Building a cyber resilient service: guidance for directors of council services

Welcome to our guide on Building a Cyber Resilient Service.

This document aims to support you, as a director, to develop proactive, protective strategies and capabilities to enhance the cyber resilience of your council services. Some recommendations are technical, some organisational and some are about your people.

We discuss these protective strategies, how they work together, what would be considered good practice, and what would be considered unsafe practice, so that you can lead and create a positive culture surrounding cyber security in your service and organisation. 

The guide is intended to get you thinking about key cyber security considerations in the context of delivering services to adults in your community. It does not seek to produce a single, set blueprint to solve all cyber security issues. 

Due to the ever-changing threat landscape, you and your senior teams should regularly review your cyber security practices and policies, while also looking at your capacity and capabilities to deal with these when they arise.

This guidance is suitable for many council services. For steps 5 to 7, we also have guidance that is specific for the following service areas:

Planning

Legal

Environment

Adult social care

Public health

Procurement

Corporate

Finance

This document aims to support you, and your senior team with building the cyber defences of your service and enhancing cyber resilience to reduce the likelihood of a cyber attack and the impact to your service if, and when, an incident takes place. It will help you consider the risks to your service, the people and premises you want to protect and the harm you most want to avoid.

Good cyber security practices are essential for individuals and organisations. The responsibility for cyber security may sit at a corporate level, but each service has a part to play in protecting their assets and critical services. Your service will be underpinned by data and technology, which is evolving at speed. These changes create benefits and opportunities, but also risk when it comes to cyber security. 

Your service needs robust cyber security to safeguard adults, their data, service delivery, and infrastructure.

Understanding and prioritising cyber security is paramount. Cyber threats can range from data breaches to sophisticated ransomware attacks, making it crucial to establish a robust cyber security framework.

A lack of cyber security preparedness continues to pose a major risk for all councils. At least 11 million attacks on UK councils occurred in 2022, with over 10,000 attacks every day. [1] If, or when, a cyber attack hits your council, it could cause significant disruption. An attack on critical systems could damage the council’s reputation and finances and have a significant impact on its ability to deliver on its priorities and comply with service legal requirements.

What is your service doing to reduce cyber risk – to lessen the probability and severity of an attack? Is cyber security something you think about?

This guide offers a set of cyber security steps to consider:

• Step 1: Be clear on what cyber security means. 
• Step 2: Be clear on your cyber security role.
• Step 3: Be clear on the cyber risk to your service. 
• Step 4: Be clear in the likelihood of an attack and by whom. 
• Step 5: Be clear on why your service may be a target. 
• Step 6: Be clear on the impact of a cyber attack.
• Step 7: Be clear on ways to mitigate cyber risks. 
• Step 8: Be clear on ways to respond and recover. 

The National Cyber Security Centre (NCSC) is an organisation of the UK Government that provides advice and support for the public and private sector in how to avoid computer security threats. It defines cyber security as: [2]

How individuals and organisations reduce the risk of cyber attack. Cyber security’s core function is to protect the devices we all use (smartphones, laptops, tablets, and computers), and the services we access – both online and at work – from theft or damage. It’s also about preventing unauthorised access to the vast amounts of personal information we store on these devices, and online.

Good cyber security practices are important for individuals and organisations. The responsibility for cyber security may sit at a corporate level, but ultimately it is the responsibility of each service to protect their assets and critical services. Your service will be underpinned by data and technology, and that technology is evolving at speed. These changes create benefits and opportunities – however, there is also an increased risk in terms of the potential for cyber attacks.  You will need to ensure robust cyber security to safeguard data, infrastructure, and service delivery. [3] 

As someone entrusted to protect data, cyber security should be considered equally as important as your other statutory duties. This means using your role to ensure that clear and effective arrangements are in place to protect your service from risk of harm – especially the harm caused by the loss or misuse of data stored on your computer networks.

When discussing cyber risks within an organisation, the conversation tends to focus on the role of the IT department. IT teams are there to support the whole workforce, and though they do have a role to play, you and your senior team should understand the vulnerabilities and threats to your service. A cyber attack can and will affect all areas of the council, and it is essential to prepare.

