Councils cannot afford to be cyber complacent

Businesses and organisations are at an increasing risk of cyber attacks and councils are among these potential targets, says Paul Bettison, chairman of the Local Government Association’s Improvement and Innovation Board

In a rapidly developing digital world, cyber security is now a vital priority for the public and private sector. The consequences of a crippling cyber attack can be devastating, both in terms of freezing computer systems indefinitely, but also for jeopardising the security of personal data.

A cyber attack can involve criminals hacking into IT systems illegally and demanding ransoms in return for the services to be restored, even though there is no guarantee that this will happen. One of the worst and most publicised incidents took place in May this year when global ransomware attack Wannacry affected more than 200,000 organisations in 150 countries, including the UK, where it hit 47 NHS trusts, leading to operations being cancelled and patients turned away from A&E.

This clearly demonstrates the potency, far-reaching damage, disruption and huge cost that cyber attacks can cause, and why it is vital that councils do not expose themselves inadvertently to any cyber threat. Protecting the personal data of residents, business customers and partner organisations from computer hackers is a top priority for councils which have robust cyber security measures in place, including firewalls and scanning services.

Councils carry out cyber resilience exercises and penetration tests on their computer systems, and staff are trained to be aware of digital threats and how to deal with them to safeguard data and ensure IT systems – and public services - are not compromised. Local authorities also work with public sector partners through Warning Advice and Reporting Points and Local Resilience Forums to protect their systems from, and put in place plans to respond to, cyber attacks.

However, councils cannot afford to be complacent as cyber attacks are predicted to continue increasing in both frequency and capability. Industry figures show that cyber attacks on UK businesses have increased by more than 50 per cent between the first and second quarter of this year alone. This equates to nearly 65,000 attacks – more than 700 every day - per business, which reflects the magnitude of the threat.

Like any safeguarding measures, cyber defence systems need to be reviewed, updated and strengthened regularly to protect confidential data, particularly when councils are now making more local public services available digitally across a range of online platforms and are getting more of their workforce online. Local government is planning greater collaboration work with national partner organisations - such as the integration of health and social care, children’s services and welfare reform programmes – meaning councils need to share more sensitive and personal information with organisations including hospitals, GPs, care homes, schools, academies, police and probationary services.

These trends, which aims to make public service more cost efficient to deliver, mean that cyber security arrangements are paramount. This is why the LGA is leading on a bid to the Cabinet Office for funding for councils to build the sector’s incident management capabilities to respond to cyber attacks. This will require new funding to develop the skills and capacity of councils, and the agencies leading on responses, including the Local Resilience Forums and the Warning Advice and Reporting Points, to have the resources and necessary arrangements in place to work more effectively with local partner organisations.

The LGA agrees with the government’s vision of the UK in 2021 as secure and resilient to cyber threats, prosperous and confident in the digital world, as set out in its National Cyber Security Strategy. Investing in cyber security must be seen as an economic opportunity and we urge government to give funding to councils to build capacity to respond to the growing threat of cyber attacks and ensure the safeguarding of personal data is as strong as possible.