Local authorities face an average of 19.5 million cyber attacks a year, according to an investigation by privacy campaign organisation Big Brother Watch
This equates to 37 cyber attacks or attempted breaches every minute on organisations that are accumulating growing troves of sensitive and personal information about citizens.
The report reveals an “overwhelming failure” by councils to report losses and breaches of data, as well as shortcomings in staff training in the past five years.
In that period, 114 councils experienced at least one breach and 25 suffered a loss of data, but more than half of these incidents went unreported.
Although human error is the main factor in making a cyber attack successful, the investigation found that three out of local authorities do not provide mandatory cyber security training to staff and 16% do not provide any cyber security training at all.
These findings raise concerns about the ability and commitment of local authorities to fend off cyber attacks, the report said, despite the fact that councils are collecting more personal information about citizens than ever, making them a growing target for cyber attacks.
“With councils hit by over 19 million cyber attacks every year, one would assume that they would be doing their utmost to protect citizens’ sensitive information,” said Jennifer Krueckeberg, lead researcher at Big Brother Watch.
“We are shocked to discover that the majority of councils’ data breaches go unreported and that staff often lack basic training in cyber security. Local authorities need to take urgent action and make sure they fulfil their responsibilities to protect citizens. ”
Pat Walshe, director of data protection consultancy Privacy Matters, said the report reveals inconsistent approaches to safeguarding personal and sensitive data held by local authorities. “It highlights the pressures faced by local authorities in a world of diminishing resources but increasing demands,” he said. “It will be important that local authorities receive appropriate support moving forward.”
Raj Samani, chief scientist and fellow at security firm McAfee, said one of the greatest concerns around the investigation’s findings is the previous lack of communication around these attacks.
“Unless made aware, potential victims – the citizens that they are serving – are unable to protect themselves, whether by changing passwords or more closely monitoring for instances of fraud,” he said.
However, Samani said there is nothing to be gained by pointing the finger at the IT and security teams. “Managing the growing and evolving threat against a backdrop of squeezed budgets, local authorities are having to make difficult choices about where their investments should be made,” he said.
“Unfortunately, few public sector organisations have the budget to invest in greater human resources to combat the growing cyber threat. Instead, IT and security teams are having to take more intelligent approaches to solving the problem.
“One way is through automating certain processes, removing simple repetitive activities that enable them to put their energy into planning their defences against the wider threat landscape.”
According to Rob Wilkinson, local government security specialist at internet security company Smoothwall, local councils are actually more at risk than any business because the authorities hold sensitive information on citizens that could be used by cyber criminals to profile victims.
“Regional administrations are also a relatively unsuspecting target for most employees and councillors and that is exactly why they represent a huge risk,” he said.
Paul Edon, director at Tripwire, said the truth of the matter is that many organisations, not just councils, remain unprepared for a cyber attack. “It’s difficult to prepare for something you don’t understand, can’t visualise, and haven’t experienced,” he said.
“You would have hoped that the devastation caused by NotPetya and WannaCry would have triggered an instant reaction for organisations to get their security in order. This isn’t the case.
“To get security right, organisations need to get the basics right. Start by understanding the risk you have. You must conduct regular, preferably continuous, assessments of configuration and vulnerability risk across your IT systems. Then ensure systems are regularly patched and upgraded.
“Following these basic security hygiene rules will go a long way to making your systems secure and the attackers’ job more difficult.”
Low levels of security training
Commenting on the low levels of security training for staff, Erik Westhovens, architect and evangelist, digital workspace at Insight UK, said the key to effective cyber security is to understand that vulnerabilities do not solely originate with technology, but with people.
“This is true for both the private and public sector,” he said. “These new findings from Big Brother Watch come at a very opportune time, revealing that three-quarters of councils did not provide mandatory cyber security training draws attention to the problem, which bring us one step closer to better cyber security countrywide.
“As employees are on the front line of the cyber security war, more often than not, a breach in security can be down to the behaviour of one individual. Therefore every single person across an organisation is responsible for its security and integrity.”
However, Westhovens said this expectation can be met only if businesses give employees the appropriate training and tools. “To encourage proactivity, organisations should establish workshops to discuss how they manage and secure their data, what their environment consists of and how they are thinking about cyber security within their practice area,” he said.
“There is an understandable urgency to solve this problem, and organisations need to look beyond the IT department to establish good cyber security awareness and practices. Training employees must be paired with investment in new technologies such as analytics or artificial intelligence. It is only by pairing such tools with strong, all-encompassing training programmes that organisations can best safeguard themselves and their customers from the many threats of today.”
Jonathan Young, CIO of FDM Group, said that as cyber attacks against all businesses, including local authorities, continue to grow in both volume and sophistication, it is critical that business leaders and council leaders invest in the necessary training.
“For councils in particular, this is very important as the data they hold will be impacted by the EU’s General Data Protection Regulation (GDPR),” he said, adding that preventing and responding to attempted attacks requires all members of staff to have high standards of digital proficiency and the necessary cyber skills to correctly store and protect public data.
“Therefore it is vital that all councils take a proactive approach to information security, re-skilling workers and hiring new talent that is properly prepared to respond to the continued threat of data breaches,” he said.