No more reasons for cyber security vulnerabilities in councils
Guest blog: Peter Dewsbury, director at Arcus Global as part of our #DigitalPlace week.
Breaches of cyber security are a significant risk to every business and individual, but are increasingly affecting local government. Recovering from the February 2020 ransomware attack that reduced Redcar & Cleveland Council to using pen and paper for critical processes was estimated to have cost over £10.5m – three times their 2019 central ICT budget.
However, you no longer need to manage the majority of cyber security risks yourself – you can instead transfer much of that risk to the cloud. You can also make it much simpler to secure the assets that you do retain (like hardware, office infrastructure and on-premise legacy solutions) by using tools that keep track of the security and compliance status of your entire estate, without having to employ a large security team of your own. With modern infrastructures, there’s no need to let an organisation suffer widespread cyber security disruptions.
A new threat landscape
Cyber security threats are nothing new, but they have come a long way from the playful efforts of researchers (notably the Creeper program back in 1971) to the wilful destruction of the Melissa virus and, more recently, to a new frontier for military conflict and organised crime.
Not only that, but ransomware, which encrypts victims’ digital content and prevents access to it, is today increasingly proving a particularly effective method of extortion. As a side note, the UK NCSC has excellent guidance on how to deal with it.
With remote working commonplace in councils since the pandemic began, end-user devices such as laptops, phones and tablets are now at the forefront of your security defences. But keeping track of and securing these loosely-connected devices is a bigger challenge than ever.
Straightforward actions to minimise and mitigate risk
Here are the best ways for councils to minimise their risk:
- Shrink your attack surface by maximising the proportion of your technology that is managed on ‘enterprise grade’ cloud computing platforms, preferably Software-as-a-Service, so you have less responsibility for security.
- Control the rest by implementing tools and processes to give you visibility of the assets that you retain (including those managed by third parties) so you can address issues before they result in a cyber security breach.
When employing cloud services, it is crucial to understand which elements of security you are responsible for, and how confident you should be that the service provider is doing a good job of the elements they are responsible for.
The challenge of securing multiple suppliers, data centres and clouds can sometimes seem insurmountably complex. However, modern approaches such as SaaS and IaaS provide a wealth of security data that you can leverage to ensure the basics are in place, while also demonstrating compliance to management, boards and auditors.
In general, large-scale SaaS providers will give you the greatest transfer of security responsibilities and shield you from most risk, but you will still need to think about issues like user authentication and access, how citizen data is protected, and how to recover that data in the case of loss or damage due to human error. After all, sometimes the biggest threat comes from inside.
Keeping on top of all your technology assets and understanding their respective levels of cyber risk is complex, time-consuming and difficult to achieve without the scale of network and security operations centres. There’s nothing to be gained from going it alone.
Considering the above, there are some vital questions local authorities should ask themselves when assessing their cyber capabilities.
- Have we done everything we can to minimise the attack surface available to cyber criminals?
- Have we maximised our use of genuine SaaS to leave experts in charge of specialist security work?
- For everything else, are we confident that we have the security basics in place such as antivirus, patching and device management?
- Can we proactively identify issues with our cyber posture (such as uncontrolled or non-compliant devices), and is management information (MI) available for management oversight?
- Are we confident that we could pass an audit, or will we not know until one is started?
Once these things are thought about and actioned, there’s no reason why a local authority should become particularly vulnerable to cyber attacks. The threat landscape has changed over the years, but adapting and employing the right solutions to tackle it is key. No council wants to compromise precious citizen data, and with the right foundations in place, no council will.