No more reasons for cyber security vulnerabilities in councils

4 May 2021 01:36 PM

Guest blog: Peter Dewsbury, director at Arcus Global, as part of our #DigitalPlace week.

Breaches of cyber security are a significant risk to every business and individual, but are increasingly affecting local government. Recovering from the February 2020 ransomware attack that reduced Redcar & Cleveland Council to using pen and paper for critical processes was estimated to have cost over £10.5m – three times their 2019 central ICT budget.

However, you no longer need to manage the majority of cyber security risks yourself – you can instead transfer much of that risk to the cloud. You can also make it much simpler to secure the assets that you do retain (like hardware, office infrastructure and on-premise legacy solutions) by using tools that keep track of the security and compliance status of your entire estate, without having to employ a large security team of your own. With modern infrastructures, there’s no need to let an organisation suffer widespread cyber security disruptions.

A new threat landscape 

Cyber security threats are nothing new, but they have come a long way from the playful efforts of researchers (notably the Creeper program back in 1971) to the wilful destruction of the Melissa virus and, more recently, to a new frontier for military conflict and organised crime.

Not only that, but ransomware, which encrypts victims’ digital content and prevents access to it, is today increasingly proving a particularly effective method of extortion. As a side note, the UK NCSC has excellent guidance on how to deal with it.

With remote working commonplace in councils since the pandemic began, end-user devices such as laptops, phones and tablets are now at the forefront of your security defences. But keeping track of and securing these loosely-connected devices is a bigger challenge than ever.

Straightforward actions to minimise and mitigate risk 

Here are the best ways for councils to minimise their risk: 

  1. Shrink your attack surface by maximising the proportion of your technology that is managed on ‘enterprise grade’ cloud computing platforms, preferably Software-as-a-Service, so you have less responsibility for security.
  2. Control the rest by implementing tools and processes to give you visibility of the assets that you retain (including those managed by third parties) so you can address issues before they result in a cyber security breach. 

When employing cloud services, it is crucial to understand which elements of security you are responsible for and how confident you should be that the service provider is doing a good job of the elements they are responsible for.

The challenge of securing multiple suppliers, data centres and clouds can sometimes seem insurmountably complex. However, modern approaches such as SaaS and IaaS provide a wealth of security data that you can leverage to ensure the basics are in place, while also demonstrating compliance to management, boards and auditors.

In general, large-scale SaaS providers will give you the greatest transfer of security responsibilities and shield you from most risk, but you will still need to think about issues like user authentication and access, how citizen data is protected, and how to recover that data in the case of loss or damage due to human error. After all, sometimes the biggest threat comes from inside.

Keeping on top of all your technology assets and understanding their respective level of cyber risk is complex, time-consuming and difficult to achieve without the scale of network and security operations centres. There’s nothing to be gained from going it alone.

Considering the above, there are some vital questions local authorities should ask themselves when assessing their cyber capabilities. 

  1. Have we done everything we can to minimise the attack surface available to cyber criminals?  
  2. Have we maximised our use of genuine SaaS to leave experts in charge of specialist security work?  
  3. For everything else, are we confident that we have the security basics in place such as antivirus, patching and device management?   
  4. Can we proactively identify issues with our cyber posture (such as uncontrolled or non-compliant devices), and is management information (MI) available for management oversight?
  5. Are we confident that we could pass an audit, or will we not know until one is started? 

Once these things are thought about and actioned, there’s no reason why a local authority should become particularly vulnerable to cyber attacks. The threat landscape has changed over the years, but adapting and employing the right solutions to tackle it is key. No council wants to compromise precious citizen data, and with the right foundations in place, no council will.