• Cyber risks are the intersection of assets, threats, and vulnerabilities.
• Cyber vulnerabilities are ‘security flaws in software programmes that have the potential to be exploited by attackers’[4].
• Cyber threats are ‘anything capable of compromising the security of, or causing harm to, information systems and internet connected devices (to include hardware, software, and associated infrastructure), the data on them and the services they provide, primarily by cyber means’[5].

Cyber security should be covered in the risk assessment for your service area and recorded as part of the corporate risk register. Cyber risk is a business risk consistent with those arising from physical threats – and processes should be in place to facilitate consistent reporting and escalation routes across the council. A fundamental aspect of your cyber risk assessment is to understand the likelihood and impact of an attack affecting your service. This assessment will help you respond through mitigations and minimisation techniques. For this to happen, you need identify what harms your service could withstand in the event of an attack, and what it could not afford to happen.

Going back to basics with this often helps conversations around these risks and that means looking at the confidentiality, integrity and availability of the data being held by your service. Cyber security governance is the top-down approach of managing security activities and ensuring that they’re all aligned to the service.

This means ensuring that you know your service functionality from an IT perspective, without necessarily becoming an IT specialist. The more software, systems and data used as part of your service; the more vulnerability points arise.

Vulnerabilities, opportunities or weaknesses in your information systems and internal controls, can lead to security breaches if exploited. It is essential you understand the software, systems and data used as part of your service – including shadow IT (shadow IT refers to the use of systems, devices, software, applications, or services within an organisation without explicit approval or knowledge) – and that you work with your IT service to gain assurances about security updates. Putting in place a good vulnerability management process can help you understand which ones are most serious and need addressing first.[6]

There may also be high turnover of staff in your increasingly busy service area. With a large number of joiners, movers, and leavers, this creates further vulnerabilities as responsibilities, management and accesses change often. It is important to have robust processes in place to manage this. In an analysis of over 40,000 cyber security incidents in the UK, insider threats were responsible for 20 per cent of all cyber attacks and were responsible for 15 per cent of all stolen information. [7]

Robert Mueller, Former Director of the FBI, is on record as saying:[8]

I am convinced that there are only two types of companies: those that have been hacked and those that will be. And even they are converging into one category: companies that have been hacked and will be hacked again.

The UK government has identified ransomware attacks as the most significant cyber threat facing the country; and criminals are developing new techniques to circumvent cyber defences, including targeting the users of technology, as well as the technology itself.[9]

It is therefore sensible to assume you will be effected by a cyber incident at some point and should push back on the narrative that an attack is unlikely. Your plans should reflect this reality too.

[8] FBI RSA Cyber Security Conference

[9] 2022 cyber security incentives and regulation review - GOV.UK (www.gov.uk)

Consider the three categories of harm caused by a cyber attack: being robbed (theft of money, data, or intellectual property), being weakened (espionage, political interference, or prepositioning) and being hurt (ransomware and destructive or catastrophic attacks)[10]. 

• Which of these motivations is most relevant to your team? 
• What do you have that makes your service vulnerable? 
• Is data theft at the top of your list? 
• Would there be data of value? 
• Does your council control and safeguard digital data of interest to malicious actors? [11] 

We have specific guidance for these service areas:

Planning

Legal

Environment

Adult social care

Public health

Procurement

Corporate

Finance

In 2020, Hackney Council was the victim of an extremely disruptive ransomware attack which affected all systems and services. ‘Among the hundreds of services Hackney Council provides are social and Public Health care, waste collection, benefits payments to people in need of financial support, and public housing. Many of these services are run using in-house technical systems and services’[12] which meant these critical services were unable to operate. Two years after the initial incident, they were still in recovery mode, with some IT systems still in the process of remediation, whilst some data was completely lost. The attack cost the council approximately £12 million.

In March 2023, Capita, an organisation which runs crucial services for many local councils, the military, and the NHS, was the victim of a cyber attack, which caused a significant IT outage. Following the attack, Capita was also found to have been storing client data in unsecured cloud storage. At least six organisations were directly affected by the attack, which exposed potentially sensitive data and caused some services to come to a halt. The attack garnered significant media attention and exposed the supply chain risk experienced by all councils. Reputational damage and resident concern were a significant issue. The Director of Resources at Rochford District Council said in a statement: [13]

We take very seriously our commitment to safeguarding the privacy and security of our residents’ personal information. We know this will cause concern to residents and we want to apologise to those affected on behalf of Capita. We will be working with Capita to review the company’s processes and ensure the avoidance of any further breaches.

