Building a cyber resilient service: A guide for directors of children’s services


About this guide

Welcome to our guide on 'Building a cyber resilient service: A guide for directors of children’s services'. This document aims to support directors and their senior team to develop proactive, protective strategies and capabilities to enhance the cyber resilience of their service; some recommendations are technical, some organisational and some are about your people. 

We discuss these protective strategies, how they work together, and what would be considered good practice and unsafe practice, so directors can create a positive culture surrounding cyber security in their service and organisation. 

The document is intended to get directors thinking about the intricacies of cyber security in the context of delivering children’s services. It does not seek to produce a single, set blueprint. 

Due to the ever-changing landscape of cyber threats, directors and their senior teams should regularly review their cyber security practices and policies, while also looking at their capacity and capabilities to deal with them.


Summary

This document aims to support directors of children’s services (DCSs) and their senior team with building the cyber defences of your service and enhancing cyber resilience which will reduce the likelihood of a cyber attack and its impact on your service if, and when, an incident takes place. It will help you as a director consider the risks to your service, the people, data and technology you want to protect and the harms you most want to avoid.

Good cyber security practices are essential for individuals and organisations. The responsibility for cyber security may sit at a corporate level, but each service within a local authority has a part to play in protecting their assets and critical services. Your service will be underpinned by data and technology, which is evolving at speed. These changes create benefits and opportunities – but also risk when it comes to cyber security. Your service needs robust cyber security to safeguard children, young people and their families, including their data, infrastructure, and service delivery.


Introduction

Cyber security poses a major risk for councils. At least 11 million attempted attacks on UK councils occurred in 2022, with over 10,000 attacks every day [1] (Gallagher, 2022). If, or when, a cyber attack hits your council, it could cause significant disruption. An attack on critical systems could damage the council’s reputation and finances and have a significant impact on its ability to deliver on its priorities and comply with service legal requirements. What is your service doing to reduce cyber risk – to lessen the probability and severity of an attack? Is cyber security something you think about?

This guide for directors of children’s services offers a set of cyber security steps to consider: 

  • Step 1: Be clear on what cyber security means
  • Step 2: Be clear on your cyber security role
  • Step 3: Be clear on the cyber risk to your service
  • Step 4: Be clear on the likelihood of an attack and by whom
  • Step 5: Be clear on why your service may be a target
  • Step 6: Be clear on the impact of a cyber attack
  • Step 7: Be clear on ways to mitigate cyber risks
  • Step 8: Be clear on ways to respond and recover


Step 1: Be clear on what cyber security means

The National Cyber Security Centre (NCSC) is an organisation of the UK Government that provides advice and support for the public and private sector in how to avoid computer security threats. It defines cyber security as: [2]

How individuals and organisations reduce the risk of cyber attack. Cyber security’s core function is to protect the devices we all use (smartphones, laptops, tablets, and computers), and the services we access – both online and at work – from theft or damage. It’s also about preventing unauthorised access to the vast amounts of personal information we store on these devices, and online.

The responsibility for cyber security may sit at a corporate level, but ultimately it is the responsibility of each service to protect their assets and critical services. Your service will be underpinned by data and technology, and that technology is evolving at speed. These changes create benefits and opportunities – however, there is also an increased risk in terms of the potential for cyber attacks.  You will need to ensure robust cyber security to safeguard data, infrastructure, and service delivery.[3] 


Step 2: Be clear on your cyber security role

As someone entrusted to protect and safeguard the welfare of children, cyber security should be considered alongside your statutory role. This means using your role to ensure that clear and effective arrangements are in place to protect children and young people from harm – including harm caused by the loss or misuse of data about them and their families stored, controlled and shared digitally. This is reflected in your duty to provide ‘…a clear and unambiguous line of… professional accountability for children’s wellbeing.’[4] 


When discussing cyber risks, the conversation tends to focus on the role of the IT department. IT teams are there to support the whole workforce, and though they do have a role to play, you and your senior team should understand the vulnerabilities and threats to your service. A cyber attack can and will affect all areas of the council, and it is essential to prepare.

