach as the biggest concern, followed by financial penalties, personal liability, disruption of service delivery and, loss of citizen confidence in online services and data loss.

Most respondents regarded strong cyber security as an important part of their organisation’s digital transformation strategy, with 57% naming it as a critical part. The question is how can councils mitigate the risk of cyber-attacks?

Overall, respondents felt that the two most critical ways of reducing the risks were the right security technology (73% of responses) and security awareness across all staff (77% responses).

Next in descending order were the skills and calibre of IT security staff, security governance processes, leadership from executives with responsibility for IT security, compliance with regulations, and lastly knowledge sharing with peers and partners.

Another key question is what stops an authority developing strong cyber security.

On a list of four issues, legacy systems was named as the top, followed by lack of cash for investment, lack of in-house knowledge and ‘other important priorities’.

Just over half of respondents (52%) expected their investment to increase over the next year while 33% said it would stay the same.

As to what level in the organisation cyber security is discussed, the IT department was named by 72% of respondents followed by the chief executive or corporate management team (named by 63%), then users (50%).

As for working with partners to create a cyber security strategy, 65% said they were already working with security vendors or consultants, 55% were working with other public sector organisations, 39% with law enforcement/regulatory agencies and 41% with the National Cyber Security Centre.

In conclusion, our survey confirms the risks of cyber-attack and importance of addressing the threat – but will pressures on budgets and the growing demand for services allow councils to commit sufficient resources and develop the necessary skills to combat an escalating threat, particularly with the additional need to meet the requirements of General Data Protection Regulation?

Councils and the new legislation:

Councils are aware of General Data Protection Regulation (GDPR) but there is still some way to go before everyone will be ready to meet all of their obligations

The survey also asked about the new GDPR coming into force in May. Some 82% of respondents said they were aware of this, though a surprising 18% admitted they were not.

Most respondents said they were prepared for the new regulation by having a data protection officer in place. But fewer are ready to meet other requirements such as: the right to be forgotten (18%); cleansing of legacy data (13%); tighter consent processes (23%).

Respondents thought that the new regulation would be ‘challenging,’ ‘reduce the amount of information that is stored and shared’ and is ‘significant like the arrival of Freedom of Information again.’ On the positive side, respondents said it would strengthen information governance. Respondents also raised concerns about the increased need for resources, increased administrative complexity, and the potential for non-compliance fines.

The key findings of the survey were:

• Cyber security and the threat of cyber-attack is seen as critical by local authorities.
• The threat of cyber-attack is a clear and present danger for local councils today and it is on the rise.
• The right security technology and staff awareness are seen as the two most important ways to reduce the risk of cyber-attack.
• Legacy systems and a lack of money to invest are hampering efforts to reduce the risk of cyber-attacks.
• Lack of in-house skills and knowledge is another barrier and many local councils are working or would consider working with others to combat the threat.

BT’s top cyber security experts, Mike Pannell and Neil Mellor, comment on the findings here.