Michael Burton 09 April 2018

Meeting the cyber security threat: are you ready?

Meeting the cyber security threat: are you ready? image

A quarter of local authority respondents have had a cyber security breach in the past year according to a survey by The MJ and BT which also found that most regard strong cyber security as a key part of their digital transformation strategy.

Looking at the results in detail, respondents are certainly aware of the risk of malware and ransomware which featured among their top five areas of cyber security threats.

They also named phishing attacks, accidental sharing of data in contravention of the Data Prevention Act and poor secure email.

One respondent referred to ‘the sheer weight of the number of threats being intercepted on a daily basis by the IT team.’

In the last 12 months 24% of respondents said they had suffered a cyber security breach with varying levels of damage. Some had successful ransomware defences, some had their IT teams working through the night to delete locked files and recover data from back-up and one said their council had three days of disruption of services.

Responses to such attacks were extra investment on staff training and security software and enhancement of firewalls. An overwhelming 82% of respondents expected the risk of attacks to increase over the next year, none expected them to decrease, and only 18% said the risk would stay the same. There was clear concern about the probability of a cyber-attack with almost a third on a scale of one to five (with five the highest probability) naming five and another 36% naming it as a three.

Almost 60% of respondents also agreed that the impact of a cyber-attack was potentially catastrophic while three-quarters named it as important compared to other risks.

Respondents regarded reputational damage arising from the impact of a cyber security breach as the biggest concern, followed by financial penalties, personal liability, disruption of service delivery and, loss of citizen confidence in online services and data loss.

Most respondents regarded strong cyber security as an important part of their organisation’s digital transformation strategy, with 57% naming it as a critical part. The question is how can councils mitigate the risk of cyber-attacks?

Overall, respondents felt that the two most critical ways of reducing the risks were the right security technology (73% of responses) and security awareness across all staff (77% responses).

Next in descending order were the skills and calibre of IT security staff, security governance processes, leadership from executives with responsibility for IT security, compliance with regulations, and lastly knowledge sharing with peers and partners.

Another key question is what stops an authority developing strong cyber security.

On a list of four issues, legacy systems was named as the top, followed by lack of cash for investment, lack of in-house knowledge and ‘other important priorities’.

Just over half of respondents (52%) expected their investment to increase over the next year while 33% said it would stay the same.

As to what level in the organisation cyber security is discussed, the IT department was named by 72% of respondents followed by the chief executive or corporate management team (named by 63%), then users (50%).

As for working with partners to create a cyber security strategy, 65% said they were already working with security vendors or consultants, 55% were working with other public sector organisations, 39% with law enforcement/regulatory agencies and 41% with the National Cyber Security Centre.

In conclusion, our survey confirms the risks of cyber-attack and importance of addressing the threat – but will pressures on budgets and the growing demand for services allow councils to commit sufficient resources and develop the necessary skills to combat an escalating threat, particularly with the additional need to meet the requirements of General Data Protection Regulation?

Councils and the new legislation:

Councils are aware of General Data Protection Regulation (GDPR) but there is still some way to go before everyone will be ready to meet all of their obligations

The survey also asked about the new GDPR coming into force in May. Some 82% of respondents said they were aware of this, though a surprising 18% admitted they were not.

Most respondents said they were prepared for the new regulation by having a data protection officer in place. But fewer are ready to meet other requirements such as: the right to be forgotten (18%); cleansing of legacy data (13%); tighter consent processes (23%).

Respondents thought that the new regulation would be ‘challenging,’ ‘reduce the amount of information that is stored and shared’ and is ‘significant like the arrival of Freedom of Information again.’ On the positive side, respondents said it would strengthen information governance. Respondents also raised concerns about the increased need for resources, increased administrative complexity, and the potential for non-compliance fines.

The key findings of the survey were:

• Cyber security and the threat of cyber-attack is seen as critical by local authorities.
• The threat of cyber-attack is a clear and present danger for local councils today and it is on the rise.
• The right security technology and staff awareness are seen as the two most important ways to reduce the risk of cyber-attack.
• Legacy systems and a lack of money to invest are hampering efforts to reduce the risk of cyber-attacks.
• Lack of in-house skills and knowledge is another barrier and many local councils are working or would consider working with others to combat the threat.

BT’s top cyber security experts, Mike Pannell and Neil Mellor, comment on the findings here.

SIGN UP
For your free daily news bulletin
Highways jobs

Senior Practitioner - Homeless Youth Specialist

Essex County Council
£39168 - £42254 per annum + + Free Parking & Great Benefits
You will need to undertake assessments and work closely with 16/17 year old young people that are considered by the council as homeless or potentially England, Essex, Basildon
Recuriter: Essex County Council

ASC Social Worker - Colchester Hospital Team

Essex County Council
£30906 - £42254 per annum
This is a full time role for a fixed term of 6 months. Essex County Council continues to review its ways of working during the ongoing Covid-19 pand England, Essex, Colchester
Recuriter: Essex County Council

Social Worker – Safeguarding Team

North Yorkshire County Council
£30,451 - £35,745 per annum pro rata 
We are looking for experienced or newly qualified Social Workers to join our highly regarded and... Selby, North Yorkshire
Recuriter: North Yorkshire County Council

Chief Executive

Sandwell Children's Trust
c.£140k
This is an exciting proposition for a senior leader who is able to take us to the next level in our improvement journey. Sandwell, West Midlands
Recuriter: Sandwell Children's Trust

Experienced Social Workers

Kirklees Metropolitan Council
£30,507 - £38,813
We are currently recruiting experienced social workers. Sandwell, West Midlands
Recuriter: Kirklees Metropolitan Council

Public Property

Latest issue - Public Property News

This issue of Public Property examines how how flexible workspaces can lead the way in regeneration for local authorities, Why local authority intervention is key to successful urban regeneration schemes and if the Government’s challenge of embracing beauty is an opportunity for communities.

The March issue also takes a closer look at Blackburn with Darwen Council's first digital health hub to help people gain control over health and care services.

Register for your free digital issue