  • ‘A vulnerability is a weakness in an IT system that can be exploited by an attacker to deliver a successful attack. They can occur through flaws, features or user error, and attackers will look to exploit any of them, often combining one or more, to achieve their end goal.’[5]
  • Cyber threats are: ‘Anything capable of compromising the security of, or causing harm to, information systems and internet connected devices (to include hardware, software and associated infrastructure), the data on them and the services they provide, primarily by cyber means’.[6]


Step 3: Be clear on the cyber risks to your service

Cyber security should be covered in the risk assessment for your service area and recorded as part of the corporate risk register. Cyber risk is a business risk consistent with those arising from physical threats – and processes should be in place to facilitate consistent reporting and escalation routes across the council. A fundamental aspect of your cyber risk assessment is to understand the likelihood and impact of an attack affecting your service. This assessment will help you respond through mitigations and minimisation techniques. For this to happen, you need to identify what harms your service could withstand in the event of an attack, and what it could not afford to happen.


The more software, systems and data used as part of your service – the more vulnerability points arise. Also be aware of risks associated with your supply chains and ensure these risks are also managed through your risk assessment process. Vulnerabilities, opportunities or weaknesses in your information systems and internal controls can lead to security breaches if exploited. It is essential you understand the software, systems and data used as part of your service – including shadow IT [7] – and that you work with your IT service to gain assurances about security updates.  Putting in place a good vulnerability management process can help you understand which ones are most serious and need addressing first. [8]

There may also be high turnover of staff in your increasingly busy service area. A large number of joiners, movers and leavers creates further vulnerabilities: because responsibilities, management and access change often, there is a risk that individuals retain access to systems or information that they no longer require. It is important to have robust processes in place to manage this.


[7] The term ‘shadow IT’ (also known as ‘grey IT’) refers to the unknown assets that are used within an organisation for business purposes. Since these are not accounted for by asset management, nor aligned with corporate IT processes or policy, they’re a risk to your organisation.  NCSC - www.ncsc.gov.uk/guidance/shadow-it


Step 4: Be clear on the likelihood of an attack and by whom

Robert Mueller, Former Director of the FBI, is on record as saying:[9]

I am convinced that there are only two types of companies: those that have been hacked and those that will be. And even they are converging into one category: companies that have been hacked and will be hacked again.

The UK government has identified ransomware attacks as the most significant cyber threat facing the country, and criminals are developing new techniques to circumvent cyber defences, including targeting the users of technology as well as the technology itself.[10] It is therefore sensible to assume you will be affected by a cyber incident at some point, and to push back on the narrative that an attack is unlikely. Your plans should reflect this reality too.


Step 5: Be clear on why your service may be targeted

Consider the three categories of harm caused by a cyber attack: getting robbed (stealing cash, data or intellectual property), getting weakened (espionage, political interference or prepositioning) and getting hurt (ransomware and destructive or catastrophic attacks).[11] Which of these motivations is most relevant to your service? 

Think about:

  • What assets do you have that make your service vulnerable to a cyber attack? Is data theft at the top of this list? All councils manage data of interest to malicious actors, making them a target.

Children’s services teams are supported by a huge amount of data. This will include, for example, data on children looked after, child protection, special educational needs and disability, pupil attainment, children’s health, post-16 circumstances, and judgements from Ofsted (see Figure 1). The amount and type of this data makes your service vulnerable to cyber attacks. Attackers may be looking to exfiltrate data for resale on the Dark Web, and you will be particularly vulnerable to extortion from criminals who recognise that this data is critical for your services to continue to run. Cyber security is vital to ensuring that this data is secure.


[11] Ciaran Martin, 2020. ‘Cyber Attacks: What actual harm do they do?’ RUSI.

Figure 1: Commonly held children’s services data

  • Personal details – Names, addresses, gender, dates of birth, and contact details for the child and their parents or carers.
  • Contact details – Name and contact details of any person with parental responsibility, or who has care of a child at any time. 
  • Education data – Unique Pupil Number (UPN), details of any education being received by a child, including the name and contact details of any educational institution they attended.
  • Health data – NHS number, name and contact details of any person providing primary medical services in relation to a child. 
  • Social care data – Child-level data, information about any safeguarding concerns, child protection plans, and any involvement with children’s social care services.
  • Early years data – Information about a child’s development and progress in early years settings such as nurseries or childminders.
  • Youth services data – Information about a child’s participation in youth services and any support they receive.
  • Adoption and fostering data – Information about children who have been adopted or placed in foster care, as well as information about prospective adoptive or foster parents.
  • Legal data – Information about any court orders or legal proceedings related to the child.


