Building a cyber resilient service: guidance for directors of corporate services

This document aims to support you to develop proactive, protective strategies and capabilities to enhance the cyber resilience of your council services. Some recommendations are technical, some organisational and some are about your people.

Introduction

This page details supplementary guidance specific to council planning services. Full guidance and steps can be found in our guidance document.

Step 5: Be clear on why your service may be targeted

Consider the three categories of harm caused by a cyber attack: being robbed (theft of money, data or intellectual property), being weakened (espionage, political interference or prepositioning) and being hurt (ransomware and destructive or catastrophic attacks).[1]

  • Which of these motivations is most relevant to your team? 
  • What do you have that makes your service vulnerable? 
  • Is data theft at the top of your list? 
  • Would there be data of value? 
  • Does your council control and safeguard digital data of interest to malicious actors?[2] 

Corporate services, teams within your directorate, and the wider council are supported by a huge amount of data. This will include, for example, personal information of council employees, grants and funding information, council meeting minutes and resolutions, information on IT systems and infrastructure and data related to the delivery of public services by the council.

Corporate services, and teams within your directorate, are supported by a huge amount of data. This will include, for example, employee data, financial data and legal data (see Figure 1). The amount and type of data makes your service vulnerable to cyber attacks and means the impacts on staff, residents and council services can be very damaging. Attackers may be looking to steal sensitive data for resale or to perpetrate further criminal acts, and you will be particularly vulnerable to extortion from criminals who recognise the criticality of this data and the need to keep services running.

Figure 1: Commonly held corporate services data

  • Employee Data – such as personal information of council employees, attendance and leave records, training, and development records.
  • Financial Data – such as budgets and financial statements, expenditure and revenue records, procurement and purchasing data.
  • Legal and Governance Data – including copies of legal documents, contracts, and agreements, compliance records, Freedom of Information requests and responses.
  • Facility and Asset Management Data – such as property and asset registers, maintenance and inspection records for council facilities, energy consumption and sustainability data.
  • ICT and Technology Data – including cyber security and data protection measures, IT support and incident records.
  • Public Services Data – such as data related to the delivery of public services by the council. Including public feedback and complaints, performance metrics and service delivery reports.
  • Health and Safety Data – copies of incident reports and safety records, occupational health and safety information, copies of the council’s emergency response plans.

Step 6: Be clear on the impact of a cyber attack

In April 2023, a Scottish council accidentally released 15,000 staff members’ personal data following an FOI request.[1] Corporate services teams must be aware that not all information loss happens for malicious reasons.

The request asked for the details of staff pay grades, but when the local authority shared a spreadsheet containing the information, the employee data was not anonymised. The data breach reportedly revealed information such as workers’ names, National Insurance numbers, salaries and workplace.

A spokesperson for South Lanarkshire Council said:

A spreadsheet containing anonymised employee data was uploaded to a website in response to a Freedom of Information request, and unfortunately as a result of human error, the spreadsheet contained a second page of personal data that had not been anonymised. The error was noticed by the council, and we arranged for that data to be removed. To the best of our knowledge the information was not accessed, and we believe the data could not be used in a way that would be harmful to those involved.

Below are a few examples of the way in which a cyber attack could affect your service area and things you should consider when preventing or recovering from a cyber attack:

Figure 2: Example of service impact

Imagine your service experiences a prolonged system outage in its IT infrastructure following a ransomware attack, affecting access to critical applications such as the employee self-service portal and document management system.

This outage leads to disruptions in various services, including delays in processing employee requests, handling procurement approvals, and accessing important documents. The service interruption results in frustration among employees and stakeholders who rely on these services for their daily tasks.

Things to consider:

  1. Which critical services operated by your team rely on internet access?
  2. Which of these critical services is prioritised to be brought back online first?
  3. Have you created offline records and plans for use during a cyber attack and ensured all authorised personnel have access to them?


Figure 3: Example of financial impact

Imagine your service, adhering to a strict no-ransom policy, decides not to pay the attackers.

Despite this, your service now faces significant financial consequences in the aftermath of the attack. Costs are incurred for engaging cyber security experts to assess and contain the breach, investing in system restoration efforts and implementing enhanced security measures to prevent future incidents.

It has not been possible to pay suppliers or collect payments owed to the council during this time, creating cash flow issues for the council and its partners.

Things to consider:

  1. How prepared are you and your team for an incident like this?
  2. To what extent would you and your team have financial resilience and contingency plans in place to address the unexpected costs associated with a cyber attack?
  3. How would you communicate with suppliers and partners about this incident and delays to payments? What if email was unavailable during this time?


Figure 4: Example of data impact

Imagine a data breach occurs in the Human Resources database, exposing sensitive employee information such as National Insurance numbers, bank account details and performance reviews.

This breach not only jeopardises the privacy and trust of employees but also exposes the council to potential legal consequences.

