
Building a cyber resilient service: guidance for directors of finance

This document aims to support you to develop proactive, protective strategies and capabilities to enhance the cyber resilience of your council services. Some recommendations are technical, some organisational and some are about your people.

Introduction

This page details supplementary guidance specific to council planning services. Full guidance and steps can be found in our guidance document.


Step 5: Be clear on why your service may be targeted

Consider the three categories of harm caused by a cyber attack: being robbed (theft of money, data, or intellectual property), being weakened (espionage, political interference, or prepositioning) and being hurt (ransomware and destructive or catastrophic attacks). Councils hold large volumes of data that may be an attractive target for an attacker, including:

  • Financial data – opportunities for fraud and theft
  • Supplier data – opportunities to commit fraud by setting up bogus supplier accounts
  • Personal data – including sensitive personal data, providing opportunities for ransomware by threatening to publish the data
  • Politically sensitive data, e.g. relating to high-profile planning applications – could be damaging if leaked
  • Critical services – opportunities for ransomware, as attackers know that essential services depend on the systems being available.

Things to consider:

  1. Which of these motivations is most relevant to the finance team?
  2. What do you have that makes your service vulnerable?
  3. How well does the council control and safeguard digital data of interest to malicious actors, that could be making them a target?[1]

Finance services, and the teams within your directorate, are supported by a huge amount of data. Your access to financial accounts (including income, payments and IT systems), and your ability to make payments, make your service particularly attractive to attackers who are seeking to make a financial gain.

This amount and type of data makes your service vulnerable to cyber attacks and means the impacts to staff, residents and council services can be very damaging. Attackers may be looking to steal sensitive data for resale or to perpetrate further criminal acts, and you will be particularly vulnerable to extortion from criminals who recognise the criticality of this data and the need to keep services running.

Most finance departments have robust processes in place to manage financial fraud, but cyber attacks present their own specific challenges, such as phishing attacks, ransomware, online scams, hacking into online accounts, stealing personal information from social media, and distributing malware.

The following table sets out some of the main types of data held by most finance departments, which may present an attractive target to an attacker.

Figure 1: Commonly held finance data

  • Budgetary Information - Details of the council's budget, including allocations for different departments and projects.
  • Expenditure Records - Records of spending, payments, and financial transactions made by the council.
  • Payroll Information - Details of salaries, wages, and other compensation paid to council employees.
  • Supplier and Vendor Details - Information about suppliers and vendors, including contracts, invoices, and payment records.
  • Taxation Records - Records related to local taxes, business rates, and other taxation matters within the council's jurisdiction.
  • Grant and Funding Information - Information about grants received, funding sources, and allocations for specific projects or initiatives.
  • Financial Statements and Reports - Comprehensive financial statements and reports that provide an overview of the council's financial health.
  • Banking and Financial Account Information - Details of council bank accounts, investments, and other financial accounts.
  • Asset and Property Financials - Information related to council-owned assets, properties, and associated financial transactions.
  • Pension Fund Data - Information about the council's pension fund, including contributions, investments, and pensioner details.
  • Financial Planning and Forecasting Data - Data used for financial planning, forecasting, and strategic decision-making.
  • Grants and Subsidies Information - Records of grants awarded, subsidies provided, and associated financial details.
  • Debt and Loan Information - Details of any debts incurred by the council, including loans, bonds, and repayment schedules.
  • Insurance Details - Information related to insurance coverage for the council, including policies, premiums, and claims data.
  • Audit and Compliance Records - Records related to financial audits, compliance with financial regulations, and internal control assessments.


Step 6: Be clear on the impact of a cyber attack

Following the cyber attack on Gloucester City Council, the revenue and benefits team was identified as the highest priority to be restored, so it was given the assistance needed to start making and collecting payments. However, it took longer to resolve issues around arrears.

Managers also lost access to the payroll and financial systems, which meant they had limited financial oversight or budgeting capability.

The recovery costs from the incident have been estimated at over £1.14m[2].