Step 6: Be clear on the impact of a cyber attack

In 2020, Hackney Council was the victim of an extremely disruptive ransomware attack which affected all systems and services including critical services such as social care, waste collection, benefits payments and housing – many ran using in-house systems. Two years after the initial attack, the council remained in recovery mode, with some IT systems still in the process of remediation, while some data was completely lost. The attack cost the council approximately £12 million.

In March 2023, Capita, which runs services for many local authorities, was the victim of a cyber attack that caused a significant IT outage at the organisation. Following the attack, Capita was found to have been storing client data in an unsecured AWS bucket. Seven local authorities were among the organisations affected by the attack, which exposed potentially sensitive data and brought some services to a halt.[12] The attack garnered much media attention and exposed the supply chain risk faced by all councils.


[12] Adur District Council, Colchester City Council, Coventry City Council, Derby City Council, Rochford District Council, South Staffordshire and Worthing Borough Council.

Figure 2: Example of service impact

Consider how the situation below would affect you and your team, and begin to answer the questions that follow.

During a cyber attack, you and your team may have no access to the internet or networks. You need to consider how the loss of internet access might affect your critical services, and how you could keep them running – you may need alternative manual processes in place to keep a skeleton service operational. Your requirements to keep your service functional should be analysed, solutions designed and documented in your service’s business continuity plan. 

Prior to an incident, you should work with your IT team to prioritise the most important systems. This will assist your IT team if response and recovery is needed in the future. Similarly, identify where processes are dependent on other internal and external systems being available. Simply restoring one system in isolation will not be sufficient to allow a service to start operating after an attack.

Always work in partnership with your IT team if you are making any changes to your service. This could include new information sharing agreements, procuring new systems, or changes to processes. Cyber security and IT implications should be factored into all these decisions.

For further guidance on effective cross working with IT, please read Must Know: Children's services guide to effective cross-council working.

Things to consider:

  1. Which services operated by your team rely on internet access?
  2. Which services should be prioritised for recovery? 
  3. Have you created offline records and plans for use during an attack and ensured all teams have access to them?
  4. How would you continue to be able to manage referrals, undertake risk assessments, work with multi-agency partners and protect vulnerable children if your systems or data were unavailable for a prolonged period of time?

Figure 3: Example of financial impact

Consider how the situation below would affect you and your team, and begin to answer the questions that follow.

If a cyber attack was to impact your services, it could affect the financial systems that you operate. For example, if the system responsible for foster carer payments or direct payments was unavailable, you may not be able to make payments on time. 

Things to consider:

  1. Does your team have an offline record of payments to be made?
  2. How would you ensure carers, benefit receivers and other payees receive their payments regularly, if the payment system was unavailable? 
  3. What additional safeguarding concerns would be created if vulnerable families had not received essential payments? 
  4. Have you discussed these risks with your finance team to ensure that financial impacts are included in yours and their continuity plans?

Figure 4: Example of data impact

Consider how the situation below would affect you and your team, and begin to answer the questions that follow.

The Child Protection Information Sharing (CPIS) integrations with the NHS should also be considered as this provides the NHS with vital information about vulnerable children. 

Areas to consider:

  1. Are offline records available for use during a cyber attack?
  2. If you were unable to share this data due to a cyber attack at your council or at the NHS, how could you continue to share information securely to protect the most vulnerable children? 
  3. Have you discussed these risks with your IT service and the NHS’s IT service to ensure there are robust backup systems in place?


Step 7: Be clear on ways to mitigate cyber risks

Cyber risks cannot be completely eradicated, but they can be significantly minimised by planning for such an event and by developing a strong cyber security culture in your team. This includes putting in place strong data management systems to safely collect, share and store information about children and young people – for example, following best practice on managing the technical specifications and security of your databases.

Tables 1 to 5 present some considerations for mitigating the risks posed to information and data within children’s services.