Things to consider:

  1. How effective are your team’s existing data security and protection measures in preventing a cyber attack, and what improvements can be made to enhance the overall security posture?
  2. How well would your team execute its incident response plan, including communication strategies, in the immediate aftermath of the data breach?
  3. Does your team know the steps they would need to take to comply with data privacy regulations and notification procedures in the wake of the data breach, and what potential legal and reputational consequences may arise?

Step 7: Be clear on ways to mitigate cyber risks

Table 1: Storing data

Databases

As your service becomes more digital, systems will need to move online.

To limit vulnerabilities, staff need support to run their devices on the latest available software and to install regular security updates.

Areas to consider:

  • How regularly is software updated?
  • Who is responsible for update rollout?
  • How would your service operate without access to databases?
  • How do you seek assurance that software is up to date?

Cyber security measures

Implement cyber security measures on council hardware, such as firewalls, antivirus software and intrusion detection systems, to protect against cyber attacks.

Areas to consider:

  • Does all hardware support updated systems?
  • How often does staff training take place?

Devices and networks

Storing and accessing data on personal devices or through a public, unsecured network could create vulnerabilities.

Any data stored in an unsecured way can create vulnerabilities, including data downloaded onto a desktop.

Areas to consider:

  • Do staff use personal devices to access sensitive data?
  • Are all staff in your service aware of potential vulnerabilities exposed by the use of public networks?
  • How often do staff delete data from their desktop?

Backups

Your service should have suitable, secured backups of essential data that would allow for a quick and prompt recovery of essential services.

This may include encrypted backups held in a secure off-site environment, removable media in physically secure storage, segregated backups, or appropriate alternative forms.

Areas to consider:

  • How often do backups take place?
  • Where are backups stored?
  • Are your team aware of how to access backups in case of an attack?
  • Who has access to backup data?
  • Which member of your team is responsible for this?

Table 2: Managing data

Handling sensitive data

Due to the nature of the work your service delivers, you will be handling sensitive data on a day-to-day basis, both electronically and physically. Your team must take extra precautions to protect the sensitive information outlined above.

Areas to consider:

  • Are you aware of all the sensitive data your service holds?
  • How are physical notes and records stored or destroyed?
  • What systems are used to store electronic records and information?
  • Are you protecting against visual hacking in the workplace, for example by using privacy filters and turning off unattended displays?

Access controls

To ensure this sensitive data is protected, you should implement access controls and restrict access to sensitive information to authorised personnel only.

Training staff members on secure data handling is essential; ensure they are aware of their responsibilities in protecting corporate data.

Areas to consider:

  • How is sensitive information stored in your service?
  • How is it protected?
  • Who has access to data storage systems?
  • How often does your team review access rights?
  • How often does training take place?
  • How often are passwords changed?
  • Is multi-factor authentication in use across programmes?

Regular audits

Your service should be conducting regular audits of data management practices to ensure that you comply with relevant regulations and industry standards, e.g. ensuring data is only held for a relevant amount of time or is stored in the correct system.

Keep track of any changes in data protection laws and update practices accordingly.

Areas to consider:

  • How often do you audit your data management practices?
  • Who is responsible for organising this audit?
  • How do you seek assurance that effective audits have taken place?

Data protection regulations

The UK operates within legal regulations for data management, mainly the General Data Protection Regulation (GDPR). It is your obligation to ensure that your team complies with these data protection regulations to protect your service’s personal data and ensure that the personal data held by corporate services is collected, processed and stored lawfully, fairly and securely.

Areas to consider:

  • Are your team aware of the UK GDPR regulations and how they affect your work?
  • How often does proper staff training take place?

Record keeping

Accurate and up-to-date record keeping is essential in corporate services for many reasons, including regulatory compliance, emergency response planning, long-term planning and sustainability, research, and resource allocation. Records should be kept securely and in accordance with relevant legislation, and regular audits should be carried out to ensure the accuracy and completeness of the records.

Areas to consider:

  • How often do your team update records?
  • How are records stored and updated?

Risk management

Risk management processes, such as conducting regular risk assessments, implementing appropriate security measures and developing contingency plans for data breaches, are essential to identify and mitigate potential risks to the security and privacy of corporate data.

These risks should be added to the risk register and raised with the Senior Management Team.

Areas to consider:

  • How often do risk assessments take place in your service?
  • What contingency plans are in place for data breaches?
  • Are staff aware of data breach processes?

Table 3: Sharing data

Collaboration and safeguarding

Different government agencies and departments at various levels (local, regional, national) may be involved in corporate services management.

Collaborative data sharing allows these entities to work together seamlessly, avoid duplication of effort and create a more comprehensive understanding of corporate issues.

Collaborative efforts may involve the establishment of data standards and protocols to ensure consistency among different datasets. Standardised data formats enable smoother collaboration and data integration.