Figure 2: Example of service impact

A cyber attack may disrupt the processing of financial transactions, affecting payments, payroll processing, and other financial activities.

This can lead to delays in fulfilling financial obligations and negatively impact the council's ability to manage its finances efficiently.

Things to consider:

  1. Which critical services operated by your team rely on internet access? 
  2. Would you be able to make payments, and what would be the impact if not?
  3. Which of these critical services is prioritised to get back online first?
  4. Have you created offline records and plans for use during an attack, and ensured all teams have access to them?
  5. What processes do you have in place to protect against attackers who impersonate legitimate suppliers to attempt to divert payments to a bogus account?


Figure 3: Example of financial impact

If a cyber attack was to impact your team’s services, it could affect the financial systems that you operate. 

For example, if the payment systems are compromised, it may result in significant financial losses for the council, as parking fines may go uncollected.

Things to consider:

  1. Is there a developed and regularly updated incident response plan that outlines the steps to be taken in the event of a cyber security incident?
  2. Are staff trained on their roles and responsibilities during a security incident?
  3. Does your current cyber security insurance afford cover to mitigate financial risks associated with potential cyber incidents?


Figure 4: Example of data impact

Finance department staff members would be unable to access crucial financial information needed for day-to-day operations. This could include details of budget allocations, expenditure reports, payroll data, and revenue records, causing immediate disruptions.

The availability of data would almost certainly be compromised; denying access to data is a very common technique used by bad actors.

Areas to consider:

  1. Are offline records available for use during a cyber attack?
  2. If you were unable to share data due to a cyber attack at your service, how can you communicate with other agencies such as the National Crime Agency (NCA), The Information Commissioner’s Office (ICO), Payment Card Industry Data Security Standard (PCI-DSS) authorities or the Local Government Association (LGA)?
  3. Discussing these risks with your IT service and other agencies you would need to contact will ensure there is a robust back up system in place.


Step 7: Be clear on ways to mitigate cyber risks

Table 1: Storing data

Databases

Context: As your service becomes more digital, systems will need to move online. To limit vulnerabilities, staff need support to run their devices on the latest available software and to install regular security updates.

Areas to consider:

  • How regularly is software updated?
  • Who is responsible for update rollout?
  • How would your service operate without access to databases?
  • How do you seek assurance that software is up to date?

Cyber security measures

Context: Implement cyber security measures on council hardware, such as firewalls, antivirus software and intrusion detection systems, to protect against cyber attacks.

Areas to consider:

  • Does all hardware support updated systems?
  • How often does staff training take place?

Devices and networks

Context: Storing and accessing data on personal devices or through a public, unsecured network could create vulnerabilities. Any data stored in an unsecured way can create vulnerabilities, including data downloaded onto a desktop.

Areas to consider:

  • Do staff use personal devices to access sensitive data?
  • Are all staff in your service aware of the potential vulnerabilities exposed by the use of public networks?
  • How often do staff delete data from their desktop?

Backups

Context: Your service should have suitable, secured backups of essential data that would allow for a quick and prompt recovery of essential services. This may include encrypted backups held in a secure off-site environment, removable media in physically secure storage, segregated backups, or appropriate alternative forms.

Areas to consider:

  • How often do backups take place?
  • Where are backups stored?
  • Are your team aware of how to access backups in case of an attack?
  • Who has access to backup data?
  • Which member of your team is responsible for this?


Table 2: Managing data

Handling sensitive data

Context: Your directorate handles critical financial data on a day-to-day basis. Your team must take extra precautions to protect this sensitive information.

Areas to consider:

  • Are you aware of all the sensitive data your service holds?
  • How are physical notes and records stored or destroyed?
  • What systems are used to store electronic records and information?

Access controls

Context: To ensure any sensitive data is protected, you should implement access controls and restrict access to sensitive information to authorised personnel only. Training staff members on secure data handling is essential, and you should ensure they are aware of their responsibilities in protecting data.

