In recent years, councils across the UK have found themselves increasingly in the crosshairs of cybercriminals, writes Rick Goud, CIO and founder at the cyber product firm Zivver.
According to one study, councils were hit by more than 10,000 cyberattacks per day in 2022, with phishing the most common attack vector, accounting for roughly three-quarters (75pc) of all incidents. In a recent UK-wide survey, more than a quarter of councils said they’d made “no progress” on cybersecurity, and at least 59pc said their approach to cybersecurity was “outdated”.
Social engineering and email phishing scams, where fraudsters masquerade as legitimate contacts to extract sensitive information from employees, are becoming increasingly difficult for councils to detect. In part, that is due to a lack of employee awareness training and adequate phishing counter-measures, but it can also be attributed to the rise in generative AI and the increased sophistication of attacks. One such incident at Leicester City Council meant that its phone lines and IT systems had to be taken offline for days while it dealt with a major security breach. Sefton Council, in Liverpool, recently announced that it had seen a 50% increase in cyberattacks – most of them phishing related – as it fended off 30,000 attacks per month. Gloucester City Council was also targeted with an attack that affected benefit payments, planning applications, and electoral data. The estimated cost to taxpayers for the council to rebuild its servers stands at around £845,000.
These cyberthreats strike the very hearts of communities, pulling vital services offline and disrupting basic social functions. The Local Government Association (LGA) and even the likes of Microsoft have recognised the scale of the problem, carrying out thorough assessments to see how security standards can be improved and which preventative tools should be deployed.
Challenges facing councils
Local councils in the UK navigate a complex cybersecurity landscape, marked by the dual challenges of managing highly sensitive personal data and maintaining the unwavering trust of the public. The nature of their services requires access to and protection of extensive amounts of confidential information, from personal resident details to financial records, making them prime targets for cyber attacks.
Compounding these challenges are often outdated IT systems and constrained budgets dedicated to cybersecurity efforts. One publication refers to UK councils being stuck in an “IT time warp”, grappling with legacy architecture or even paper-based systems to deal with citizen requests. Many local authorities find themselves wrestling with the need to modernise their digital infrastructure while simultaneously guarding against an ever-evolving array of cyber threats. This delicate balancing act underscores the pressing need for strategic investments in cybersecurity measures that can effectively protect against both current and future risks.
Human element of cyber
The human element remains a critical vulnerability in cybersecurity, often cited as the weakest link in even the most robust security frameworks. According to a recent survey of security decision makers conducted by Insight Avenue and Zivver, human error was identified as the number one concern in terms of outbound threats for 74pc of respondents.
While it is never the fault of the person targeted, and the blame will always lie with the attacker, falling for phishing attacks is one of the primary causes of security breaches in UK councils. The mishandling of sensitive information via email and other channels is also a major security risk, exacerbated by outdated IT systems and a tendency to keep data siloed and decentralised.
Humans will always be fallible and prone to error, but there are ways to mitigate the risk of human mistakes and safeguard data. Effective communication on the importance of secure practices, alongside regular training on the latest cyber threats and safe data handling protocols, plays a pivotal role in enhancing an organisation’s overall cybersecurity posture. Beyond that, deploying technological solutions such as multi-factor authentication (MFA) to verify users, zero-key architecture which automatically encrypts sensitive emails so that they can only be read by their intended recipient, and advanced phishing filters, can all make a difference to the level of risk employees are exposed to.
Lessons learned
The Leicester City Council incident underscores the critical importance of rapid response and effective communication following a cybersecurity breach. The council’s decision to shut down IT systems to contain the threat serves as a case study in taking decisive action to mitigate further risk. Their collaboration with cybersecurity, law enforcement, and other councils highlights the value of shared knowledge and resources in responding to cyber incidents.
Adopting basic yet effective cybersecurity measures can significantly bolster the defences of local councils against cyber threats. Regular software updates, the implementation of multi-factor authentication, and the utilisation of encrypted communications are foundational steps that can prevent unauthorised access and secure sensitive data. These practices, along with a proactive approach to cybersecurity, ensure that councils are not only protecting their current systems but are also laying the groundwork for a more secure and resilient digital infrastructure.
