Sameer Dixit 24 January 2020

Simple steps to improve cybersecurity

There is currently a pressing need in the UK to deliver more and better local government services with smaller budgets and fewer resources. The most realistic way to meet this need is through increasing digitisation of local government services. But hidden in increasing local government digitisation is a huge trap: cybersecurity.

Unless local government maintains effective control over the security and confidentiality of its data systems, digitisation will simply increase the authorities' exposure to systems penetration and data theft.

Fortunately, councils can take some very simple steps to improve overall security, limit data loss, and accelerate organisational recovery in the case of a data breach, the most important of which is to understand, anticipate, and plan for cyberattacks.

Digital transformation and service improvement

With reduced budgets and the need to provide more for less, including addressing mounting challenges in social care, the focus for councils is increasingly shifting to determining how digital services can relieve budgetary pressure and improve public services. This concern is driving a move from face-to-face interactions to web-based services, with costs falling, often significantly.

Digital technologies can also help transform delivery of social care, enabling council social workers to better manage delivery of third-party-provided social care. Such technologies can help social workers determine whether the levels of care delivered by third parties continue to be appropriate for individual needs and allow social workers to anticipate and prevent individual care crises. Greater oversight and the ability to prevent crises in individual care can play an important role in relieving NHS services and maintaining elderly clients in better health in their own homes for longer.

But the transfer of more and more council services to online portals, and the creation of extended chains of digital interactions in social care (as well as in other council services), also creates more vulnerabilities and potential targets for hackers.

Attacks on local authorities growing

Local authorities in the UK face an average of 19.5 million cyberattacks a year, according to research by the campaign group Big Brother Watch. That equals 37 cyberattacks every minute on local authorities.

While cyberattacks were once largely carried out by individuals or small criminal groups attempting to extort money or cause disruption, the attacker profile has changed. Now cyberattacks are just as likely to be carried out by organised crime groups, by terrorists, or by malevolent state actors.

In many cases, this shift means attacker objectives and behaviour have changed, making attackers far more difficult to detect and stop. Attacker skill levels are increasing, and attackers are deploying far more sophisticated technology. High-speed automated bots and IoT-related malware have replaced individual probing, resulting in cases where organisations' cyber defences can be devastated by an overwhelming attack originating inside corporate networks and systems. And worse is on the way. Attackers are shifting to AI-driven attacks, in which automation is supplemented by smart algorithms and deep learning systems. Building static defences against cognitive malware that can adapt and re-purpose itself, tying down bandwidth and CPU with spoof and feint attacks while carrying out the real penetration undetected, is almost impossible without adopting very different approaches to defending organisational data and systems.

The alteration in hacker objectives and strategy is even more worrisome than the improved technology. It means that hackers are now taking a longer view of cyber intrusion, delving deeply into organisations' systems and data. Rather than advertising their presence, today's hackers often spend months inside systems, stealing multiple data sets that, when combined, can compromise many individuals' privacy and identities.

GDPR is expanding in scope

The EU GDPR regulation that came into force in May 2018 adds another dimension to the need for local authorities to increase vigilance and maintain acceptable systems and network-wide security. What the Information Commissioner's Office (ICO) deems an acceptable level of security is a moving target that is picking up speed with time.

While in the early days of GDPR the ICO was content to allow a data breach of 6,500 records by Chelmsford Council to go without a fine, the ICO is increasingly ready to levy larger and larger fines against organisations that still haven't brought their security up to the level it expects.

In particular, the ICO expects increasingly prompt discovery and reporting of data breaches. That puts the onus on organisations to invigilate their data systems, continuously and thoroughly.

Simple steps to improving security

Despite the increasing range of cybersecurity threats that councils face, local authorities can take a number of simple steps to begin improving cybersecurity immediately.

The most important is this: take control. Don't leave things to chance.

Cybersecurity affects the entire organisation, including everyone in a council area whose personal data is held by the council. That makes cybersecurity a key issue for councils' corporate leadership teams. Change must come from the top. And that includes creating and nurturing a culture of data security throughout the authority.

Cybersecurity is just as much about the workplace habits and awareness of staff and elected members as it is about technical solutions. A culture in which staff members and elected members are vigilant and do not engage in risky practices with email, their own devices, or the Internet lies at the heart of securing the data of all council employees and stakeholders.

Councils require a solid disaster recovery plan in the event of a security compromise or a technology malfunction. Resuming normal operations as quickly as possible is essential, and councils must plan just how to achieve this.

Part of a solid disaster recovery plan is having current backups of critical applications and data. Recent ransomware attacks have included actions to corrupt or delete backup data. With hackers now targeting backup drives, backup data must, as a minimum, be encrypted.

However, councils should also move their recovery backups off site, to locations that attackers cannot access through compromised systems. Such off-site storage should allow rapid recovery of council services on new, bare-metal servers.

Councils also need a separate plan to deal with GDPR issues that might arise from a data breach. The ICO expects prompt reporting of breach incidents, and part of dealing with a data breach (or any other kind of data security incident) is immediate fulfilment of councils' GDPR legal requirements. That means documenting in advance whom to contact within the ICO and what information will be required. But it also means being able to establish very rapidly the extent of a data breach, the length of the incursion, which data records were breached, and the privacy implications of the breach.

All of these steps require that councils know when they have been compromised. Hacker strategies increasingly make it as difficult as possible for organisations to realise that they have been attacked and penetrated. To counter this, councils should carry out periodic penetration testing, and continuously scan and monitor their networks to detect suspicious or malicious activity in real time.

Vulnerability scanning and data breach emulation can help councils identify weak spots in their IT infrastructures before they are exploited. Given the sheer scale and volume of attacks on UK local authorities, it is becoming increasingly vital to automate security testing processes and carry out continuous data breach emulation and vulnerability scanning.

Taking control

Local authorities face a quandary. They must find ways to improve services, including care of the elderly and vulnerable, while making do with significantly smaller budgets and fewer resources.

Digital transformation offers a way to achieve these goals. But digital transformation can also increase exposure to increasingly sophisticated, determined, and organised hackers. Councils have no alternative but to pursue digital transformation of services. But corporate leadership teams must take the lead in cybersecurity and transform the culture of security throughout the authority.

Thorough planning and preparation must be matched by increased vigilance and surveillance. Authorities must know when they have been compromised, take immediate steps to re-secure their systems and data, and provide timely notice to the ICO of breaches under GDPR. And to achieve that, vulnerability scanning and data breach emulation must be enabled, automated, and made continuous.

Local authorities hold public data and their employees’ data on trust. Providing the best security for that data is as much a public service as any of the other services that authorities provide.

Sameer Dixit is vice president, security consulting at Spirent Communications