Table 1: Storing data

Databases

As your service becomes more digital, systems will need to move online. Examples of these systems include Mosaic, Liquid Logic, Python, and more. To limit vulnerabilities, staff need support to run their devices on the latest available software and to install regular security updates. The widescale practice of data linking will be a particular vulnerability for your service.

Areas to consider:

  • How regularly is software updated?
  • Who is responsible for update rollouts?
  • How would your service operate without access to databases?
  • How do you seek assurance that software is up to date?
  • How is the golden record protected against data linking vulnerabilities?

Cyber security measures

Implement cyber security measures on council hardware, such as firewalls, antivirus software and intrusion detection systems, to protect against cyber attacks.

Areas to consider:

  • Does all hardware support and run updated systems?
  • How often does staff training take place?

Devices and networks

Storing and accessing data on personal devices or through a public, unsecured network could create vulnerabilities. Any data stored in an unsecured way can create vulnerabilities, including data downloaded onto a desktop.

Areas to consider:

  • Are staff using personal devices to access sensitive data?
  • Are all staff in your service aware of potential vulnerabilities exposed by the use of public networks?
  • How often do staff delete downloaded data from their desktop?

Backups

Your service should have suitable, secured backups of essential data that would allow for a quick and prompt recovery of essential services. This may include encrypted backups held in a secure off-site environment, removable media in physically secure storage, segregated backups, or appropriate alternative forms.

Areas to consider:

  • How often do backups take place, and are backups tested?
  • Where are backups stored?
  • Who has access to backup data?
  • Which member of your team is responsible for this?
  • Discuss with IT, or the system supplier, what your backup arrangements are, and know the detail.
  • Have a business continuity plan (BCP) which does not rely on backups.
  • Don't assume IT are backing up all data. Understand what is backed up and what is not.
Table 2: Managing data

For more information about secure data management and security, please read Working Together to Safeguard Children 2018.

Handling sensitive data

Due to the nature of the work your service delivers, your team will be handling sensitive data on a day-to-day basis, both electronically and physically. Your team must take extra precautions to protect the sensitive information outlined above.

Areas to consider:

  • Are you aware of all the sensitive data your service holds?
  • How are physical notes and records stored or destroyed?
  • What systems are used to store electronic records and information?

Access controls

To ensure sensitive data is protected, you should implement access controls and restrict access to sensitive information to authorised personnel only. Training staff members on secure data handling is essential, and you should ensure they are aware of their responsibilities in protecting children’s data.

Areas to consider:

  • How is sensitive information stored in your service?
  • How is it protected?
  • Who has access to data storage systems?
  • How often does your team review accesses?
  • How often does training take place?
  • How often are passwords changed?
  • Is multi-factor authentication in use?

Regular audits

Your service should conduct regular audits of data management practices to ensure that they comply with relevant regulations and industry standards, e.g., ensuring data is only held for a relevant amount of time or is stored in the correct system. Keep track of any changes in data protection laws and update practices accordingly.

Areas to consider:

  • How often do you audit your data management practices?
  • Who is responsible for organising this audit?
  • How do you seek assurance that effective audits have taken place?

Data protection regulations

In the UK, we operate within legal regulations for data management, mainly the General Data Protection Regulation (GDPR). It is your obligation to ensure that your team complies with these data protection regulations to protect children’s personal data, and to ensure that the personal data of children and their families is collected, processed, and stored lawfully, fairly, and securely.

Areas to consider:

  • Is your team aware of the UK GDPR regulations and how they affect their work?
  • How often does staff training take place on data protection?

Record keeping

Accurate and up-to-date record keeping is essential in children’s services to ensure that important information about children and their families is available when needed. Records should be kept securely and in accordance with relevant legislation, and regular audits should be carried out to ensure the accuracy and completeness of the records.

Areas to consider:

  • How often does your team update records?
  • How are records stored and updated?

Risk management

Risk management processes, such as conducting regular risk assessments, implementing appropriate security measures, and developing contingency plans for data breaches, are essential to identify and mitigate potential risks to the security and privacy of children’s data. These risks should be added to the corporate risk register and raised to the senior management team (SMT).

Areas to consider:

  • How often do risk assessments take place in your service?
  • What contingency plans are in place for data breaches?
  • Are staff aware of data breach processes?

