An FOI analysis has revealed a major problem with cybersecurity breaches across UK councils plagued by a lack of funding and security.
Managed security services firm Redscan’s latest report, Disjointed and under-resourced: Cybersecurity across UK councils, analysed data collected in the FOI responses from more than 200 councils in England, Scotland, Wales and Northern Ireland.
The data suggests that as well as struggling to deal with service disruptions caused by cyberattacks, councils are also woefully under-prepared for current and future security challenges.
Councils play an important role in ensuring access to vital services, meaning they hold and process vast quantities of data, a prime target for malicious actors. Over the last 12 months, there have been numerous reports of data breaches at UK local authorities.
The Redscan report also highlights a lack of spending on security training, with only around 50% of all UK councils admitting that their staff received cybersecurity training last year. Additionally, 45% of councils employ no professionals with recognised security qualifications.
Commenting on the data, Redscan CTO Mark Nicholls said: “There is significant room for councils to improve their readiness to tackle current cyber risks, as well as those that will emerge in the future as cities become smarter and more connected.
“Every council has thousands of citizens depending on its services daily. Going offline due to a cyberattack can deny people access to critical services. To minimise the impact of data breaches, it is important that councils are constantly prepared to prevent, detect and respond to attacks. While our findings show that councils are taking some steps to achieve this, approaches vary widely and, in many cases, are not enough.
“Our analysis reveals some pretty shocking failings, such as 29 data breaches reported to the ICO by one council in a single year. The fact that approximately half of all council employees across the UK did not receive security training in 2020 is also concerning,” Nicholls added.
Councils in the UK are beginning to adopt digital technologies across many of their systems in an attempt to keep pace with rapid technological change; Edinburgh council, for example, announced that it would be extending a deal with global ICT provider CGI to help “realise the city’s digital ambitions”. However, a lack of training and security practices has left them wide open to possible breaches.
There were many examples last year of councils being hit by major cyberattacks that stole private data and knocked out vital systems. In February, Teesside council suffered a malware attack that knocked out its systems, potentially delaying offers of school places to children and putting public data at risk.
Additionally, Hackney council was hit by a major breach in October 2020. The attack disrupted services, and hackers stole private data about citizens. The data was subsequently published online, likely on dark web forums, a popular tactic among cybercriminals and hackers.