The month following the Capita incident, in April 2023, a Scottish council accidentally released 15,000 staff members’ personal data following an FOI request. [14] Corporate services teams must be aware that all information loss may not happen for malicious reasons. 

The request asked for the details of staff pay grades but when the local authority shared a spreadsheet containing the information employee data was not anonymised. The data breach reportedly revealed information such as workers’ names, National Insurance numbers, salaries, and workplace.

A spokesperson for South Lanarkshire Council said:

A spreadsheet containing anonymised employee data was uploaded to a website in response to a Freedom of Information request, and unfortunately as a result of human error, the spreadsheet contained a second page of personal data that had not been anonymised. The error was noticed by the council, and we arranged for that data to be removed. To the best of our knowledge the information was not accessed, and we believe the data could not be used in a way that would be harmful to those involved.

The pages below contain a few examples of the way in which a cyber attack could affect specific service areas and things you should consider when preventing or recovering from a cyber attack:
 

Planning

Legal

Environment

Adult social care

Public health

Procurement

Corporate

Finance

Cyber risks cannot be completely eradicated, but risks can be significantly minimised through planning for such an event, and also by developing a strong cyber security culture in your team. This includes putting in place strong data management systems to safely collect, share and store information across the council. For example, following best practice on managing the technical specifications and security or your databases.

Some considerations for mitigating the risks posed to information and data within specific service areas are detailed in the tables below.

The pages below contain specific considerations for in the following service areas:
 

Planning

Legal

Environment

Adult social care

Public health

Procurement

Corporate

Finance

How confident are you that your service could adequately respond to and recover from a cyber incident or unplanned disruption? You will likely already be feeding into a Business Continuity Plan (BCP) on a corporate level – and it is also important to maintain a BCP tailored for your service that provides clear actions on managing a cyber attack.

We would advise against publishing your service’s BCP online, as potential attackers can use this to tailor their methods and understand what your response to an attack would be.

The first step taken by your IT service in the event of a cyber attack is likely to be taking down all IT services and disabling access to any systems while the cause and impact is identified. The IT team would then focus on preventing further damage, recovering systems, restoring backups, managing access and so on. During this time, there would likely be no access to IT services.

Is there a clear plan setting out how your service would cope with no IT access for a significant period – sometimes stretching to weeks or even months? How would your team cope without access to the necessary systems?

These are crucial questions to ask – and should be part of a regular cycle of reviewing and testing. Encourage your team to regularly consider how the council could continue to provide essential services to the public if critical systems were unavailable, or all IT access was suspended?

If your service is the victim of a cyber attack, how would you communicate with colleagues, partners, residents, and wider stakeholders? 

How would you do this if a cyber attack prevented you from accessing your usual communication methods (emails, messaging and so on)? 

Do you have an offline communication plan to support you in updating internally and externally? This may include using WhatsApp groups, posts on social media or phone calls – which means you will need access to contact details that are updated regularly and stored securely offline. 

You may need to conduct a Data Protection Impact Assessment (DPIA) for alternative communications platforms before using them to store or share personal data. Reviewing your plan with your corporate communications team will ensure a consistent approach across the council and reduce the pressure on the IT service to provide updates while managing a cyber incident.

Areas to consider:

During a cyber attack, there may be an increased level of stress and responsibility on staff due to increased workload, concern for adults and their families, and pressure from the media. It is crucial to make sure there are systems in place to support staff through this time. 

Also, consider if your staff understand what they would need to do in the event of a cyber attack. Do you have in place offline communication methods? Focusing on these sorts of questions will help to promote a positive cyber security culture in your service area. Your local voluntary organisations are a much-welcomed resource in times of crisis; how would you contact them with no internet?

Your service faces constantly evolving cyber security threats.

It will be impossible to fully protect the services you provide from a cyber attack, however, the potential for harm is ever present, so you must be as vigilant as possible. Your IT team should have robust processes in place to prevent as many attacks as possible, but it’s important for every member of your team to take a proactive approach to cyber security.

As explained in this guide this means, as a Director of a council service, being clear on what cyber security means, your cyber security role, the cyber risk to your service, the likelihood of an attack and by whom, why your service may be a target, the impact of a cyber attack, ways to mitigate cyber risks and ways to respond and recover.