Areas to consider:

  • Who is responsible for data management and sharing in your service?
  • How often does training take place?
  • What procedures are in place to ensure effective and secure data sharing between teams and partners?
  • Do you feel confident that members of your team are safely sharing information?

Offline records

When assessing the risks to your service, you should also think about any partner organisations you work with, your suppliers and any systems you have external links with.

Managing offline records in corporate services is as crucial as managing digital records. Even in this era of digital technology, many councils maintain physical or offline records for various reasons, including legal requirements, historical documentation and as a backup strategy.

Areas to consider:

  • Do you have processes in place for sharing offline information with partners?
  • What security measures are in place for sharing sensitive information?

Table 4: Awareness and training

Positive culture

A positive cyber security culture instils the importance of cyber security and the role every individual has in helping to protect the council.

It will ensure that cyber security is understood by all councillors and staff, and that staff view it as a business enabler rather than a hindrance.

A positive culture contributes to the overall effectiveness, efficiency and ethical conduct of your service.

Areas to consider:

  • Does your team speak openly and regularly about cyber security and risk?
  • Is it discussed at board level?
  • How often does your service review the cyber security strategy?
  • How confident do your team feel with the strategy?

Awareness

Experience shows that cyber risk to councils does not only come from external sources; employees can often present some of the most significant risks to cyber security.

By clicking on links in phishing emails, storing sensitive data on personal devices, using unsecured networks or weak passwords, or not installing security updates, employees can put your information under serious threat.

Areas to consider:

  • Do you understand the awareness levels of cyber security within your team?
  • How can you ensure cyber risk is pitched correctly for the various roles in your service?

Training

Cyber security training should be refreshed regularly.

As a director you’ll be aware of the high demands on the staff within your service; however, this training must be prioritised to reduce the risk of a cyber attack.

Areas to consider:

  • How often does cyber security training take place in your service?
  • Is training appropriate for all staff at different technical levels?

Reporting

In order to create a positive cyber security culture in your service, all staff must be aware of the process for reporting a potential breach and feel confident to do so at all levels.

Areas to consider:

  • Do all team members understand the process for reporting a data breach?
  • Is there a service-wide communication strategy in place to report data breaches?
  • What impact would a data breach have on your team?

Workforce

A large number of agency staff may be used by your service.

Areas to consider:

  • How can you integrate cyber secure practices into this temporary and externally managed workforce?

Table 5: Supply chain management

Co-ownership

Co-ownership involves establishing shared corporate goals and objectives throughout the supply chain.

All stakeholders, from suppliers to service providers, align their efforts toward common sustainability targets.

Areas to consider:

  • Do members of your team work closely with other teams during the corporate services process?
  • What barriers are in place during this process?
  • What needs to change in order to streamline this process?

Contract management

Your service should consider including specific cyber security requirements and clauses in its contracts with external providers to ensure that security measures are in place throughout the duration of the contract.

Areas to consider:

  • Does your service include cyber security requirements within contracts?
  • How is this measured?

Monitoring and reporting

Regular monitoring and assessment of external providers’ security practices should be conducted to ensure that they are maintaining a strong security posture.

Areas to consider:

  • How would you work with partner organisations if your IT systems were unavailable?
  • How would you work with partner organisations if they were experiencing a cyber attack themselves?

Table 6: Legislative implications (not exhaustive)

Local Government Act 1972

Protecting information related to council structure, functions and decision-making processes is crucial for corporate services.

This includes safeguarding electronic records, documents and databases from unauthorised access, ensuring the integrity of data, and preventing cyber threats that may compromise the confidentiality of sensitive information.

Local Government Act 2000

Securing electronic communication channels, ensuring the confidentiality of discussions related to community leadership, and protecting modernised digital platforms and systems from cyber threats to maintain the integrity of decision-making processes.

Data Protection Act 2018 (incorporating UK GDPR)

Cyber security measures are critical to protect personal data from unauthorised access, disclosure or alteration.

Compliance involves implementing robust security measures, encryption and access controls to prevent data breaches. Regular security assessments and data protection impact assessments are also essential to identify and address potential risks.

Freedom of Information Act 2000

Ensure the confidentiality of sensitive information and prevent unauthorised access.

Secure storage, transmission and retrieval of information, as well as user authentication mechanisms, are essential to maintain the integrity of data under the act.

Public Records Act 1958

Cyber security measures should focus on protecting digital records from tampering, ensuring data integrity, and implementing secure archival systems.

Access controls and encryption play a significant role in safeguarding the authenticity of digital records.

Localism Act 2011

Cyber security measures should address the protection of decentralised decision-making processes.

Local councils need to secure communication channels, ensure data integrity in locally managed systems, and implement controls to prevent unauthorised access to sensitive information at various administrative levels.

Highways Act 1980

Consideration should include protecting digital systems that manage information related to highways, transportation infrastructure and road maintenance.

Cyber security measures should ensure the integrity of data related to road conditions, maintenance schedules and transportation planning.