The growing reliance on information technology and the increasing use of the internet for personal and business transactions provide many opportunities for growth, but also open the door to potentially catastrophic cyber threats. With the sudden shift to remote working because of the COVID-19 pandemic, local authorities increasingly rely on the internet for practically all aspects of business. Councillors especially carry out much of their work online, from corresponding with local residents and businesses to reviewing documents and conducting scrutiny meetings.
The increased reliance on remote and digital methods of work and communication has opened the door to an exponential increase in cyber attacks. As local government staff have migrated from the secure working confines of their council’s office network, the risk of cyber attack – malicious or benign – is now more pronounced than ever.
Local authorities are a prime target for cyber attacks, due to the disruption that can be caused if they are breached, as well as the large amount of personal data that they hold. An instructive example of the damage these malicious activities can wreak is the WannaCry cyber attack in May of 2017. This attack disrupted approximately 80 NHS trust bodies, in some cases preventing medical staff from using equipment such as MRI scanners.
In 2018, a Local Government Association Stock Take analysed the cyber security of local authorities across England. It found that 90% scored ‘amber’ on the scale, with only a small portion under or over-performing. One of the main take-aways from this survey was that training and awareness of cyber security offered the greatest room for improvement.
Within the local government environment, national government-mandated protocols for data management and anti-virus protections are already in place. However, these protections often prevent only certain attacks, and do not provide true immunity against cyber infection. This is true especially because the greatest cyber risks currently come from within an organisation, posed by employees themselves.
People represent the weakest link in any organisation’s cyber security system—in fact, more than a third of data breaches are caused or enabled by company staff. Some employees fall victim to email scams or unintentionally share data, but in some cases a disgruntled current or former employee may deliberately leak confidential data or compromise an organisation’s systems.
Councillors and officers receive multiple emails every day. Most are legitimate, but some will inevitably be attempted cyber attacks. It is vital that councillors and officers are trained to spot these scams and act appropriately – deleting, quarantining and reporting them.
Following simple guidelines can significantly decrease the risk of being a victim of phishing. Local government organisations should gauge awareness of email safety, and provide appropriate training on spotting increasingly sophisticated cyber scams. Councillors and officers should know how to recognise phishing scams and other cyber attacks, such as spoofing, and how to decide whether or not it’s safe to click on a link. Some guidelines to share with employees to protect the cyber health of an organisation include:
- Observing whether anything in an email looks unusual
- Noticing incorrect grammar and misspellings
- Verifying the legitimacy of the source and domain name
- Noting discrepancies or mistakes in how the email has been addressed, especially if it is addressed generically rather than to the recipient’s name
Councillors and officers should also be made aware that top-of-mind issues, such as COVID-19, are commonly what hackers and other cyber criminals use as a hook to breach and compromise networks, preying on concerns about a current issue, often with a promise to learn more. Mindfulness of this ploy is often all that is required to help employees identify malicious communications.
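The checklist above can also be expressed as an automated triage pass over incoming mail. The following is an added example, not code from the original article: the trusted domain, keyword lists, finding names and both sample messages are constructed for illustration, and the heuristics only flag messages for a person to look at.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumptions for this sketch: the council's mail domain and the lure keywords.
TRUSTED_DOMAINS = {"council.example"}
TOPICAL_LURES = ("covid", "coronavirus")
GENERIC_GREETING = re.compile(
    r"^\s*(dear|hello|hi)\s+(customer|user|colleague|sir|madam)\b", re.I | re.M)

def domain_of(header_value):
    """Lower-cased domain of an address header, or '' when it is missing."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()

def triage(raw_email):
    """Return the checklist items a plain-text message trips (empty = none)."""
    msg = message_from_string(raw_email)
    body = msg.get_payload()
    text = ((msg["Subject"] or "") + "\n" + body).lower()
    findings = []
    sender = domain_of(msg["From"])
    if sender not in TRUSTED_DOMAINS:
        findings.append("external-sender")
    if msg["Reply-To"] and domain_of(msg["Reply-To"]) != sender:
        findings.append("reply-to-mismatch")
    if GENERIC_GREETING.search(body):
        findings.append("generic-greeting")
    if any(k in text for k in TOPICAL_LURES) and re.search(r"https?://", body):
        findings.append("topical-lure-with-link")
    return findings

# Constructed sample messages (not real mail).
PHISH = """From: "Council IT Helpdesk" <helpdesk@council-example.test>
Reply-To: collect@mailbox.example.net
Subject: COVID-19 policy update - action required

Dear colleague,
Please review the new COVID-19 guidance: http://council-example.test/login
"""
LEGIT = """From: "Planning Team" <planning@council.example>
Subject: Agenda for scrutiny meeting

Dear Cllr Jones,
The agenda for Thursday is attached.
"""

if __name__ == "__main__":
    print(triage(PHISH), triage(LEGIT))
```

A message that trips several items at once, as the first sample does, is a candidate for quarantine and reporting rather than automatic deletion.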
What Councils Can Do
Councils must operate on the basis of ‘when,’ not ‘if,’ a data breach will occur. Equipping councillors and officers with knowledge of cyber security is only the first step in preventing cyber infection. Since councils handle the data of their local businesses and residents, they must have protections in place that meet or exceed government standards, and are in line with the GDPR. Councils also need knowledgeable IT staff who are responsible for helping meet and achieve the standards set by the government.
Councillors must also take a leadership role in exercising cyber stewardship for their local government and for local small businesses. Measures to build cyber immunity should include training for all council employees and those who have access to sensitive data. Effective training includes clear explanations of why security policies and processes are put in place, to ensure that employees are engaged and committed to the team effort of protecting the association from cyber intrusions. Providing training on cyber security for new employees provides a baseline of cyber safety.
In their roles as cyber stewards, Councillors should also share effective cyber security measures, resources and guidelines with the local community. For example, programs such as the NCSC 10 Steps to Cyber Security are vital knowledge for small businesses.
Local government organisations have a responsibility to demonstrate that they are secure against cyber attacks and they are positioned to help their communities build cyber resilience as well.