The council of the future must prepare itself for the likelihood that a cyber-attack will occur: a case of ‘when not if’. Councils are already well rehearsed in responding to traditional risks like fires, floods and extreme weather conditions, as well as responding to crises like mass market or provider failure or terrorist incidents.
The new landscape of industrialised cyber threat, however, poses a new challenge. Whilst there is much good practice to take note of, it won’t be good enough to simply have the basic technologies in place to try to prevent an attack, and to leave this to the IT team to manage. A modern organisation will need to embed awareness of cyber security across the organisation, to ensure all staff understand basic cyber hygiene and know how to spot the risks. And there will need to be preparedness, across the organisation, to respond to and recover from a major cyber incident when it occurs.
Does the organisation know how to cope without access to its IT systems? Without being able to communicate by email? And do colleagues know how to minimise the damage of an attack, and which systems to restore first? Are files and systems routinely backed up and tested?
Cyber preparedness goes beyond good practice around data handling and sharing. The changes brought by the age of GDPR are important and timely, but they are not in themselves sufficient if an organisation is hit by a DDoS attack, or aggressive ransomware. The LGA has collected some case studies from councils who have already experienced such scenarios. A cyber incident can disrupt the running of essential services, as well as risking reputational damage for a council.
When even large-scale, household-name companies – like Amazon or Google – are experiencing attacks, we know the threat is real.
Though no council was directly hit, the WannaCry attack, which affected NHS systems in 2017, provided a stark illustration of the kind of impact a major cyber incident can have on the public sector. The cost to the public purse is estimated at £92m. Hundreds of patients’ lives were affected.
As a sector, we will continue to be targeted by those with criminal or hostile intent, who will try to breach our security to steal the data we hold and/or damage our systems. The capability and complexity of attacks are increasing, and therefore so too are the measures we must take to remain resilient against them. This threat cannot be eliminated completely, but the risk can be greatly reduced to a level that allows us to continue to benefit from the huge opportunities that digital technology offers to public services. Mature cyber resilience can be a business enabler, not a blocker.
It is in this context that, funded by the National Cyber Security Programme, the LGA has launched a programme of support for councils in England, working to improve the cyber resilience of our sector. As a first phase, we took stock of what councils were already doing in terms of their cyber security, and are now using this information to plan a programme of support for the sector, including an opportunity for councils to bid for funding or peer support, both individually and in partnership, to improve their cyber resilience.
This programme provides a real opportunity to work with the sector to ensure the council of the future is ready and resilient.