
Building a cyber resilient service: guidance for chief planners

This document aims to support you to develop proactive, protective strategies and capabilities to enhance the cyber resilience of your council services. Some recommendations are technical, some organisational and some are about your people.

Introduction

This page details supplementary guidance specific to council planning services. Full guidance and steps can be found in our guidance document.


Step 5: Be clear on why your service may be targeted

Planning services, and the teams within your directorate, are supported by a huge amount of data. The amount and type of this data makes your service vulnerable to cyber attacks and means the impacts on staff, residents and council services can be very damaging. Attackers may be looking to steal sensitive data for resale or to perpetrate further criminal acts, and you will be particularly vulnerable to extortion from criminals who recognise the criticality of this data and the need to keep services running.

Figure 1: Commonly held planning services data 

  • Applicant Information – Personal details of individuals or organizations submitting planning applications, including names, addresses, contact information, and, in the case of businesses, details about the company.
  • Agent Information – Details about agents or representatives acting on behalf of applicants, including their names, addresses, and contact information.
  • Ownership and Title Information – Information about the ownership and legal title of the property or land subject to the planning application.
  • Planning Application Documents – Various documents related to planning applications, which may include architectural plans, environmental impact assessments, design and access statements, and other supporting materials.
  • Consultation Responses – Comments and responses received during the public consultation process, which may include personal opinions and concerns from members of the public or organizations.
  • Decision Notices – Information related to planning decisions, including the reasons for approval or rejection of applications.
  • Financial Information (e.g., Community Infrastructure Levy) – Details related to financial contributions, such as Community Infrastructure Levy (CIL) payments, associated with the planning application.
  • Building Control – Details of building control applications and decision notices.
  • Environmental Data – Information related to environmental impact assessments, ecological surveys, and other data assessing the potential environmental effects of a development.
  • Legal Agreements – Details of legal agreements, such as Section 106 agreements, which may involve obligations or contributions from the developer to address specific issues related to the development.
  • Publicly Available Information – Information sourced from publicly available records, such as the Land Registry, to verify property ownership and title details.
  • Archaeological Data – Information related to archaeological assessments and surveys, especially for developments in areas with historical significance.
  • Survey and Feedback Data – Data collected through surveys, questionnaires, or public consultations to gather feedback and opinions on proposed developments.


Step 6: Be clear on the impact of a cyber attack

In December 2021, Gloucester City Council was the victim of a sophisticated cyber attack. The initial attack was in the form of a single spear phishing email that was inserted into an existing email chain with a supplier. Once the malicious link was clicked, malware was deployed to the computer, which was then used to create a route into the council's network for the attackers. Over about a month they navigated the council’s network before stealing data and encrypting its servers with ransomware.[1]

Gloucester City Council’s planning department was forced to undertake manual workarounds to ensure that old planning applications could still be accessed, after its IT systems were breached as part of a cyber attack by hackers thought to be based in Russia. The local authority said that while new applications could be received and commented on, it was “working hard on manual workarounds” for applications already submitted. Residents in the process of buying property within the city were affected, as the council was unable to provide the land search service. This affected people moving within the borough, as this information is used by mortgage providers to check for anything unusual in the property’s history.

Gloucester was asked if any planning applications had been lost or delayed, and whether any of these belonged to housing associations, but the council said it could not provide any more information other than what it had released in an earlier statement. It added that this was because it was “working closely with the National Cyber Security Centre and the National Crime Agency to understand more about the nature of this incident.” The planning page on the council’s website carried the message: “Our planning application website is currently unavailable, and it is not possible to view planning application details or to submit comments through the online portal.”

In a budget agenda in 2023, council leaders set aside a cyber recovery reserve of £380,000 to help restore its IT system after the attack. David Norman, cabinet member for performance and resources, provided an update for the council. He said: “New planning applications can be received; residents can comment on these applications and the planning team are working hard on manual workarounds for applications already submitted.” The council could not say how long these “workarounds” would be in place.

