Building a cyber resilient service: guidance for directors of environment services

As your service becomes more digital, systems will need to move online.

To limit vulnerabilities, staff need support to run their devices on the latest available software and to install regular security updates. 

How regularly is software updated?

Who is responsible for update rollout?

How would your service operate without access to databases?

How do you seek assurance that software is up to date?

Does all hardware support updated systems?

How often does staff training take place?

Storing and accessing data on personal devices or through a public, unsecure network could create vulnerabilities.

Any data stored in an unsecured way can create vulnerabilities, including data downloaded onto a desktop.

Do staff using personal devices to access sensitive data?

Are all staff in your service aware of potential vulnerabilities exposed by the use of public networks?

How often to staff delete data from their desktop?

Your service should have suitable, secured backups of essential data that would allow for a quick and prompt recovery of essential services. 

This may include encrypted backups held in a secure off-site environment, removable media in physically secure storage, segregated backups, or appropriate alternative forms.

How often do backups take place?

Where are backups stored?
Are your team aware of how to access backups in case of an attack?

Who has access to backup data?

Which member of your team is responsible for this?

Handling sensitive data

You may be less likely than other directorates to be handling sensitive data on a day-to-day basis, however, that doesn’t mean that it won’t happen!

Your team must take extra precautions to protect the sensitive information.

Are you aware of all the sensitive data your service holds? 

How are physical notes and recorded stored or destroyed?

What systems are used to store electronic records and information?

Access controls

To ensure sensitive data is protected, you should implement access controls and restrict access to sensitive information only to authorised personnel. 

Training staff members on secure data handling is essential, and ensure they are aware of their responsibilities in protecting environmental services data.

How is sensitive information stored in your service? 

How is it protected?

Who has access to data storage systems?

How often does your team review accesses?

How often does training take place?

Is multi-factor authentication in use across programmes?

Your service should be conducting regular audits of data management practices to ensure that they comply with relevant regulations and industry standards, e.g., ensuring data is only held for a relevant amount of time or is stored in the correct system. 

Keep track of any changes in data protection laws and update practices accordingly. 

How often do you audit your data management practices?

Who is responsible for organising this audit?

How do you seek assurance that effective audits have taken place?

Data protection regulations

The UK is subject to the General Data Protection Regulation (GDPR) and the Data Protection Act (2018).

It is your obligation to ensure that your team complies with these data protection regulations to protect your services personal data and ensure that the personal data of environmental services is collected, processed, and stored lawfully, fairly, and securely.

Is your team aware of the UK GDPR regulations and how they affect your work?

How often does staff training take place?

Record keeping

Accurate and up-to-date record keeping is essential in environmental services for many reasons; including regulatory compliance, emergency response planning, long-term planning and sustainability, research, and resource allocation.

Reliable record-keeping enhances the credibility of environmental services.

How often do your team update records?

How are records stored and updated?

Risk management

Risk management processes, such as conducting regular risk assessments, implementing appropriate security measures, and developing contingency plans for data breaches, are essential to identify and mitigate potential risks to the security and privacy of environmental services data. 

These risks should be added to the environmental risk register and raised to SMT.

How often do risk assessments take place in your service?

What contingency plans are in place for data breaches?

Are staff aware of data breach processes?

Collaboration 

Different government agencies and departments at various levels (local, regional, national) may be involved in environmental services management. 

Collaborative data sharing allows these entities to work together seamlessly, avoid duplication of efforts, and create a more comprehensive understanding of environmental issues.

Collaborative efforts may involve the establishment of data standards and protocols to ensure consistency among different datasets. Standardised data formats enable smoother collaboration and data integration.

Who is responsible for data management and sharing in your service?

How often does training take place?

What procedures are in place to ensure effective and secure data sharing between teams and partners?

Do you feel confident that members of your team are safely sharing information?

When assessing the risks to your service, you should also think about any partner organisations you work with, suppliers and any systems you have external links with. 

