Councils failing on cyber-security, say campaigners

News by Mark Mayne

UK councils are suffering from a lack of training in the face of a vast number of cyber attacks, averaging 37 attacks per minute, according to a new report.

More than 25 percent of UK councils have suffered a breach of their systems in the last five years, according to a report from privacy group Big Brother Watch.

The group submitted a range of freedom of information (FOI) requests, and found that 114 councils experienced at least one incident between 2013 and 2017. Of those, 25 reported they had experienced data loss as a result.

The report estimates the number of cyber-attacks on local authorities at 98 million between 2013 and 2017, or an average of 37 attacks per minute.

The most common successful method of compromising a UK council system is a phishing email, according to the data, which consists of responses from 395 local authorities.

Raj Samani, chief scientist and fellow at McAfee said: “One of the greatest concerns around today's news that such a great number of council computer systems have been breached is the previous lack of communication around these attacks. Unless made aware, potential victims – the citizens that they're serving – are unable to protect themselves, whether by changing passwords or more closely monitoring for instances of fraud.

“Unfortunately, few public sector organisations have the budget to invest in greater human resources to combat the growing cyber threat. Instead, IT and security teams are having to take more intelligent approaches to solving the problem. One way is through automating certain processes, removing simple repetitive activities that enable them to put their energy into planning their defences against the wider threat landscape.”

The report found that three-quarters of councils did not provide mandatory cyber-security training, and 16 percent did not provide any at all. Rob Wilkinson, local government security specialist, Smoothwall told SC Media UK that he agreed that training will increasingly be a key element for councils and business alike: “I would strongly urge all local governments to shore up their web security measures, but this is an educational exercise as well. Employees who work at these councils aren't necessarily being trained properly to spot a phishing attack. It only takes one slip for a hacker to gain access to the organisation's systems, so a thorough and consolidated cyber-training programme is an absolute must for any governmental body in 2018 and beyond.”

Patrick Hunter, director, One Identity took a sympathetic stance: “When articles like these are published we're supposed to be shocked and dismayed at the poor level of protection put in place by our councils. They are going to be the hardest hit, always. They are the keepers of much of our personal data and also, sadly, they are then imitated to try and fool the general public into clicking things that they shouldn't. We only have to look at the funding and spend on public sector security to know that they are on the case but keeping up with a determined hacker is always going to be hard. This is true even in the private sector.

“The councils have confirmed that there has been data loss and yet we can see that it is the human aspect that has let them down. They know they need more training and they need to work with the National Cyber Security Centre to get the best protection our personal data can get. Let's hope they get on and fix that final aspect of security – us, the people.”

However, as the May 2018 deadline for conformity with the new GDPR regulations draws closer, it is certainly the case that public bodies and enterprise alike need to sharpen up on new, more demanding data retention and breach notification legislation.

Andy Norton, director of threat intelligence, Lastline said: “The onset of GDPR in May could very well be a breaking point for Local Government. According to a survey done by the society for internet practitioners in the Public Sector in 2017, 2.4 percent of authorities' revenues get spent on IT. It is already an austere situation of local authorities and the risk exposure to GDPR fines is largely unmanaged with the current level of protection being far from state of the art.”

Anthony Chadd, senior director, EMEA, Neustar told SC Media UK that public bodies could do worse than emulate the NHS on cyber-security: “In order to successfully guard against the work of intelligent cyber-criminals, as well as effectively combat the chance of human error along the way, councils can look to the NHS for lessons in best-practice.

“By deploying new operational centres to protect patient data from the threat of hackers, and hiring white hat hackers as part of a £20 million investment, the NHS has recognised the appalling consequences of data breaches, and is dedicating resources to fix vulnerabilities across its IT systems. These moves represent the first steps towards an innovative security programme in the public sector.

“With the recent WannaCry attack acting as a warning for the whole of the public sector, and the cyber-landscape only set to become more problematic, it really is now or never for councils to put the necessary plans in place to fix any gaps hackers may work their way into.”
