Councils spend far more on health and safety training than they do on IT security according to a newly-disclosed Freedom of Information (FOI) release. Filed by cyber-security company Citrix, the FOI shows how UK local councils spend up to eight times more on health and safety training than they do on data protection and IT security training.
While councils spend an average of £27,818 on health and safety training, they spend a comparatively small £3,378 on training for data protection and IT security. A large majority, 86 percent, spent nothing at all on training in IT security in the past year.
The same FOI campaign also revealed that over a third of devices issued by councils could be vulnerable, due not only to a lack of security spending but to having no enterprise-grade software installed. In the last couple of years, 56,000 smart devices have been issued by the respondent authorities, but nearly 40 percent of those aren't protected by enterprise-grade software.
All this data was compiled through a series of FOI requests sent to 129 councils around the UK. The requests asked for expenditure over the last two years on various training courses, including but not limited to data protection and IT security.
It should be said that there are 418 principal councils in the UK, meaning that the data only reflects findings from the 109 councils that responded.
Stephen Gates, chief research intelligence analyst at NSFOCUS, offered some insight to SCMagazineUK.com. Traditionally, he said, health and safety training has allowed organisations to avoid costly and damaging events like on-the-job injuries or loss of life.
On the other hand, “cyber-crime-related incidents haven't.” Perhaps not for long though, said Gates, “as the costs to victims of cyber-crime continue to rise, and at times are spinning out of control. Not only are organisations feeling the damages caused by the crime itself, they're also finding themselves in the crosshairs of regulators who impose fines and penalties after the fact - that only add to their losses. There needs to be a balance whereby IT training is just as important to an organisation's bottom-line as health and safety training.”
Cyber-attacks on local authorities are not known to be common, but they are far from rare. Another FOI request, carried out by Avecto, showed that at least 30 percent of local councils suffered at least one ransomware attack in 2015. Other high profile cases have included a ransomware attack on Lincolnshire council, which was quickly resolved early this year.
Mark James, security specialist at ESET, told SC that councils just don't face the same problems that businesses do:
“Sadly investing in IT security usually falls quite low in the spending list for most local authorities. The consequences for failures in IT security are significantly lower than other areas with no clear guidelines on what constitutes a failure. If you back that up with unsuccessful or fairly insignificant fines, in most cases it's easier to do something about it after it happens than before.”
IT security is hard enough for a specialist; training employees often becomes an extra strain, James added: “in most cases within this industry people's daily workload gets increased, hours get reduced and within that staff are still required to be responsible themselves for security.”
This data may not give us the full picture, added Kirill Slavin, managing director, UK and Ireland at Kaspersky Lab: “It is important to note that when it comes to spend on data protection and IT security training, the UK Government is likely to facilitate at a national level, rather than leaving it to local authorities to determine. Such protection and training needs to be robust and work across multiple areas and online tools. Therefore, the findings by Citrix need to be reviewed in this light.”