Guest Blog /

UK Local Government: No more excuses for cyber security failures in councils

Corix Partners guest blog banner

Breaches of cyber security are a significant risk to every business and individual, but are increasingly affecting local government. Recovering from the February 2020 ransomware attack that reduced Redcar & Cleveland Council to using pen and paper for critical processes, was estimated to have cost over £10.5m – three times their 2019 central ICT budget.

However, you no longer need to manage the majority of cyber security risks yourself – you can instead transfer much of it to the Cloud.  You can also make it much simpler to secure, keeping the assets that you do retain (e.g. laptops, mobile phones, office infrastructure and on-premise legacy solutions) by utilising tools to keep track of the security and compliance status of your entire estate without having to employ a large security team of your own. With modern infrastructures, there  are no more excuses for suffering widespread cyber security disruptions.

A new threat landscape

Cyber security threats are nothing new, but they have come a long way from the playful efforts of researchers (notably the creeper programme back in 1971) to the wilful destruction of the Melissa virus and, more recently, it has become a new frontier for military conflict and organised crime.

Not only that but ransomware, encrypting and preventing access to victims’ digital content, is today increasingly proving a particularly effective method of extortion. As a side note, the UK NCSC has excellent guidance on how to deal with them.

With the new working practices adopted throughout the COVID19 pandemic, increasingly end-user devices such as laptops, phones and tablets are at the forefront of your security defences, but keeping track of, and securing distributed loosely-connected devices is a bigger challenge than ever.

With the remote working commonplace in councils since the pandemic began, end-user devices such as laptops, phones and tablets are now at the forefront of your security defences. But keeping track of and securing these loosely-connected devices is a bigger challenge than ever.

Straightforward actions to minimise and mitigate risk

Here are the best ways for councils to minimise their risk:

  1. Shrink your attack surface by maximising the proportion of your technology that is managed on ‘enterprise grade’ cloud computing platforms. Preferably Software-as-a-Service so you have less responsibility for security.

  2. Control the rest by implementing tools and processes to give you visibility of the assets that you retain (including those managed by third parties) so you can address issues before they result in a cyber security breach.

When employing cloud services it is crucial to understand what elements of security you are responsible for and how confident you should be in the service provider doing a good job of the elements they are responsible for.

The challenge of securing multiple suppliers, data centres and clouds can sometimes seem insurmountably complex. However, modern approaches such as SaaS and IaaS provide a wealth of security data that you can leverage and ensure the basics are in place, while also demonstrating compliance to management, boards and auditors.

In general, large scale SaaS providers will give you the greatest transfer of security responsibilities and shield you from most risk, but you will still need to think about issues like user authentication and access, how citizen data is protected and consider how to recover that data in the case of loss or damage due to human error. After all, sometimes the biggest threat comes from inside.

Cyber security shouldn’t be the main business outcome from adopting SaaS, but at Arcus we can help you minimise your attack surface whilst transforming the way you work for the better. We transfer risk to those best positioned to manage it, rather than relying on hosted models that offer minimal benefits over on-premise models.

Keeping on top of all your technology assets and understanding their respective level of cyber risk is complex and time consuming and difficult to achieve without the scale of network and security operations centres. There’s nothing to be gained from going it alone.

Strata’s Insight platform is designed to quickly give you an up-to-date view of the security of your environment and automate much of the day-to-day work required to maintain your cyber defences, bringing best practice into reach for small and medium sized IT teams.

Considering the above, there are some vital questions local authorities should ask themselves when assessing their cyber capabilities.

  1. Have we done everything we can to minimise the attack surface available to cyber criminals?

  2. Have we maximised our use of genuine SaaS to leave experts in charge of specialist security work?

  3. For everything else, are we confident that we have the security basics in place such as antivirus, patching and device management?

  4. Can we proactively identify issues with our cyber posture (such as uncontrolled or non-compliant devices), and is MI available for management oversight?

  5. Are we confident that we could pass an audit, or will we not know until one is started?

Once these things are thought about and actioned, there’s no reason why a local authority should become particularly vulnerable to cyber attacks. The threat landscape has changed over the years, but adapting and employing the right solutions to tackle it is key. No council wants to compromise precious citizen data, and with the right foundations in place, no council will.


Corix Partners has been involved since 2015 in the promotion of stronger cyber security values across the public sector in the UK but the opinions expressed by guest bloggers are their views and do not necessarily reflect the opinions of Corix Partners.


This post is re-published with permission of Arcus Global and Strata Security and the original posting can be found here.