Figure 2: Example of a service level impact

A cyber attack may lead to the disruption of digital systems used for processing planning applications. If critical systems are compromised or unavailable, planning officers may be unable to access and review application documents, resulting in significant delays in the processing of planning applications.

During a cyber attack you may have no access to the internet or your networks within which documents are stored. You need to consider how the loss of internet access might affect your critical services, and how you could keep them running – you may need alternative manual processes in place to keep a skeleton service operational.

Working with IT support prior to an incident to prioritise the systems to be recovered will assist them with their workload and allocation of resources. Similarly, identify where processes are dependent on other internal and external systems being available. Simply restoring one system in isolation will not be sufficient to allow a service to start operating after an attack.

Always work in partnership with your IT team if you are making any changes to your service. This could include new information sharing agreements, procuring new systems, or changes to processes. Cyber security and IT implications should be factored into all these decisions. 

Things to consider:

  1. Which critical services operated by your team rely on internet access?
  2. Which of these critical services is prioritised to get back online first?
  3. Have you created offline records and plans for use during an attack, and ensured all teams have access to them?

Figure 3: Example of financial service level impact 

The financial impact of a cyber attack on the planning department of a local council in the UK can be significant and multifaceted. 

One example is the cost of system restoration: restoring affected systems, applications and databases to their normal functioning state, which may involve reinstalling software, applying patches and ensuring that systems are free from malware. This exercise invariably costs councils in the UK upwards of six figures.

Things to consider:

  1. Is there a developed and regularly updated incident response plan that outlines the steps to be taken in the event of a cyber security incident?
  2. Are staff trained on their roles and responsibilities during a security incident?
  3. Does your current cyber security insurance afford cover to mitigate financial risks associated with potential cyber incidents? 

Figure 4: Example of a service level data impact 

Planning officers would be unable to access crucial planning application data, leading to a halt in the processing of applications. The service would then suffer disruptions in decision-making, public consultations, and communication with stakeholders. 

As news of the data breach becomes public, there is a loss of trust among applicants, agents, and the general public. 

Concerns about the security of personal and sensitive planning data may lead to a decline in public confidence. 

Areas to consider:

  1. Are offline records available for use during a cyber attack?
  2. If you were unable to share data due to a cyber attack at your service, how can you communicate with other agencies such as the NCSC?
  3. Discussing these risks with your IT service and the other agencies you would need to contact will ensure there is a robust backup system in place.


Step 7: Be clear on ways to mitigate cyber risks

Table 1: Storing data

Theme: Databases
Context: As your service becomes more digital, systems will need to move online. To limit vulnerabilities, staff need support to run their devices on the latest available software and to install regular security updates.
Areas to consider:
  • How regularly is software updated?
  • Who is responsible for update rollout?
  • How would your service operate without access to databases?
  • How do you seek assurance that software is up to date?

Theme: Cyber security measures
Context: Implement cyber security measures on council hardware, such as firewalls, antivirus software and intrusion detection systems, to protect against cyber attacks.
Areas to consider:
  • Does all hardware support updated systems?
  • How often does staff training take place?

Theme: Devices and networks
Context: Storing and accessing data on personal devices or through a public, unsecured network could create vulnerabilities. Any data stored in an unsecured way can create vulnerabilities, including data downloaded onto a desktop.
Areas to consider:
  • Do staff use personal devices to access sensitive data?
  • Are all staff in your service aware of the potential vulnerabilities exposed by the use of public networks?
  • How often do staff delete data from their desktop?

Theme: Backups
Context: Your service should have suitable, secured backups of essential data that would allow for a quick and prompt recovery of essential services. This may include encrypted backups held in a secure off-site environment, removable media in physically secure storage, segregated backups, or appropriate alternative forms.
Areas to consider:
  • How often do backups take place?
  • Where are backups stored?
  • Is your team aware of how to access backups in case of an attack?
  • Who has access to backup data?
  • Which member of your team is responsible for this?

