No more reasons for cyber security vulnerabilities in councils
Guest blog: Peter Dewsbury, director at Arcus Global as part of our #DigitalPlace week.
Breaches of cyber security are a significant risk to every business and individual, but are increasingly affecting local government. Recovering from the February 2020 ransomware attack, which reduced Redcar & Cleveland Council to using pen and paper for critical processes, was estimated to have cost over £10.5m - three times their 2019 central ICT budget.
However, you no longer need to manage the majority of cyber security risks yourself - you can instead transfer much of that risk to the cloud. You can also make it much simpler to secure the assets that you do retain (like hardware, office infrastructure and on-premise legacy solutions) by using tools that keep track of the security and compliance status of your entire estate, without having to employ a large security team of your own. With modern infrastructures, there’s no need to let an organisation suffer widespread cyber security disruptions.
A new threat landscape
Cyber security threats are nothing new, but they have come a long way from the playful efforts of researchers (notably the Creeper program back in 1971) to the wilful destruction of the Melissa virus and, more recently, to a new frontier for military conflict and organised crime.
Not only that, but ransomware, which encrypts victims’ digital content and prevents access to it, is today increasingly proving a particularly effective method of extortion. As a side note, the UK NCSC has excellent guidance on how to deal with it.
With remote working commonplace in councils since the pandemic began, end-user devices such as laptops, phones and tablets are now at the forefront of your security defences. But keeping track of and securing these loosely-connected devices is a bigger challenge than ever.
Straightforward actions to minimise and mitigate risk
Here are the best ways for councils to minimise their risk:
Shrink your attack surface by maximising the proportion of your technology that is managed on ‘enterprise grade’ cloud computing platforms, preferably Software-as-a-Service, so you have less responsibility for security.
Control the rest by implementing tools and processes to give you visibility of the assets that you retain (including those managed by third parties) so you can address issues before they result in a cyber security breach.
When employing cloud services, it is crucial to understand what elements of security you are responsible for and how confident you should be in the service provider doing a good job of the elements they are responsible for.
The challenge of securing multiple suppliers, data centres and clouds can sometimes seem insurmountably complex. However, modern approaches such as SaaS and IaaS provide a wealth of security data that you can leverage to ensure the basics are in place, while also demonstrating compliance to management, boards and auditors.
In general, large scale SaaS providers will give you the greatest transfer of security responsibilities and shield you from most risk, but you will still need to think about issues like user authentication and access and how citizen data is protected, and consider how to recover that data in the case of loss or damage due to human error. After all, sometimes the biggest threat comes from inside.
Keeping on top of all your technology assets and understanding their respective level of cyber risk is complex, time-consuming and difficult to achieve without the scale of network and security operations centres. There’s nothing to be gained from going it alone.
Considering the above, there are some vital questions local authorities should ask themselves when assessing their cyber capabilities.
Have we done everything we can to minimise the attack surface available to cyber criminals?
Have we maximised our use of genuine SaaS to leave experts in charge of specialist security work?
For everything else, are we confident that we have the security basics in place such as antivirus, patching and device management?
Can we proactively identify issues with our cyber posture (such as uncontrolled or non-compliant devices), and is MI available for management oversight?
Are we confident that we could pass an audit, or will we not know until one is started?
Once these things are thought about and actioned, there’s no reason why a local authority should become particularly vulnerable to cyber attacks. The threat landscape has changed over the years, but adapting and employing the right solutions to tackle it is key. No council wants to compromise precious citizen data, and with the right foundations in place, no council will.
Georgina Maratheftis
Associate Director, Local Public Services, techUK