Areas to consider:

  • Is sensitive information stored and protected in your service?
  • Who has access to data storage systems?
  • How often do you review access?
  • How often does training take place?
  • Is multi-factor authentication in use across programmes?

Regular audits

Context: Your service should be conducting regular audits of data management practices to ensure that they comply with relevant regulations and industry standards, e.g. that the retention of records is compliant with General Data Protection Regulation (GDPR) timeframes. Keep track of any changes in data protection laws and update practices accordingly.

Areas to consider:

  • How often do you audit your data management practices?
  • Who is responsible for organising this audit?
  • How do you seek assurance that effective audits have taken place?

Data protection laws

Context: The UK conforms to GDPR and the Data Protection Act (2018). It is your obligation to ensure that your team complies with these data protection regulations, to protect the personal data your service holds and to ensure that it is collected, processed, and stored lawfully, fairly, and securely.

Areas to consider:

  • Is your team aware of the UK GDPR regulations and how they affect your work?
  • How often does full staff training take place, not just awareness?

Record keeping

Context: Record keeping in this sector involves the creation, maintenance, and preservation of financial records to support effective financial management, decision-making, and regulatory requirements.

Areas to consider:

  • How often do your team update records?
  • How are records stored and updated?

Risk management

Context: Risk management processes, such as conducting regular risk assessments, implementing appropriate security measures, and developing contingency plans for data breaches, are essential to identify and mitigate potential risks to the security and privacy of data. These risks should be added to the departmental risk register and raised with your SMT.

Areas to consider:

  • How often do risk assessments take place in your service?
  • What contingency plans are in place for data breaches?
  • Are staff aware of data breach processes?


Table 3: Sharing data

Collaboration

Context: Different government agencies and departments at various levels (local, regional, national) may be involved in finance management. Collaborative efforts may involve the establishment of data standards and protocols to ensure consistency among different datasets. Standardised data formats enable smoother collaboration and data integration.

Areas to consider:

  • Who is responsible for data management and sharing in your service?
  • How often does training take place?
  • What procedures are in place to ensure effective and secure data sharing between teams and partners?
  • Do you feel confident that members of your team are safely sharing information?

Offline records

Context: When assessing the risks to your service, you should also think about any partner organisations you work with, your suppliers and any systems you have external links with. Managing offline records in finance is as crucial as managing digital records. Even in this era of digital technology, many councils maintain physical or offline records for various reasons, including legal requirements, historical documentation, and as a backup strategy.

Areas to consider:

  • Do you have processes in place for sharing offline information with partners?
  • What security measures are in place for sharing sensitive information?


Table 4: Awareness and training

Positive culture

Context: A positive cyber security culture instils the importance of cyber security and the role every individual has in helping to protect the council. It will ensure that staff view cyber security as a business enabler rather than a hindrance, and that it is understood by all councillors and staff. A positive culture contributes to the overall effectiveness, efficiency, and ethical conduct of your service.

Areas to consider:

  • Does your team speak openly and regularly about cyber security and risk?
  • Is it discussed at board level?
  • How often does your service review the cyber security strategy?
  • How confident do your team feel with the strategy?

Awareness

Context: Experience shows that cyber risk to councils does not only come from external sources; employees can often present some of the most significant risks to cyber security. By clicking on links in phishing emails, storing sensitive data on personal devices, using unsecured networks or weak passwords, or not installing security updates, employees can put your information under serious threat.

Areas to consider:

  • Do you understand the awareness levels of cyber security within your team?
  • How can you ensure cyber risk is pitched correctly for the various roles in your service?

Training

Context: Cyber security training should be refreshed regularly. As a director you'll be aware of the high demands on the staff within your service; however, this training must be prioritised to reduce the risk of a cyber attack.

Areas to consider:

  • How often does cyber security training take place in your service?
  • Is training appropriate for all staff at different technical levels?

Reporting

Context: In order to create a positive cyber security culture in your service, all staff must be aware of the process for reporting a potential breach and feel confident to do so at all levels.