Table 3: Sharing data

For more information about secure data sharing and safeguarding, please read A 10 step guide to sharing information to safeguard children.

Collaboration and safeguarding

Sharing information enables practitioners and agencies to identify and provide appropriate services that safeguard and promote the welfare of children. However, information sharing must be done in accordance with relevant legislation, such as the Children Act 2004, and must ensure that the privacy and confidentiality of the children and their families is maintained.

Effective information governance practices, such as assigning responsibility for data management (Data Protection Officer), providing training on data protection and confidentiality, and implementing secure IT systems and procedures, are essential to ensure that data is managed securely and appropriately. You should also have a data protection framework in place to help you share information.

Areas to consider:

  • Who is responsible for data management and sharing in your service?
  • How often does training take place?
  • What procedures are in place to ensure effective and secure data sharing between teams and partners?
  • Do you feel confident that information is being shared safely by members of your team?

Child-level data

You may be asked to share child-level information as part of an inspection of local authority children’s services (ILACS). Ofsted provides guidance for correct and secure sharing of this data set.

Areas to consider:

  • Is your team aware of the sort of data it may be asked to share with Ofsted?
  • How do you gain assurance this is being handled correctly?

Consent

As set out in the Data Protection Act 2018, you do not need to seek consent before collecting, processing, or sharing information regarding children who may be at risk. It is, however, considered to be good practice to inform a parent or carer when sharing data. You must also be clear about your purpose for sharing information.

Areas to consider:

  • Are all staff aware of consent regulations?
  • Is your team clear on when it needs to gain consent for sharing data?

Offline records

When assessing the risks to your service, you should also think about any partner organisations you work with, suppliers and any systems you have external links with.

You will need to have a robust and prearranged process in place for sharing information securely, so nothing is shared inadvertently. In addition to this, most IT systems will have a process in place for restricting sensitive records (like post-adoption records or children who are related to staff members), but if you are working offline then you’ll need to consider additional security measures for these cases.

Areas to consider:

  • Do you have processes in place for sharing offline information with partners?
  • What security measures are in place for sharing sensitive information?

Table 4: Awareness and training

Positive culture

A positive cyber security culture instils the importance of cyber security and the role every individual has in helping to protect the council. It will ensure that staff view cyber security as a business enabler rather than a hindrance, and that it is understood by councillors and staff.

Areas to consider:

  • Does your team speak openly and regularly about cyber security and risk?
  • How often does your service review the cyber security strategy?
  • How confident do your team feel with the strategy?

Awareness

Experience shows that cyber risk to councils does not only come from external sources; employees can often present some of the most significant risks to cyber security. By clicking on links in phishing emails, storing sensitive data on personal devices, using unsecured networks or weak passwords, or not installing security updates, employees can put your information under serious threat.

Areas to consider:

  • Do you understand the awareness levels of cyber security within your team?
  • How can you ensure cyber risk is pitched correctly for various roles in your service?

Training

Cyber security training should be refreshed regularly. As a DCS, you’ll be aware of the high demands on the staff within children’s services; however, this training must be prioritised to reduce the risk of a cyber attack, as human error caused 90 per cent of cyber data breaches in 2019, according to analysis of data from the UK Information Commissioner’s Office (ICO) carried out by CybSafe.[13]

Areas to consider:

  • How often does cyber security training take place in your service?
  • Is training appropriate for all staff at different technical levels?

Reporting

In order to create a positive cyber security culture in your service, all staff must be aware of the process for reporting a potential breach and feel confident to do so at all levels.

Areas to consider:

  • Do all team members understand the process of reporting a data breach?
  • Is there a communication strategy in place to report data breaches to the affected families?
  • What impact would a data breach have on your team’s safeguarding and GDPR practices?

Workforce

A large number of agency staff may be being used by your service and in the supply chain.

Areas to consider:

  • How can you integrate cyber secure practices into this temporary and externally managed workforce?

Table 5: Supply chain management

Co-ownership

Procurement practices should be co-owned by IT, procurement and children’s services, which will ensure that products are understood from a business and technical perspective.

Areas to consider:

  • Do members of your team work closely with other teams during the procurement process?
  • What barriers are in place during this process?
  • What needs to change in order to streamline this process?

