There is currently a pressing need in the UK to deliver more and better local government services with smaller budgets and fewer resources. The most realistic way to meet this need is through increasing digitisation of local government services. But hidden in increasing local government digitisation is a huge trap: cybersecurity.
Unless local government maintains effective control over the security and confidentiality of its data systems, digitisation will simply increase the authorities' exposure to systems penetration and data theft.
Fortunately, councils can take some very simple steps to improve overall security, limit data loss, and accelerate organisational recovery in the case of a data breach, the most important of which is to understand, anticipate, and plan for cyberattacks.
Digital transformation and service improvement
With reduced budgets and the need to provide more for less, including addressing mounting challenges in social care, the focus for councils is increasingly shifting to determining how digital services can relieve budgetary pressure and improve public services. This concern is driving a move from face-to-face interactions to web-based services, with costs falling, often significantly.
Digital technologies can also help transform delivery of social care, enabling council social workers to better manage delivery of third-party-provided social care. Such technologies can help social workers determine whether the levels of care delivered by third parties continue to be appropriate for individual needs and allow social workers to anticipate and prevent individual care crises. Greater oversight and the ability to prevent crises in individual care can play an important role in relieving NHS services and maintaining elderly clients in better health in their own homes for longer.
But the transfer of more and more council services to online portals, and the creation of extended chains of digital interactions in social care (as well as in other council services), also creates more vulnerabilities and potential targets for hackers.
Attacks on local authorities growing
Local authorities in the UK face an average of 19.5 million cyberattacks a year, according to research by the campaign group Big Brother Watch. That equals 37 cyberattacks every minute on local authorities.
While cyberattacks were once largely carried out by individuals or small criminal groups attempting to extort money or cause disruption, the attacker profile has changed. Now cyberattacks are just as likely to be carried out by organised crime groups, by terrorists, or by malevolent state actors.
In many cases, this shift means attacker objectives and behaviour have changed, making attackers far more difficult to detect and stop. Attacker skill levels are increasing, and attackers are deploying far more sophisticated technology. High-speed automated bots and IoT-related malware have replaced individual probing, resulting in cases where organisations' cyber defences can be devastated by an overwhelming attack originating inside corporate networks and systems. And worse is on the way. Attackers are shifting to AI-driven attacks, in which automation is supplemented by smart algorithms and deep learning systems. Building static defences against cognitive malware that can adapt and re-purpose, tying down bandwidth and CPU with spoof and feint attacks while carrying out real penetration undetected, is almost impossible without adopting very different approaches to defending organisational data and systems.
The alteration in hacker objectives and strategy is even more worrisome than the improved technology. It means that hackers are now taking a longer view of cyber intrusion, delving deeply into organisations' systems and data. Rather than advertising their presence, today's hackers often spend months in systems, stealing multiple data sets that, when integrated, can compromise many individuals' privacy and identities.
GDPR is expanding in scope
The EU GDPR, which came into force in May 2018, adds another dimension to the need for local authorities to increase vigilance and maintain acceptable systems and network-wide security. What the Information Commissioner's Office (ICO) deems an acceptable level of security is a moving target that is picking up speed with time.
While in the early days of GDPR the ICO was content to allow a data breach of 6,500 records by Chelmsford Council to go without a fine, the ICO is increasingly ready to levy larger and larger fines against organisations that still haven't brought their security up to the level it expects.
In particular, the ICO expects increasingly prompt discovery and reporting of data breaches. That puts the onus on organisations to monitor their data systems continuously and thoroughly.
Simple steps to improving security
Despite the increasing range of cybersecurity threats that councils face, local authorities can take a number of simple steps to begin improving cybersecurity immediately.
The most important is this: take control. Don't leave things to chance.
Cybersecurity affects the entire organisation, including everyone in a council area whose personal data is held by the council. That makes cybersecurity a key issue for councils' corporate leadership teams. Change must come from the top. And that includes creating and nurturing a culture of data security throughout the authority.
Cybersecurity is just as much about the workplace habits and awareness of staff and elected members as it is about technical solutions. A culture in which staff members and elected members are vigilant and do not engage in risky practices with email, their own devices, or the Internet lies at the heart of securing the data of all council employees and stakeholders.
Councils require a solid disaster recovery plan in the event of a security compromise or a technology malfunction. Resuming normal operations as quickly as possible is essential, and councils must plan just how to achieve this.
Part of a solid disaster recovery plan is having current backups of critical applications and data. Recent ransomware attacks have included actions to corrupt or delete backup data. With hackers now targeting backup drives, backup data must, as a minimum, be encrypted.
However, councils should also move their recovery backups off site, to locations that attackers cannot access through compromised systems. Such off-site storage should allow rapid recovery of council services on new, bare-metal servers.
Councils also need a separate plan to deal with GDPR issues that might arise from a data breach. The ICO expects prompt reporting of breach incidents, and part of dealing with a data breach (or any other kind of data security incident) is immediate fulfilment of councils' GDPR legal requirements. That means documenting in advance whom to contact within the ICO and what information will be required. But it also means being able to establish very rapidly the extent of a data breach, the length of incursion, what data records were breached, and the privacy implications of the breach.
All of these steps require that councils understand that they have been compromised. Hacker strategies increasingly make it as difficult as possible for organisations to realise that they have been attacked and penetrated. To counter this, councils should carry out periodic penetration testing and continuously scan and monitor their networks to detect suspicious or malicious activity in real time.
Vulnerability scanning and data breach emulation can help councils identify weak spots in their IT infrastructures before they are exploited. Given the sheer scale and volume of attacks on UK local authorities, it is becoming increasingly vital to automate security testing processes and carry out continuous data breach emulation and vulnerability scanning.
Local authorities face a quandary. They must find ways to improve services, including care of the elderly and vulnerable, while making do with significantly smaller budgets and fewer resources.
Digital transformation offers a way to achieve these goals. But digital transformation can also increase exposure to increasingly sophisticated, determined, and organised hackers. Councils have no alternative but to pursue digital transformation of services. But corporate leadership teams must take the lead in cybersecurity and transform the culture of security throughout the authority.
Thorough planning and preparation must be matched by increased vigilance and surveillance. Authorities must know when they have been compromised, take immediate steps to re-secure their systems and data, and provide timely notice to the ICO of breaches under GDPR. And to achieve that, vulnerability scanning and data breach emulation must be enabled, automated, and made continuous.
Local authorities hold public data and their employees’ data on trust. Providing the best security for that data is as much a public service as any of the other services that authorities provide.
Sameer Dixit is vice president, security consulting at Spirent Communications