Local councils are increasingly attractive targets for cybercriminals. Like most sectors, councils and other public sector organisations are digitalising services to drive efficiency and improve the delivery of essential services. Digital transformation brings real benefits, but every new online service, integration and remote-access path also widens the attack surface, leaving councils more exposed to data breaches and disruptive attacks.
The impact of a successful attack can be severe, as the attack on Gloucester Council shows. Breached in December 2021, the council suffered long-lasting disruption: systems were still not fully operational months later, and Gloucester's museum was still unable to access its artefact database in March 2023. While public sector bodies remain firmly in attackers' sights, the good news is that improving cybersecurity does not need to be costly or complex, and there are practical measures local councils can take to protect themselves proactively.
IT health checks: more than a tick-box exercise
When it comes to mitigating attacks and bolstering cyber resilience, it is important for local councils to go beyond the minimum requirements wherever they can. As essential public bodies, councils are required to evidence their cybersecurity posture through a regular IT Health Check (ITHC), carried out by a supplier certified under the National Cyber Security Centre (NCSC) CHECK scheme. By reviewing and providing assurance over the security of both external-facing and internal systems, the ITHC forms a crucial part of a council's cybersecurity strategy. Yet there is a tendency to treat it as a tick-box exercise rather than a valuable process for strengthening security.
It is not uncommon for public sector bodies to lack in-house cybersecurity expertise while operating on increasingly tight budgets. It is therefore understandable that councils find it difficult to allocate the time and resources to engage with the ITHC beyond the minimum requirements. Even so, there are a number of ways local councils can improve their cyber resilience and achieve more holistic protection against a reported 10,000 attempted cyberattacks every day.
In the case of Wiltshire Council, exceeding the NCSC guidelines and improving on the ITHC results of previous years was a key aim. To achieve this, the council engaged a new testing partner certified under the CHECK scheme, choosing an experienced third party well placed to identify areas to include in the ITHC beyond what is required. Internal and external testing was carried out to evaluate the council's cybersecurity posture and uncover previously unknown security gaps. Close collaboration between Wiltshire Council and its security partner meant the team was kept abreast of what was being actioned at each stage of the ITHC, with clear communication on next steps and detailed reporting that highlighted every weakness identified.
Following its bolstered ITHC, Wiltshire Council received approval from the Cabinet Office with no issues or further checks needed. Because the detailed report set out each finding, the council's IT team was able to act proactively, drawing up a remediation plan to address the security gaps identified, while the council as a whole gained a deeper understanding of its risk exposure.
Cybersecurity best practice: proactively deepening defences
Building on the strong foundation of a bolstered ITHC, there are various proactive cybersecurity best practice measures local councils can implement to strengthen their cyber resiliency.
First, measures such as penetration testing and vulnerability scanning uncover weaknesses open to exploitation by attackers, enabling councils and their IT and security teams to remediate gaps in their cybersecurity posture before they are exploited. Conducting cyber risk assessments throughout the year is also an important addition, because an ITHC provides only a point-in-time snapshot of cyber resilience: a finding fixed in January can reappear with a misconfigured rebuild in March, and a host that was clean at the time of the check may be running vulnerable software by the next patch cycle. Cybercriminals do not take days or weeks off, so cybersecurity must be treated as a year-round exercise, with findings tracked from discovery to verified closure rather than filed with the ITHC report.
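The following script is an added illustration of the point above, not code from the article or from any council or testing supplier: it treats an ITHC report and a later vulnerability scan as two snapshots, reports which findings are new, fixed or still open, and flags findings that have been open longer than a remediation target for their severity. The CSV layout (host, check_id, severity, title), the check identifiers, the hosts and the remediation targets are all constructed for the example; real scanner exports use their own column names and would need mapping onto this shape first.

```python
"""Track vulnerability findings across point-in-time snapshots.

Constructed example: the two CSV exports, the check identifiers, the hosts
and the remediation-target policy below are all made up for illustration.
"""
import csv
import io
from datetime import date

# Assumed remediation targets in days by severity (an example policy, not
# one the article states). Severities absent here are never flagged overdue.
REMEDIATION_TARGET_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}
SEVERITY_ORDER = ["critical", "high", "medium", "low", "info"]

# Constructed ITHC snapshot, taken 2023-01-16.
PREVIOUS_SCAN = """host,check_id,severity,title
10.0.1.10,tls-legacy-protocol,high,TLS 1.0 enabled on HTTPS listener
10.0.1.10,self-signed-cert,medium,Self-signed certificate on HTTPS listener
10.0.1.20,icmp-timestamp,low,ICMP timestamp requests answered
10.0.2.5,webapp-rce,critical,Unpatched web application server
"""

# Constructed follow-up scan, taken 2023-03-06: one fix, one new finding.
LATEST_SCAN = """host,check_id,severity,title
10.0.1.10,self-signed-cert,medium,Self-signed certificate on HTTPS listener
10.0.1.20,icmp-timestamp,low,ICMP timestamp requests answered
10.0.1.20,ssh-weak-mac,high,Weak SSH MAC algorithms offered
10.0.2.5,webapp-rce,critical,Unpatched web application server
"""


def parse_findings(csv_text):
    """Return {(host, check_id): row} from a CSV with host,check_id,severity,title."""
    findings = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        row["severity"] = row["severity"].strip().lower()
        findings[(row["host"].strip(), row["check_id"].strip())] = row
    return findings


def compare_snapshots(previous, latest):
    """Classify findings as new, fixed or persisting between two snapshots."""
    prev_keys, new_keys = set(previous), set(latest)
    return {
        "new": sorted(new_keys - prev_keys),
        "fixed": sorted(prev_keys - new_keys),
        "persisting": sorted(prev_keys & new_keys),
    }


def overdue_findings(latest, first_seen, as_of, targets=REMEDIATION_TARGET_DAYS):
    """List (severity, host, check_id, age_days) for findings past their target.

    first_seen maps a finding key to the date it was first reported; a finding
    with no record is treated as first seen on as_of (age 0).
    """
    overdue = []
    for key, row in latest.items():
        age = (as_of - first_seen.get(key, as_of)).days
        limit = targets.get(row["severity"])
        if limit is not None and age > limit:
            overdue.append((row["severity"], key[0], key[1], age))
    # Most severe first, then the longest-open within a severity.
    overdue.sort(key=lambda r: (SEVERITY_ORDER.index(r[0]), -r[3]))
    return overdue


def summarise_by_severity(latest):
    """Count open findings per severity in a snapshot."""
    counts = {}
    for row in latest.values():
        counts[row["severity"]] = counts.get(row["severity"], 0) + 1
    return counts


def run_example():
    """Run the comparison on the constructed snapshots and return the report."""
    previous = parse_findings(PREVIOUS_SCAN)
    latest = parse_findings(LATEST_SCAN)
    # Everything in the ITHC snapshot was first seen on the ITHC date.
    first_seen = {key: date(2023, 1, 16) for key in previous}
    return {
        "diff": compare_snapshots(previous, latest),
        "overdue": overdue_findings(latest, first_seen, date(2023, 3, 6)),
        "counts": summarise_by_severity(latest),
    }


if __name__ == "__main__":
    report = run_example()
    for label in ("new", "fixed", "persisting"):
        print(f"{label:10} {report['diff'][label]}")
    print("overdue   ", report["overdue"])
    print("open      ", report["counts"])
```

Run against the constructed data, the critical finding on 10.0.2.5 is reported as overdue (open 49 days against a 7-day target) while the new high finding on 10.0.1.20 is not, which is the kind of signal a once-a-year ITHC cannot give on its own. In practice the first_seen record would be persisted between runs rather than rebuilt from the previous export.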
One threat vector UK councils should be particularly wary of is phishing email. A recent study found that phishing poses the biggest threat to local councils, with three in four experiencing it more than any other type of attack as attackers look to exploit human rather than technical weaknesses. It is therefore crucial that councils promote a 'security-first' mindset across their organisations, ensuring all staff receive regular security awareness training and phishing simulations. This keeps cybersecurity front of mind in daily work and reduces the likelihood of staff clicking malicious links. Training lowers the click rate but never eliminates it, so it should sit alongside technical controls that limit what a single click can do, and simulation results should be used to target further training rather than to penalise individuals.
A look to the future
As cybercriminals become more sophisticated and organised, the threat landscape is only becoming more dangerous. For vital public bodies like local councils, it is essential to go beyond the minimum compliance requirements. Following the example set by Wiltshire Council, there are straightforward ways for local councils to stop treating cybersecurity as a tick-box exercise, go beyond the basics and build cybersecurity best practice into day-to-day business.
For local councils working with tight budgets, engaging a trusted security partner can support internal IT and security teams and help ensure a return on investment. For round-the-clock monitoring and response, councils should also consider a Security Operations Centre (SOC). Working further with a security partner and outsourcing the SOC gives a council access to experienced cyber professionals and to threat intelligence drawn from across the wider threat landscape, rather than only from its own estate.