The very fabric that stitches our society together — our councils and local governing bodies — is under a silent siege from cyber attacks. The recent ransomware assault on Leicester Council is another real life cybercrime added to a growing list of attacks in the UK.
Redcar and Cleveland, Hackney, and the simultaneous cyber onslaught suffered by Canterbury, Dover, and Thanet Councils in Kent, to Gloucester City Council's stark warning of personal data potentially stolen and services disrupted should serve as a wake-up call to councils and local governing bodies to relook and improve their current cybersecurity measures as they are increasingly becoming sought after targets by cybercriminals.
The grave reality is that these types of attacks are not mere inconveniences, but have a huge impact on all kinds of essential services like housing, disability support payments, child protection services and so much more. It can take days, weeks and even months in some instances to get systems back up and running and secure, after attacks, causing harm and creating chaos in communities, and in many cases having long lasting implications for its victims.
Hospitals, just like councils and local governing bodies, have become prime targets for cybercriminals because of the vast amounts of sensitive personal information it keeps in its systems. These institutions are some of the most important in any community, providing vital services to individuals, yet they are underfunded and operate with limited, and often undertrained, cybersecurity resources.
It then comes at no surprise that they are popular targets for cybercriminals as most hospitals, councils and local governing bodies lack in cybersecurity expertise and infrastructure, leaving it vulnerable to attacks which have the potential of severe and devastating impact.
NCSC recently warned council chiefs that their email accounts, phones and computers will ‘almost certainly’ be targets for ‘cyber espionage operations’ before local and national elections. At the same time, TechnologyOne published findings from a survey conducted with more than 500 local authority senior managers and 2,000 residents in the UK, casting a revealing light on the dissonance between public perception and the stark realities faced by councils.
So, what path lies ahead for our councils? Battling against cyber attacks is no easy feat, even large and well-funded organisations struggle to keep attackers at bay. While more budget and investment into technology is always needed, it’s not always forthcoming.
But if we look at it from the perspective of the attacker, we can make smarter decisions in how to better protect organisations. Social engineering, in particular phishing attacks are the most common way through which organisations are breached and ransomware is spread. So, focussing on protecting employees from social engineering attacks can be one of the most effective ways to reduce the overall risk, and at considerably less cost than upgrading all IT systems.
Security awareness and training goes a long way, and in doing so, organisations don’t just begin to change the behaviours of individuals, but collectively build a strong cybersecurity culture which makes the entire workforce be a part of the solution.
But building a strong security culture isn’t something that happens overnight. It needs consistent effort. Just as a single workout session produces minimal outcomes, occasional security awareness programs will not lead to lasting change. It is through persistent effort, and the nurturing of a shared responsibility that councils can create a framework of resilience.
In the fight against cyberattacks, it's becoming increasingly clear that cybersecurity is not only a technical challenge but also a cultural one which requires everyone to work together. By cultivating a strong security culture, through engaging and relevant training, all organisations can strengthen their human firewall and mitigate its internal human risk.
In this cyber arena, success depends not on a handful of individuals, but on the combined efforts of every employee, from the frontline staff to the senior leadership. By cultivating a culture where cybersecurity is not just a requirement, but a shared belief, local governing bodies can transform their image from that of being an easy target in the eyes of criminals.