The work of councils has never been so vital to the most vulnerable in our society, and the digital communications and services they rely on have never been so critical to our efforts. From video conferencing and new data-sharing arrangements to the digitisation of public meetings, local government's response to COVID-19 has demanded continuous and accelerated digital innovation.
But despite the crisis, cyber threats have not gone away, and many criminals are treating the current situation as an opportunity to extort ransoms. Combined with the wider attack surface created by remote working, new partnerships and our increased reliance on digital services, this means that the risk associated with a cyber incident is greater than ever.
In 2017, the WannaCry attack on the NHS alerted the public to the impact of ransomware. Since then we have seen incidents cause significant organisational disruption and severe reputational and financial damage across different sectors. Local government has not been immune. Last year two councils fell victim to ransomware, with one small borough council reporting a financial impact of over £10m.
Until recently, ransomware focused on denying organisations access to their own information by encrypting it and locking users out of their data. More recently, attackers have added a second lever: stealing data before encrypting it and threatening to publish it online (so-called double extortion). This heightens the risk around data protection, safeguarding and reputation, and carries the additional financial burden of potential fines from the Information Commissioner's Office.
Preventing ransomware from getting onto systems is vital. Phishing emails are a common initial access route for ransomware. The government's Cyber Security Breaches Survey 2020 reported that, among organisations that identified a breach or attack, 86% had experienced phishing: staff receiving suspicious emails and being directed to malicious websites. If an unwitting member of staff clicks on such a link, attackers gain a foothold in the council's systems and access to the wealth of sensitive data and essential services held within them. This demonstrates the importance of staff awareness and of promoting cyber-secure behaviour. Awareness is only one layer, however: some phishing emails will always be clicked, so technical controls such as email filtering, multi-factor authentication and least-privilege access are needed to limit what a single click can achieve.
The National Cyber Security Centre has produced detailed guidance to help organisations mitigate malware and ransomware attacks. The mitigation activities fall into two categories: preventing compromise in the first place, and reducing the impact of an attack when one does happen.
Mitigation – the people, processes and technology
It is important to recognise that no organisation can be 100% cyber secure, so security is as much about preparedness as it is about protection.
It is also common for cyber security to be viewed as a purely technological issue that sits solely within the domain of IT teams. This is not the case. An effective security strategy addresses three pillars: people, processes and technology. Good cyber security is about:
- People understanding their role in cyber security. Training, skills and resources are needed to raise awareness.
- The processes that deliver the strategy itself. These should be in line with the organisation's wider approach to governance and risk, and should be tested, scrutinised and continually improved.
- The technology in place to prevent cyber incidents or reduce their impact.
Managing cyber risk
Like every member of our workforce, accountants need to understand the risk they pose as individuals. In addition, the accounting profession has an important role in understanding the financial dimension of cyber risk and ensuring it is considered across the organisation.
There has never been a more urgent need to understand and manage cyber risk. In doing so, we are more likely to protect key services, and to respond and recover more quickly when an incident occurs.
Ten years ago, cyber security was a niche technical topic. Today it is something every senior manager and leader in local government needs to understand, because the last decade was the first since the Second World War in which civil institutions in the UK came under regular attack from foreign actors.
That is a remarkable change in the context within which our 1.4-million-person workforce operates. To mitigate the cyber security risks of this new environment, local government must, like everyone else in the public sector, ensure that cyber security becomes a whole-workforce issue. The LGA remains committed to being part of that effort.
The National Cyber Security Centre guidance: mitigating malware and ransomware attacks