Table 2: Managing data

Theme: Handling sensitive data
Context: You may be less likely than other directorates to be handling sensitive data on a day-to-day basis; however, that doesn’t mean that it won’t happen! Your team must take extra precautions to protect sensitive information.
Areas to consider:
  • Are you aware of all the sensitive data your service holds?
  • How are physical notes and records stored or destroyed?
  • What systems are used to store electronic records and information?

Theme: Access controls
Context: To ensure any sensitive data is protected, you should implement access controls and restrict access to sensitive information to authorised personnel only. Training staff members on secure data handling is essential, and you should ensure they are aware of their responsibilities in protecting data.
Areas to consider:
  • How is sensitive information stored in your service?
  • How is it protected?
  • Who has access to data storage systems?
  • How often does your team review accesses?
  • How often does training take place?
  • How often are passwords changed?
  • Is multi-factor authentication in use across programmes?

Theme: Regular audits
Context: Your service should be conducting regular audits of data management practices to ensure that they comply with relevant regulations and industry standards, e.g. that the retention of records is compliant with GDPR timeframes. Keep track of any changes in data protection laws and update practices accordingly.
Areas to consider:
  • How often do you audit your data management practices?
  • Who is responsible for organising this audit?
  • How do you seek assurance that effective audits have taken place?

Theme: Data protection laws
Context: In the UK, we still have the General Data Protection Regulation (GDPR) and the Data Protection Act (2018). It is your obligation to ensure that your team complies with these data protection regulations to protect your service’s personal data, and to ensure that the personal data of environmental services is collected, processed and stored lawfully, fairly and securely.
Areas to consider:
  • Is your team aware of the UK GDPR regulations and how they affect your work?
  • How often does full staff training, not just awareness, take place?

Theme: Record keeping
Context: Accurate and up-to-date record keeping is essential in planning services for many reasons, including regulatory compliance, emergency response planning, long-term planning and sustainability, research, and resource allocation. Reliable record-keeping enhances the credibility of planning services.
Areas to consider:
  • How often does your team update records?
  • How are records stored and updated?

Theme: Risk management
Context: Risk management processes, such as conducting regular risk assessments, implementing appropriate security measures, and developing contingency plans for data breaches, are essential to identify and mitigate potential risks to the security and privacy of data. These risks should be added to the departmental risk register and raised with your SMT.
Areas to consider:
  • How often do risk assessments take place in your service?
  • What contingency plans are in place for data breaches?
  • Are staff aware of data breach processes?

Table 3: Sharing data

Theme: Collaboration
Context: Different government agencies and departments at various levels (local, regional, national) may be involved in planning management. Collaborative data sharing allows these entities to work together seamlessly, avoid duplication of effort, and create a more comprehensive understanding of environmental issues. Collaborative efforts may involve the establishment of data standards and protocols to ensure consistency among different datasets. Standardised data formats enable smoother collaboration and data integration.
Areas to consider:
  • Who is responsible for data management and sharing in your service?
  • How often does training take place?
  • What procedures are in place to ensure effective and secure data sharing between teams and partners?
  • Do you feel confident that members of your team are safely sharing information?

Theme: Offline records
Context: When assessing the risks to your service, you should also think about any partner organisations you work with, your suppliers, and any systems you have external links with. Managing offline records in planning is as crucial as managing digital records. Even in this era of digital technology, many councils maintain physical or offline records for various reasons, including legal requirements, historical documentation, and as a backup strategy.
Areas to consider:
  • Do you have processes in place for sharing offline information with partners?
  • What security measures are in place for sharing sensitive information?

