Local authorities could be at risk due to not having a complete perspective on cyber security, according to research newly published by the Ministry of Housing, Communities and Local Government (MHCLG).
Its Local Digital Collaboration Unit (LDCU) has produced the findings of the pre-discovery project that it launched in March, following a round of stakeholder interviews and analysis of 163 councils’ responses to a survey on ransomware.
While the report focuses on how councils view cyber security rather than details of their defences, it highlights findings that convey a fractured perception of the issue among local authorities.
One of its findings is that there is no consistent understanding of what cyber security means for a council, making consistent prevention more difficult. There is even inconsistency as to what constitutes a breach, and a widespread perception that cyber security and risk relates solely to penetration testing and defending against hackers and virus threats.
“We believe this is an incomplete perspective, as cyber risk extends to the systems, the data kept in systems, the hardware used to access systems, and the services provided,” the report says.
Local authorities also have differing opinions of what good security looks like, and awareness of the risk often varies within individual councils. The latter can take the form of non-IT staff being unaware of their responsibilities around the issue.
Similarly, cyber is seen as an IT risk rather than a business risk, and consequently does not always get the attention or funding it needs: different councils give it different levels of priority.
WARPs factor
The report does convey that there is a growing knowledge of incidents affecting other councils, and an appreciation of the usefulness of information sharing networks. But it also says the main channel for sharing knowledge – the regional warning, advice and reporting points (WARPs) – often needs to be strengthened, and some councils have set up their own networks instead.
In addition, analysis of cyber risks is inconsistent when procuring both IT and non-IT services, and joint procurement of cyber security contracts among local authorities is patchy.
There are also misperceptions around standards and guidance – notably that Public Services Network (PSN) compliance is often taken as an accreditation of being cyber secure – and councils are often unsure of what is guidance and what is a mandatory standard. With this in mind, they would like more direction from the MHCLG.
A brighter spot is a good take-up of National Cyber Security Centre services, but users are often confused by the array of services and groups available to offer support.
Hypotheses
It all amounts to a worrying picture for which the LDCU does not aim to provide any firm recommendations, but it does put forward a number of hypotheses that could lead to improvements.
These include better building and maintenance of services, configuring their technology appropriately, providing clearer standards, expectations and goals for councils, and improving the quality of and networks for sharing information.
The LDCU said: “This pre-discovery was vital in order to rapidly understand the landscape and gather evidence from councils and stakeholders.
“As we move into the next phase we will validate our findings and focus on the elements that will have the greatest impact on cyber health and resilience.”
It has now prioritised three themes for further work. One will be focused on encouraging ‘security by design’ in local government, looking at the cyber risk across its services to help make them secure end-to-end.
The second will be around standards and technical guidance, aiming to identify any gaps and those that councils are struggling to follow. The third will deal with ownership, responsibility and accountability, and what behavioural changes could affect an organisation’s cyber health.
Image from GOV.UK, Open Government Licence v3.0