2018 hasn’t been a good year for local authorities in terms of cybersecurity after reports highlighted that they are unprepared to deal with cyber attacks and that many continue to use out-of-date and vulnerable software.
Numerous data breaches also made the headlines, raising concerns that local councils are falling behind when it comes to implementing effective cybersecurity.
According to Big Brother Watch’s Cyber-attacks on local authorities report, there were 98 million cyber-attacks aimed at local authorities over the last 5 years, meaning that there are at least 37 attempted breaches of UK local authorities every minute. In addition, at least 1 in 4 councils experienced a cybersecurity incident (that is, an actual security breach) between 2013 and 2017.
A combination of budgetary constraints and the inability to attract and retain cyber talent plays a part in why local authorities are being successfully attacked. However, the lack of leadership when it comes to implementing the basics plays a far greater role.
According to GCHQ studies, 80-90% of economic loss due to cybercrime is a result of organisations neglecting basic best practice. Statistics show that far too many councils are not giving employees basic awareness training on the threats they face.
What's more, while these council data breaches aren't necessarily about any significant financial gain for cybercriminals, they do highlight the important question of just how secure all levels of government are; the entire ecosystem, from central departments to local council.
Basic best practice
We know how hard it can be when dealing with a threat that's always growing and evolving, but councils have had plenty of warning when it comes to the cyber risks they face. However, it needn't be difficult to take effective steps to counter the threat, and security shouldn't have to cost the earth to implement.
We urgently need a shift in mindset when it comes to security. Organisations need to stop wondering if a cyber incident will happen to them, and acknowledge instead that it's actually a case of when it will happen. Robust training can address the most common weak point for many organisations, their employees' knowledge of cyber, but common sense is our biggest ally when it comes to cybersecurity. Doing the absolute basics – even if we do nothing else – will deliver tangible benefits.
Every council trains its employees in health and safety procedures, but very few provide training in basic cybersecurity. According to the report from Big Brother Watch, three-quarters of councils do offer training, but it's not mandatory.
The challenge involved in changing people's attitudes towards cybersecurity is a big one. It hasn't helped that, for many years, some areas of the cybersecurity industry have made it out to be a dark art full of mysticism. Perceiving cybersecurity as a scary and dark art, most people will try to avoid it as they don't believe that they can do anything to change the situation.
In reality, we need to remember that hacking has become easier than ever thanks to the release of mass-produced exploitation kits that are readily available to anyone with a Tor browser, access to the Dark Web and some bitcoins. But as with most criminals, hackers prefer easy targets. The chances are high that if you have some basic security software installed and have kept your machine up to date with the latest patches, a hacker will pass you by as they seek out easier prey. The same rules apply online as well as offline.
As the guardians of our services, defences and the prosperity of our nation, governments need to be taking basic security far more seriously. It's not hard, or necessarily expensive; it just needs doing. Make yourself an easy target, and you will become a victim.