Procurement

Your service should take steps to ensure that external providers are subject to rigorous procurement processes that assess their security controls and measures. This may include assessing their security policies, performing security audits, and ensuring that they comply with relevant security standards and regulations.

Areas to consider:

  • Does your service consider cyber security during the procurement process?
  • How do you seek assurance that this has taken place?

Contract management

Your service should consider including specific cyber security requirements and clauses in its contracts with external providers to ensure that security measures are in place throughout the duration of the contract.

Areas to consider:

  • Does your service include cyber security requirements within contracts?
  • How is this measured?

Monitoring and reporting

Regular monitoring and assessment of external providers’ security practices should be conducted to ensure that they are maintaining a strong security posture.

Areas to consider:

  • How would you work with partner organisations if your IT systems were unavailable?
  • How would you work with partner organisations if they were experiencing a cyber attack themselves?


Step 8: Be clear on ways to respond and recover

Planning

As a DCS, how confident are you that your service could adequately respond to and recover from a cyber incident or unplanned disruption? You will likely already be feeding into a BCP on a corporate level – and it is also important to maintain a BCP tailored for your service that provides clear actions on managing a cyber attack.

We would strongly advise against publishing this online – it is a threat actor’s dream to see what your response to a cyber attack is and how it will be managed.

Working offline

The first step taken by your IT service in the event of a cyber attack is likely to be taking down all IT services and disabling access to any systems while the cause and impact is identified. The IT team would then focus on preventing further damage, recovering systems, restoring backups, managing access and so on. During this time, there would likely be no access to IT services.

Areas to consider:

  • Is there a clear plan setting out how your service would cope with no IT access for a significant period – sometimes stretching to weeks or even months?
  • How would your team cope without access to the necessary case recording system? What about managing new referrals? 
  • How would you ensure staff safety without access to case warnings such as ‘do not visit alone’ and ‘do not share this information’?

These are crucial questions to ask – and they should be part of a regular cycle of reviewing and testing. Encourage your team to regularly consider how they could continue to provide essential services to children and young people if recording systems were unavailable, or if all IT access was suspended.

Communication

If your service is the victim of a cyber attack, how would you communicate with colleagues, partners, residents and wider stakeholders? How would you do this if a cyber attack prevented you from accessing your usual communication methods (emails, MS Teams and so on)? Do you have an offline communication plan to support you in updating internally and externally? This may include using WhatsApp groups (which would need a full DPIA), posts on social media or phone calls – which means you will need access to contact details that are updated regularly and stored securely offline. Reviewing your plan with your corporate communications team will ensure a consistent approach across the council and reduce the pressure on the IT service to provide updates while managing a cyber incident.

Areas to consider:

  • Do your staff understand how to report a cyber attack, and to whom?
  • How will your staff communicate without access to IT or the internet?
  • Is there a communications plan in place to help with response to media requests or questions from residents?
  • Do you know where to report a cyber attack e.g., NCSC, LGA, police etc.?

Staff wellbeing

During a cyber attack, there may be an increased level of stress and responsibility on staff due to increased workload, concern for children and their families, and pressure from the media. It is crucial to make sure there are systems in place to support staff through this time. Focusing on these sorts of questions will help to promote a positive cyber security culture in your service area. 

Out-of-hours

Is your service supported by out-of-hours social care support teams based at other locations or authorities? You may be clear on the response plans of your authority, but do you know how these work across shared working environments? What plans are in place, for example, if your out-of-hours service was unable to access the necessary case recording system? How would they perform checks on protective measures put in place to protect a child, or processes put in place to support a child’s care plan?


Conclusion

Cyber threats are constantly evolving. It will be impossible to fully prevent cyber attacks on the services you provide for children and families; however, the potential for harm is great, so we must be vigilant.

Your IT team should have robust processes in place to prevent as many attacks as possible, but it’s important for every member of your children’s services to take a proactive approach to cyber security. 

As explained in this guide, this means, as a Director of Children’s Services, being clear on:

  • What cyber security means
  • Your cyber security role
  • The cyber risk to your service
  • The likelihood of an attack and by whom
  • Why your service may be a target
  • The impact of a cyber attack
  • Ways to mitigate cyber risks and ways to respond and recover.