Back to basics for cybersecurity in local government
David Carroll, CEO at XQ Cyber, says recent report reveals fundamental flaws in cyber awareness.
For anyone working in the cybersecurity industry, the recent report showing that UK local councils are unprepared to deal with cyber attacks shouldn't come as a surprise.
Budgetary constraints and the inability to afford to retain cyber talent both play a part in explaining why such news is not a revelation, but they are not excuses. Indeed, GCHQ studies have shown that 80 – 90 per cent of economic loss due to cybercrime is down to the neglect of basic best practice, which includes training employees to be aware of the threats they and their organisations face.
What's more, while these council data breaches aren't necessarily about any significant financial gain for cybercriminals, they do highlight the important question of just how secure all levels of government are; the entire ecosystem, from central departments to local council.
Basic best practice
We know how hard it can be when dealing with a threat that's always growing and evolving, but councils have had plenty of warning when it comes to the cyber risks they face. However, it needn't be difficult to take effective steps to counter the threat, and security shouldn't have to cost the earth to implement.
We urgently need a shift in mindset when it comes to security. Organisations need to stop wondering if a cyber incident will happen to them, and acknowledge instead that it's actually a case of when it will happen. Robust training can address the most common weak point for many organisations, their employees' knowledge of cyber, but common sense is our biggest ally when it comes to cybersecurity. Doing the absolute basics – even if we do nothing else – will deliver tangible benefits.
Devices should always be locked, for example. Multifactor authentication should be the de facto standard, but it isn't implemented as widely as it could be by services and system owners, so users are often left with no choice but to rely on a single-factor password. In the absence of a more secure way to access a system, you must make that one and only key to the kingdom, however inherently flawed it is, as difficult to crack as possible.
Passwords should be made as secure as possible by increasing their length, often by building a sentence from random words, and, of course, different passwords should be used for different devices, applications and websites. Machines should be kept updated with the latest patches and anti-virus, and the importance of never clicking on an unusual-looking link should be stressed.
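An added worked example, not part of the original article, that puts numbers behind the advice above: it compares the entropy of a random 8-character password with passphrases of random words (assuming a 7776-word diceware-style list; the short word list embedded below is constructed and only used to generate a sample phrase) and the average time to guess each at an assumed offline rate of 10 billion guesses per second.

```python
import math
import secrets

# Constructed sample word list for demonstration only; a real diceware-style
# list (such as the EFF long list) has 7776 entries, which is what
# DICEWARE_LIST_SIZE models below.
SAMPLE_WORDS = [
    "anchor", "basket", "candle", "dragon", "ember", "falcon", "garden",
    "harbor", "island", "jungle", "kettle", "lantern", "meadow", "nectar",
    "orchid", "pebble",
]
DICEWARE_LIST_SIZE = 7776
PRINTABLE_ASCII = 94  # letters, digits and punctuation


def entropy_bits(pool_size: int, length: int) -> float:
    """Entropy of a secret made of `length` independent uniform picks
    from a pool of `pool_size` symbols (characters or words)."""
    return length * math.log2(pool_size)


def expected_crack_seconds(bits: float, guesses_per_second: float) -> float:
    """Average guessing time: an attacker needs about half of the
    2**bits candidates on average."""
    return 2 ** (bits - 1) / guesses_per_second


def generate_passphrase(words, n_words: int, separator: str = "-") -> str:
    """Build a passphrase from n_words picks using the CSPRNG in `secrets`."""
    return separator.join(secrets.choice(words) for _ in range(n_words))


def compare_schemes(guesses_per_second: float = 1e10) -> dict:
    """Compare a random 8-character password with 4- and 6-word passphrases
    drawn from a 7776-word list; returns {name: (bits, avg_seconds)}."""
    schemes = {
        "8 random printable characters": entropy_bits(PRINTABLE_ASCII, 8),
        "4 random diceware words": entropy_bits(DICEWARE_LIST_SIZE, 4),
        "6 random diceware words": entropy_bits(DICEWARE_LIST_SIZE, 6),
    }
    return {name: (bits, expected_crack_seconds(bits, guesses_per_second))
            for name, bits in schemes.items()}


if __name__ == "__main__":
    print("example passphrase:", generate_passphrase(SAMPLE_WORDS, 4))
    for name, (bits, seconds) in compare_schemes().items():
        years = seconds / (86400 * 365)
        print(f"{name:32s} {bits:6.1f} bits  ~{years:.2e} years")
```

Four random words roughly match eight fully random characters, and six words leave both far behind, which is the point of favouring length over complexity.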
However, even after years of security experts highlighting the advantages of such training, we continue to see incidents in which businesses are breached as a result of basic security practices not being followed.
Every council trains its employees in health and safety procedures, but very few provide training in basic cybersecurity. According to the report from Big Brother Watch, while three-quarters of councils do offer training, it's not mandatory.
Cyber awareness training for council employees is hugely important, and the fact that 16 per cent of councils provide no cybersecurity training whatsoever is inexcusable in this age of cyber dangers. With phishing being identified as the most common source of all council-targeted cyber attacks, some basic training on how to spot a suspect email could drastically reduce the danger of compromise. Government schemes like Cyber Essentials provide excellent advice, but perhaps it's time it became mandatory for all councils.
Prevent and prepare
In 2009, Manchester City Council suffered a breach after it was infected by malware, and several million pounds had to be spent on remediation. It later transpired that the patch for the vulnerability exploited by the Conficker malware had been released some nine months before the breach, meaning the incident could have been avoided had the software been kept up to date with the latest patches.
Councils should test themselves to see if they really understand the challenges they face. To do this, they need to know what their data assets are, where they reside, who has access to them, who might want to steal them, how they might go about doing so, what the impact of a breach would be, and what they're doing to prevent a breach from occurring.
They should also assume that a breach is going to happen and identify the types of incident that should be considered to be a data breach, as well as who is in charge of each type, the staff or teams to support them, the specific assets at risk, the resources required by their staff, and any external specialist skills likely to be required. Rehearsal plans should be formulated, and it needs to be agreed who needs to know when, and, critically, how to communicate the breach to law enforcement agencies, customers, suppliers, shareholders and regulators.
In short, there is plenty that can be done to prevent and prepare.
Trust also needs to be established between councils and their supply chains. High profile attacks rarely hit the target directly; they often arrive via an innocuous supplier. A collaborative effort is required between all companies with mutual business relationships to combat nefarious actors with their eyes on the prize and the wider supply chain.
The challenge involved in changing people's attitudes towards cybersecurity is a big one. It hasn't helped that, for many years, some areas of the cybersecurity industry have made it out to be a dark art full of mysticism. If cybersecurity is perceived as a scary dark art, most people will try to avoid it, because they don't believe they can do anything to change the situation.
In reality, we need to remember that hacking has become easier than ever thanks to the release of mass-produced exploitation kits that are readily available to anyone with a Tor browser, access to the Dark Web and some bitcoins. But as with most criminals, hackers prefer easy targets. The chances are high that if you have some basic security software installed and have kept your machine up to date with the latest patches, a hacker will pass you by as they seek out easier prey. The same rules apply online as well as offline.
As the guardians of our services, defences and the prosperity of our nation, governments need to be taking basic security far more seriously. It's not hard, or necessarily expensive; it just needs doing. Make yourself an easy target, and you will become a victim.