The shared service of North Kesteven and West Lindsey District Councils, working with Cisco, provides some lessons on how to deal with the new dynamic for resilience, writes Emma Velle, cybersecurity specialist for NHS and local government at Cisco
The practicalities are crucial in a robust cyber security strategy, but it is important to avoid a ‘tick the box’ approach and to ensure that outcomes are what matter when devising a policy.
This is becoming increasingly important with the massive change in working practices during the pandemic, with organisations having implemented a widespread shift to home working and found that it has placed new demands on their cyber security posture.
The stakes for the public sector are very high, as shown by the devastating effects of cyber attacks on local authorities. This highlights the need to get the focus right, not just in setting up defences but in knowing what to do in the event of a disruption.
Cliff Dean, CIO shared services for North Kesteven and West Lindsey District Councils, provided a local government perspective at the recent UKAuthority Resilience and Cyber4Good conference, with lessons on how to strengthen security amidst the shift to home and remote working. He emphasised that over the past 18 months the challenges have changed.
“Now we are very reliant on people’s understanding of the infrastructure they manage within their homes,” he said. “There is still an element of a lack of understanding and ownership. We’ve split the work so people are only connecting to the corporate centre if they absolutely need to, and everything else like browsing on the internet is protected and secure.”
Need for policy
He said that all the efforts have to be underpinned by a robust cyber policy that has been approved not just by senior officials, but the elected members of councils. This helps in promoting it across the organisation, giving more weight to the communications effort to ensure everyone is aware of their personal responsibilities.
Key elements of the policy at North Kesteven and West Lindsey include having the technical plans in place for testing and the response to an incident, involving registers of data and technology assets and contact details of the people with crucial roles to play – not just mobile numbers and email addresses but landline numbers and physical addresses.
“If you don’t have those ready then trying to pull it all together during an incident or testing would be hard,” Dean said. “It would be hard if it’s all in the network share and the network share is not there.”
The policy should define and share what the required patch management looks like, taking in servers, switches, firewalls, wireless application protocols and master data management solutions. This has to take into account that implementing a patch can itself cause some disruption to elements of the business, which raises a temptation to delay it, but that disruption should be weighed against the risks and implications for services of not patching.
With this in mind, the policy should include playbooks to follow, which should also be tested and periodically reviewed, ensuring that everybody follows their role correctly and the process works as intended.
Mutual support
Dean also spoke of the importance of public sector bodies and the industry supporting each other to build and spread best practice. He highlighted the support available inside the sector from regional WARPs (warning, advice and reporting points), in which members can receive and share up-to-date advice on threats, incidents and solutions; and the Cyber Technical Advisory Group (C-TAG), which provides a national forum to engage with suppliers.
“We have a great membership in the WARP network, covering not just local government but health, police and fire services,” he said. “However, we do have a number of difficult-to-engage organisations, so it would be really good if responsible vendors could actively support that and push out the blended approach in the support they provide. That could be the nudge that gets those organisations actively engaged.
“It’s really important to us that Cisco are really well certified and follow through in providing a good understanding.”
He added that not all suppliers match the company’s performance, and that they need to raise their game while public authorities need to better manage their relationships with them.
While such steps can make a big difference, Dean acknowledged general factors that need to be addressed. One is for the software industry to develop more products that can automate the identification and mitigation of attacks, taking some of the pressure off IT teams in their responses.
There is also a need to build a larger cadre of cyber security professionals, with the technical qualifications and supplier training that extend their skills.
Positive outlook
Dean was positive about North Kesteven and West Lindsey’s cyber posture, saying their ICT roadmap incorporates solid security outcomes and has been approved by both councils to be fully funded for the next 10 years. This includes plans to rationalise the number of applications they run and to work with Cisco on the learning needed to achieve each of the outcomes.
He said there is also a big question in what groups of authorities can do in their procurement of cyber security solutions. They are all under continual pressure to find new cost savings and some could be found through more shared procurements.
It all made clear that there is no single solution to provide the desired assurance, but that it requires a series of measures underpinned by policy and an awareness at all levels of the organisation.
Cisco is well placed to support the effort, with a series of software solutions, network security products and next generation firewalls, along with an online security developer community and reports on specific issues.
More importantly, as Dean’s perspective testifies, it is ready to work with public sector bodies on building the knowledge around its offerings to create and implement a policy, keeping that emphasis on security outcomes and the ability to recognise and respond to emerging threats. It can be a partner in building effective cyber resilience.
Cisco provides a range of cyber security products and solutions that can all be integrated within its SecureX security platform.