Areas to consider:

  • Do all team members understand the process for reporting a data breach?
  • Is there a service-wide communication strategy in place to report data breaches?
  • What impact would a data breach have on your team?

Workforce

Context: A large number of agency staff may be used by your service.

Areas to consider:

  • How can you integrate cyber secure practices into this temporary and externally managed workforce?


Table 5: Supply chain management

Co-ownership

Context: Co-ownership typically refers to the shared rights and responsibilities among multiple stakeholders involved in the finance process. These stakeholders can include local government authorities, developers, community groups, local citizens, and other relevant entities.

Areas to consider:

  • Do members of your team work closely with other teams during the finance process?
  • What barriers are in place during this process?
  • What needs to change in order to streamline this process?

Contract management

Context: Your service should consider including specific cyber security requirements and clauses in its contracts with external providers, to ensure that security measures are in place throughout the duration of the contract.

Areas to consider:

  • Does your service include cyber security requirements within contracts?
  • How is this measured?

Monitoring and reporting

Context: Regular monitoring and assessment of external providers' security practices should be conducted to ensure that they are maintaining a strong security posture.

Areas to consider:

  • How would you work with partner organisations if your IT systems were unavailable?
  • How would you work with partner organisations if they were experiencing a cyber attack themselves?


Table 6: Legislative implications

Law/Regulation: Local Government Act 1972
Cyber security implications: The Act doesn't explicitly address cyber security, but councils should ensure that their systems, especially those handling financial information, are secure to prevent unauthorised access, data breaches, and manipulation of financial records.

Law/Regulation: Local Government Finance Act 1992
Cyber security implications: Given that the Act outlines principles for local government finance, councils need to secure financial systems to protect council tax and business rates data. This includes safeguarding against unauthorised access and ensuring data integrity.

Law/Regulation: Accounts and Audit Regulations
Cyber security implications: The regulations emphasise the secure preparation, audit, and publication of local authority accounts. Cyber security measures must ensure the integrity of financial data, protect against unauthorised access, and prevent tampering with audit records.

Law/Regulation: Prudential Code for Capital Finance in Local Authorities
Cyber security implications: To ensure prudential borrowing and capital investment decisions are informed and secure, councils must implement cyber security measures to protect financial data and maintain the confidentiality of sensitive financial strategies.

Law/Regulation: The Local Authorities (Capital Finance and Accounting) Regulations 2003
Cyber security implications: Capital finance regulations require secure handling of capital expenditure and financing data. Finance officers must implement cyber security measures to protect this financial information from cyber threats.

Law/Regulation: Code of Practice on Local Authority Accounting
Cyber security implications: The code provides guidance on financial reporting, necessitating secure financial systems to protect against cyber threats. Ensuring the confidentiality and integrity of financial data is crucial for compliance with the code.

Law/Regulation: Financial Reporting Manual (FReM)
Cyber security implications: FReM provides guidance on financial reporting within government organisations. Cyber security measures are essential to secure financial systems, protect sensitive financial data, and ensure compliance with reporting standards.

Law/Regulation: Public Contracts Regulations 2015
Cyber security implications: Cyber security measures are critical to securing procurement systems, protecting financial and personal information exchanged during procurement activities, and preventing fraud or unauthorised access.

Law/Regulation: Charities Act 2011 (where applicable)
Cyber security implications: For councils involved in charitable activities, cyber security measures are essential to protect financial information related to charitable funds. This includes securing online donation platforms and donor information.

Law/Regulation: Government Internal Audit Standards (GIAS)
Cyber security implications: All internal audit functions must operate in a secure environment. Cyber security measures are necessary to protect audit data, maintain confidentiality, and prevent unauthorised access to audit reports and findings.

Law/Regulation: Value for Money (VFM) Framework
Cyber security implications: Achieving value for money involves considering the cost-effectiveness of cyber security investments. Finance officers must ensure that cyber security measures align with the potential financial and reputational consequences of a cyber incident.