Managing offline records in environmental services is as crucial as managing digital records. Even in this era of digital technology, many councils maintain physical or offline records for various reasons, including legal requirements, historical documentation, and as a backup strategy.

Do you have processes in place for sharing offline information with partners?

What security measures are in place for sharing sensitive information?

A positive cyber security culture instils the importance of cyber security and the role every individual has in helping to protect the council. 

It will ensure that staff view cyber security as a business enabler rather than a hindrance and is understood by all councillors and staff. 

A positive culture contributes to the overall effectiveness, efficiency, and ethical conduct of your service.

Does your team speak openly and regularly about cyber security and risk?

Is it discussed at a board level?

How often does your service review the cyber security strategy?

How confident do your team feel with the strategy? 

Experience shows that cyber risk to councils does not only come from external sources; employees can often present some of the most significant risks to cyber security. 

By clicking on links in phishing emails, storing sensitive data on personal devices, using unsecured networks, weak passwords or not installing security updates, employees can put your information under serious threat.

Do you understand the awareness levels of cyber security within your team?

How can you ensure cyber risk is pitched correctly for various roles in your service?

Cyber security training should be refreshed regularly. 

As a director you’ll be aware of the high demands on the staff within your service, however this training must be prioritised to reduce the risk of a cyber attack.

How often does cyber security training take place in your service?

Is training appropriate for all staff at different technical levels?

Do all team members understand the process of reporting a data breach?

Is there a service-wide communication strategy in place to report data breaches? 

What impact would a data breach have on your team?

Co-ownership involves establishing shared environmental goals and objectives throughout the supply chain. 

All stakeholders, from suppliers to service providers, align their efforts toward common sustainability targets.

Do members of your team work closely with other teams during the Environmental Services process?

What barriers are in place during this process?

What needs to change in order to streamline this process?

Does your service include cyber security requirements within contracts?

How is this measured?

How would you work with partner organisations if your IT systems were unavailable? 

How would you work with partner organisations if they were experiencing a cyber attack themselves?

This involves extensive data collection and management. Robust cyber security ensures the integrity and reliability of this data, preventing unauthorised alterations that could impact decision-making and policy formulation.

The Act also requires the development and management of environmental plans, which means that the confidentiality of these plans is essential to prevent compromise strategic initiatives or regulatory compliance efforts.

This Act involves digital reporting mechanisms; therefore, robust cyber security is crucial to ensure the security of online platforms, preventing unauthorised access to environmental compliance reports and maintaining the credibility of reporting processes.

The Act is further involved in enforcement activities, which means you must protect the integrity of enforcement data, preventing tampering or unauthorised access that could undermine regulatory actions and legal proceedings.

Ensuring the security of this data is crucial for preventing unauthorised access or manipulation, which could impact waste reduction initiatives and resource efficiency programmes.

WRAP regulations mean collaboration among stakeholders. Cyber security ensures secure communication and data exchange, preventing potential breaches that could compromise collaborative efforts.

Cyber security is essential to protect against cyber threats that could disrupt operations, compromise safety measures, and result in environmental disasters.

Cyber security measures prevent unauthorised access to critical systems involved in oil storage. Unauthorised access could lead to spills or leaks by activists looking to further their cause and damage reputation of your service.

Water, as part of Critical National Infrastructure (CNI), means the cyber security implications are vast. It is essential to prevent unauthorised access or manipulation, ensuring the accuracy of water quality assessments crucial for environmental conservation and public health.

Cyber security measures also protect against risks of cyber attacks that could compromise water quality. Such an attack could potentially lead to contamination, posing risks to ecosystems and the local population. 

Cyber security protects data related to the disposal and handling of hazardous waste. Unauthorised access or manipulation of this data would lead to environmental risks and regulatory non-compliance.

Another aspect is the secure communication and collaboration among stakeholders involved in hazardous waste management.