Jaqueline is an Exposure Management Professional specializing in Cyber. As part of the Certified Cyber Insurance Specialist (CCIS) course, she completed a complex assignment on cyber risk for local governments in the UK.
Local authorities are responsible for a range of vital services for people and businesses in defined areas. These include social care, schools, housing, planning, waste collection, licensing, business support, registrar services, and pest control. Because of the breadth of services they provide and fund, local authorities hold a great deal of potentially sensitive data.
Cybersecurity Challenges Faced by Local Authorities
The data a local authority holds may include, amongst other things, your address, email address, benefits information, medical information (for social care) and details of criminal records (e.g., where DBS checks have been carried out).
Outdated Software and Processes
As well as holding a lot of potentially sensitive data, local authorities are viewed as “low-hanging fruit” by criminals: their software and processes are often outdated, and cyber security is neither a priority nor properly funded.
According to Reform, a Westminster think tank for public service reform, “The public sector has faced some challenges in developing greater cyber resilience. Legacy infrastructure is problematic because it can contain vulnerabilities if not maintained properly. A lack of cyber skills both at the “high-end,” such as security architecture, and the “low-end,” enforcing “cyber-hygiene” principles, inhibits progress on cyber resilience.”
Differences in Cybersecurity Budgets
A 2022 ITV News investigation found huge differences between the amounts councils spent on cyber security, from £32,000 a year at one council, to nearly 30 times more at another council with a £1 million budget. The investigation also found hundreds of potential website vulnerabilities and the email addresses and passwords of staff at one council posted in full online.
Lack of Awareness and Training Heightens Cyber Risk For Local Governments in the UK
2020 research by Clearswift found that out of 1,000 public sector employees “almost half of respondents (47%) have either not heard of, or do not know what ransomware is, with 42% not having heard of, or what two-factor authentication (2FA) is. This lack of cybersecurity awareness is compounded by a lack of training – 77% of respondents have been given no instruction in how to recognize ransomware, while 16% have had no cybersecurity training whatsoever and 13% just once.”
No Dedicated Cybersecurity Expert
Furthermore, the research found that 68% of public sector employees said there is no dedicated cybersecurity expert in their organization, and only 12% had communicated with a cybersecurity expert in the prior six months.
Increase in Cyber Attacks
In a report dated end of August 2022, based on Freedom of Information requests to local authorities, the insurance broker Gallagher reported that authorities had faced 10,000 attacks each day so far in 2022. Comparing consecutive Freedom of Information requests sent to councils in 2021 and 2022, Gallagher also observed a 14% year-on-year rise in the number of cyber attacks. Since only around 20% of councils responded, the true numbers may be higher.
Common Types of Attacks
Phishing is the most common attack faced by councils, with 75% of councils categorizing it as the top attack vector, followed by DDoS attacks. In response to the growing threat, nearly half of councils reported that they had employed external experts to help reduce their cyber risk, and 85% had increased their cyber security to cope with the rising number of attacks, but just 23% had purchased a cyber insurance policy.
Local authorities may be the target of many different types of attack, for example hacktivism, DDoS attacks or ransomware. One of the biggest threats to the sector is ransomware. Research by Barracuda in 2022 shows that municipalities (local authorities) are among the sectors most heavily targeted by ransomware, and it also corroborates the increasing number of attacks on the sector.
The increase in attacks is observed worldwide. Australia and other countries also saw raised levels of attacks against local authorities. In the US, local governments are likewise seen as soft targets: many have suffered successful cyber-attacks and lack sound IT practices. US research “revealed that nearly one-third of U.S. local governments would be unable to tell if they were under attack in cyberspace” and that “almost half of U.S. local governments reported that their IT policies and procedures were not in line with industry best practices.”
The COVID-19 pandemic accelerated the digital transformation of workplaces, with many employees now able to work remotely. However, this shift to hybrid working has also introduced additional cyber risks, as the technology used for remote work may itself have vulnerabilities. Meanwhile, local authorities are rapidly moving their public services online, increasing the potential for both malicious attacks and accidental breaches.
The UK Government has recognized the need to strengthen the security and resilience of public services and has launched the Government Cyber Security Strategy 2022-2030. With around 40% of cyber incidents targeting the public sector, the strategy will be backed by a £37.8 million investment to help local authorities improve their cyber resilience and safeguard essential services such as housing benefit, voter registration, electoral management, school grants, and social care. The recent high-profile cyber attacks on local authorities highlight the urgent need for stronger defenses.
Internal Threat and Third-Party Cyber Risk For Local Governments in the UK
The 2022 Verizon Data Breach Investigations Report shows that 82% of breaches involved the human element (errors, misuse and social engineering). Accidental insider threats are common in local authorities; a typical case is an employee failing to use the BCC field when sending a mass email, which exposes every recipient’s private email address to every other recipient. Zivver’s research in 2022 found that 62% of employees had made ‘email errors’ in the last two years. Although 76% of IT leaders think that data security training alone will reduce email security risk, most employees either don’t apply the training they have had or haven’t received any to begin with.
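Training alone does not stop the BCC error described above, but a technical check before the message leaves the organisation can. The following Python is an added example, not code from the article, from Zivver or from any council: it parses an outgoing message, counts the distinct recipients visible in the To and Cc headers, and, when more than a threshold of addresses outside the organisation would be disclosed to each other, rewrites the message so that those addresses are carried in Bcc instead. The organisation domain `example-council.gov.uk`, the threshold `MAX_VISIBLE_EXTERNAL` and the sample message are assumptions chosen for illustration.

```python
"""Pre-send check for the "forgot to use BCC" mass-mailing error.

Added example for illustration only. The domain, threshold and the
sample message below are assumptions, not taken from any real council.
"""
from email import message_from_string, policy
from email.utils import getaddresses

INTERNAL_DOMAIN = "example-council.gov.uk"  # assumed organisation domain
MAX_VISIBLE_EXTERNAL = 1  # more than this many external addresses in To/Cc is a violation

# Constructed sample: a benefits-team mailshot where the residents were put in To/Cc.
SAMPLE_MESSAGE = """\
From: Benefits Team <benefits@example-council.gov.uk>
To: alice@example.net, bob@example.org, Carol <carol@example.com>
Cc: colleague@example-council.gov.uk
Subject: Change to your housing benefit payment date
Content-Type: text/plain; charset="utf-8"

Dear resident, your payment date will change next month.
"""


def check_mass_mail(raw_message: str) -> dict:
    """Classify the visible (To/Cc) recipients as internal or external.

    Returns a dict with the distinct internal and external addresses in the
    order they appear and a 'violation' flag set when more external
    addresses than MAX_VISIBLE_EXTERNAL would be disclosed to each other.
    Bcc is deliberately ignored: addresses there are not revealed.
    """
    msg = message_from_string(raw_message, policy=policy.default)
    internal, external, seen = [], [], set()
    for header in ("To", "Cc"):
        for value in msg.get_all(header, []):
            # getaddresses handles display names, angle brackets and groups.
            for _name, addr in getaddresses([str(value)]):
                addr = addr.lower()
                if not addr or addr in seen:
                    continue
                seen.add(addr)
                if addr.endswith("@" + INTERNAL_DOMAIN):
                    internal.append(addr)
                else:
                    external.append(addr)
    return {
        "internal": internal,
        "external": external,
        "violation": len(external) > MAX_VISIBLE_EXTERNAL,
    }


def move_external_to_bcc(raw_message: str) -> str:
    """Return the message unchanged if it is safe, otherwise a rewritten copy.

    External recipients are moved from To/Cc into Bcc; internal colleagues
    (or, if there are none, the sender) remain the visible To address so
    the message still has a syntactically valid recipient list.
    """
    report = check_mass_mail(raw_message)
    if not report["violation"]:
        return raw_message
    msg = message_from_string(raw_message, policy=policy.default)
    sender = str(msg["From"])
    for header in ("To", "Cc", "Bcc"):
        del msg[header]  # removes every occurrence of the header
    msg["To"] = ", ".join(report["internal"]) if report["internal"] else sender
    msg["Bcc"] = ", ".join(report["external"])
    return msg.as_string()


if __name__ == "__main__":
    before = check_mass_mail(SAMPLE_MESSAGE)
    print("violation:", before["violation"], "external:", before["external"])
    fixed = move_external_to_bcc(SAMPLE_MESSAGE)
    print("after rewrite, violation:", check_mass_mail(fixed)["violation"])
    print(fixed)
```

The check belongs at the point where the message is submitted (a mail gateway rule, an add-in in the mail client, or a script wrapping a bulk-mail tool), not in the recipient's inbox. Note that the Bcc header must still be stripped by the submitting mail agent before transmission, as mail clients and submission servers normally do; the rewrite above only stops the addresses from being placed where other recipients can see them.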
To combat such threats, the Government Cyber Security Strategy 2022-2030 calls for improved cybersecurity awareness and knowledge across all public sector workers, and for a focus on people as well as technology.
In addition to internal threats, third parties such as suppliers and service providers can also be the source of cyber incidents affecting local authorities. The National Cyber Security Centre (NCSC) provides advice on supply chain risk, and the Local Government Association offers free training on the subject. Local authorities should therefore remain vigilant about the risks posed by third-party vendors and take steps to mitigate them.
Case Study: Cyber Risk For Local Governments in the UK
In October 2020, Hackney Council, responsible for around a quarter of a million people, was attacked by the Pysa ransomware gang during the COVID-19 pandemic and lockdown restrictions. The council’s priority was business continuity and the delivery of key services such as benefit payments and staff salaries. However, the attack had a long-lived impact, with some core council services, including housing benefit payments and social care services, not functioning properly for at least a year.
The recovery process consisted of two main stages: the initial emergency response and then the actual recovery of systems and services. As with other ransomware incidents, recovery can accelerate an organization’s digital modernization programme; in Hackney’s case, it accelerated the move of data to the cloud.
Recovering systems for a local authority is complicated because human impact takes priority over technical needs. For instance, Hackney continued to pay the benefits that were in place at the time of the attack, although new claimants were less fortunate. As a result of the attack, people’s health, housing situations and finances suffered, and some vulnerable individuals could not access the support they needed. Furthermore, council staff were required to protect vulnerable people without access to notes or case files, leading to increased workloads and stress, and burnout for some employees.
The ransomware attack against Hackney reportedly cost at least £12m. The council has declined to comment on the technical aspects of the incident, citing ongoing investigations by the UK’s National Crime Agency and by the data regulator, the Information Commissioner’s Office (ICO), which could potentially fine the organization. Hackney has stated that it has never paid a ransom and never will, and that “the vast majority of the sensitive or personal information held by the council is unaffected.”
In conclusion, the vulnerability of local authorities to cyber attacks cannot be overstated, and it is crucial that they prioritize spending on cyber defense and provide adequate training for their staff to reduce internal risk. While this is a challenging task, collaboration between central and local government, insurers and other stakeholders can help mitigate the risks and provide the insurance coverage needed to protect taxpayers from financial losses. By taking proactive steps to address these issues, local authorities can better secure their data and safeguard the essential public services they provide.
Cyber Insurance Academy?
We are the global standard for accredited cyber insurance certification, with +4,000 Members from +40 countries.