Table 4: Awareness and training

Theme: Positive culture
Context: A positive cyber security culture instils the importance of cyber security and the role every individual has in helping to protect the council. It will ensure that staff view cyber security as a business enabler rather than a hindrance, and that it is understood by all councillors and staff. A positive culture contributes to the overall effectiveness, efficiency, and ethical conduct of your service.
Areas to consider:
  • Does your team speak openly and regularly about cyber security and risk?
  • Is it discussed at board level?
  • How often does your service review the cyber security strategy?
  • How confident does your team feel with the strategy?

Theme: Awareness
Context: Experience shows that cyber risk to councils does not only come from external sources; employees can often present some of the most significant risks to cyber security. By clicking on links in phishing emails, storing sensitive data on personal devices, using unsecured networks or weak passwords, or not installing security updates, employees can put your information under serious threat.
Areas to consider:
  • Do you understand the awareness levels of cyber security within your team?
  • How can you ensure cyber risk is pitched correctly for the various roles in your service?

Theme: Training
Context: Cyber security training should be refreshed regularly. As a director you’ll be aware of the high demands on the staff within your service; however, this training must be prioritised to reduce the risk of a cyber attack.
Areas to consider:
  • How often does cyber security training take place in your service?
  • Is training appropriate for all staff at different technical levels?

Theme: Reporting
Context: In order to create a positive cyber security culture in your service, all staff must be aware of the process for reporting a potential breach and feel confident to do so at all levels.
Areas to consider:
  • Do all team members understand the process for reporting a data breach?
  • Is there a service-wide communication strategy in place to report data breaches?
  • What impact would a data breach have on your team?

Theme: Workforce
Context: A large number of agency staff may be used by your service.
Areas to consider:
  • How can you integrate cyber secure practices into this temporary and externally managed workforce?

Table 5: Supply chain management

Theme: Co-ownership
Context: Co-ownership typically refers to the shared rights and responsibilities among multiple stakeholders involved in the planning process. These stakeholders can include local government authorities, developers, community groups, local citizens, and other relevant entities.
Areas to consider:
  • Do members of your team work closely with other teams during the planning process?
  • What barriers are in place during this process?
  • What needs to change in order to streamline this process?

Theme: Contract management
Context: Your service should consider including specific cyber security requirements and clauses in its contracts with external providers, to ensure that security measures are in place throughout the duration of the contract.
Areas to consider:
  • Does your service include cyber security requirements within contracts?
  • How is this measured?

Theme: Monitoring and reporting
Context: Regular monitoring and assessment of external providers' security practices should be conducted to ensure that they are maintaining a strong security posture.
Areas to consider:
  • How would you work with partner organisations if your IT systems were unavailable?
  • How would you work with partner organisations if they were experiencing a cyber attack themselves?

Table 6: Legislative implications

Law/regulation – Cyber security implications

  • Town and Country Planning Act 1990 – The act itself may not have direct cyber security implications, but the digital systems used to manage planning applications and associated data need robust cyber security measures.
  • Planning and Compulsory Purchase Act 2004 – Cyber security is crucial in the electronic storage and processing of data related to compulsory purchases and planning decisions, to prevent unauthorised access or data breaches.
  • Localism Act 2011 – Localism involves community engagement, and digital platforms or databases used to facilitate public participation should be secured to protect sensitive information and maintain trust.
  • National Planning Policy Framework (NPPF) – The NPPF guides local planning authorities, and any online systems supporting its implementation need strong cyber security measures to safeguard sensitive planning data.
  • Housing and Planning Act 2016 – The act may involve digital systems for tracking housing development and planning enforcement. Securing these systems is essential to prevent data tampering or unauthorised access.
  • General Permitted Development Order (GPDO) – Systems managing applications and approvals related to permitted development need cyber security measures to ensure the integrity and confidentiality of the data.
  • Environmental Impact Assessment (EIA) Regulations – Digital platforms used for submitting and processing environmental impact assessments must implement cyber security measures to protect sensitive environmental data.
  • Community Infrastructure Levy (CIL) Regulations – Cyber security is vital in the management of financial transactions and data related to community infrastructure levies, to prevent fraud and unauthorised access.