Privacy group, Big Brother Watch, has this morning revealed that local authorities faced 19 million cyber attacks a year (or 98 million between 2013 and 2017), with more than 25% of UK councils having had their computer systems breached in the past five years.
The report was based on freedom of information requests, which found that 114 out of 395 councils experienced at least one incident between 2013 and 2017, with 25 reporting a data breach as a result.
The majority of successful cyber attacks, according to the report, originated with phishing emails.
The privacy group said it was “shocked” that council staff often lacked cyber training. However, the Local Government Association said its councils took their privacy responsibilities “extremely seriously”.
“As cyber attacks against all businesses including local authorities continue to grow in both volume and sophistication, it’s critical that business leaders and council leaders alike invest in the necessary training to ensure staff are fully prepared to deal with these threats,” said Jonathan Young, chief information officer at FDM Group.
For councils in particular, he said that this is very important as the data which they hold will be impacted by GDPR.
“Preventing and responding to attempted hacks requires all members of staff to have high standards of digital proficiency and the necessary cyber skills to correctly store and protect public data. Therefore it’s vital that all councils take a proactive approach to information security, re-skilling workers and hiring new talent that is properly prepared to respond to the continued threat of data breaches.”
Cyber security training
Big Brother Watch said that council employees – as is the case across businesses – represented the weakest link in the cyber security chain. This risk, however, can be mitigated by introducing cyber security training to council employees.
Currently, the report revealed that 75% of councils did not provide mandatory cyber security training, and 16% did not provide any.
Jennifer Krueckeberg, lead researcher at Big Brother Watch, said: “One would assume that they [councils] would be doing their utmost to protect citizens’ sensitive information.”
“Local authorities need to take urgent action and make sure they fulfil their responsibilities to protect citizens,” she added.
“One of the greatest concerns around today’s news that such a great number of council computer systems have been breached is the previous lack of communication around these attacks. Unless made aware, potential victims – the citizens that they’re serving – are unable to protect themselves, whether by changing passwords or more closely monitoring for instances of fraud.”
“That said, we will gain nothing by pointing the finger at the IT and security teams. Managing the growing and evolving against a background backdrop of squeezed budgets, local authorities are having to make difficult choices about where their investments should be made.
“Unfortunately, few public sector organisations have the budget to invest in greater human resources to combat the growing cyber threat. Instead, IT and security teams are having to take more intelligent approaches to solving the problem. One way is through automating certain processes, removing simple repetitive activities that enable them to put their energy into planning their defences against the wider threat landscape.”
More at risk than any business
Local councils are actually more at risk than any business, school or bank because these authorities also hold sensitive information on citizens that could be used to build up a ‘profile’, according to Rob Wilkinson, local government security specialist at internet security company Smoothwall.
“An attack on a local government might not seem like a Hollywood-esque script that would make the front pages, but when you consider that over 25% of all local governments have had their systems breached in the last five years, you begin to see some of the pressures and challenges local authorities face. These regional administrations are a relatively unsuspecting target for most employees and councillors and that is exactly why they represent a huge risk. Historically, threat actors might opt to hack a huge financial incentive from a bank or credit card data from a dating website – but local authorities also hold sensitive and personal information on individuals that hackers could ‘phish out’ to build up a profile of their victim for blackmail purposes.”
“The solution here is two-fold: aside from ensuring all local authorities have the latest web filtering and web security measures in place, councils need to ensure the mandatory cyber security training is actually undertaken and not let slip by the wayside. Just as cyber attacks should be a number one concern for the board of any business, they should equally be so for any government – local or national. Safeguarding data must be a priority for any business, authority or institution in 2018.”