The latest Big Brother Watch report has found that more than 25% of UK councils have had their computer systems breached in the past five years. The report found 114 councils had experience at least one incident between 2013 and 2017 which was based on Freedom of Information requests. The data all reported that the number of cyber-attacks on local authorities, which hold the data of millions of residents, at 98 million between 2013 and 2017. This amounts to 37 attacks every minute. IT Security experts commented below.
Paul Edon, Director at Tripwire:
“The truth of the matter is that many organisations, not just councils, remain unprepared for a cyber attack. It’s difficult to prepare for something you don’t understand, can’t visualize, and haven’t experienced.
You would have hoped that the devastation caused by NotPetya and WannaCry would have triggered an instant reaction for organisations to get their security in order. This isn’t the case.
To get security right, organisations need to get the basics right. Start by understanding the risk you have. You must conduct regular, preferably continuous, assessments of configuration and vulnerability risk across your IT systems. Then ensure systems are regularly patched and upgraded.
Following these basic security hygiene rules will go a long way to making your systems secure and the attackers’ job more difficult.”
Javvad Malik, Security Advocate at AlienVault:
It’s not surprising to hear of any company, government office or council being attacked. If a system is online, it will likely be attacked or probed in some way or another. However, it is important that these councils, and indeed enterprises of all sizes are prepared with not only defensive controls, but have in place good monitoring in order to be able to detect where a breach may have occurred, so that appropriate response measures can be taken.
Staff training should also not be overlooked, particularly as the deadline for GDPR looms close and any breaches of personal information will be scrutinized more closely.
Patrick Hunter, Director at One Identity:
“There is a war on and it seems that the public are mostly oblivious to the attackers. There are millions of cyber-attacks in the UK each month and most are simple port scans, phish attempts or similar automated “chancers”. When articles like these are published we’re supposed to be shocked and dismayed at the poor level or protection put in place by our councils.
They are going to be the hardest hit, always. They are the keepers of much of our personal data and also, sadly, they are the imitated to try and fool the general public into clicking things that they shouldn’t. We only have to look at the funding and spend on public sector security to know that they are on the case but keeping up with a determined hacker is always going to be hard. This is true even in the private sector.
The UK government formed the National Cyber Security Centre in 2016 and formed from GCHQ. They know what is coming and they are keeping pace as much as they can.
The councils have confirmed that there has been data loss and yet again, we can all see that it is the human aspect that has let them down. They know they need more training and they need to work with the NCSC to get the best protection our personal data an get. Let’s hope they get on and fix that final aspect of security – us, the people.”
Dr Anton Grashion, Managing Director, Security Practice at Cylance:
“Rightly or wrongly, cyber criminals must think local authorities are a fairly soft target, especially if they keep being successful. These authorities hold extremely sensitive personal information, and are suffering under a deluge of competing advice and promises of security that serially fail to deliver the levels of security they promise.
Education would be a great place to start, but having predictive prevention to stop the ingress of malicious software and viruses in the first place would seem to be a logical first step. Chasing the problem into the network once a payload has been delivered just adds to the workload and budget of over stressed IT departments.”
Anthony Chadd, Senior Director, EMEA at Neustar:
“In today’s political and economic climate, local governments are under increasing pressure to deliver first-class services against the backdrop of reduced funding, increasing demands and – now – the growing threat of a crippling cyber-attack.
“As the guardians of millions of citizens’ personal information – and with less than 100 days until the GDPR comes into force – ensuring robust data security has never been more critical. From protecting against DDoS attacks to encrypting mission-critical data and IP, local governments across the country must ensure cyber-security is at the heart of their digital transformation strategies.”
Stephen Burke, Founder & CEO at Cyber Risk Aware:
“It’s concerning that a large proportion of councils are not providing mandatory cyber-security training – and some are not providing any at all. Employees are on the front line when it comes to safeguarding data and it only takes one person to click on a malicious link to place the security of the entire organisation at risk.
The role of staff awareness and education is particularly significant with the EU GDPR set to come into force. It’s more important than ever for all organisations to take measures to educate staff on the basics of good cyber security, from how to spot potential phishing emails to how to report anything that doesn’t look genuine. Through regular simulated attacks on staff, it maintains a very high level of awareness because at an emotional level, people don’t like feeling they have been caught out and therefore try hard not to feel that way again. It has the great effect of rapidly reducing the risk of a user falling victim to a phishing email”
Joseph Carson, Chief Security Scientist at Thycotic:
“Cyber security is quickly becoming part of everyone’s daily life and can no longer be separated between personal and work life. In the past, cyber-attacks were a thing that were only a concern for the workplace, though today, that is no longer the situation and cyber-attacks are more common and affect everyone connected to the internet. Cyber-attacks are going to be the biggest threat to everyone and business on earth and will be the trigger for future wars and political instability.
This is not surprising at all, with shrinking budgets and most councils struggling just to keep the lights on, cybersecurity is surely the last thing on their mind, especially when they have to decide whether to hire vital staff or choose on upgrading software to keep them patched with the latest security updates. Just like many organisations the focus is on the business and if cybersecurity is not adding value then it is a cost and for most, they are willing to sacrifice being the victim of a cyber-attack versus letting staff go. So, the news that many councils have been breached in the past five years is not surprising and that cybercriminals are targeting employees stealing passwords, compromising accounts to bypass security controls is a challenge most organisations are facing globally and not unique to the UK.
People are the number one target and cause of cybersecurity failures because most of them are trusting individuals who want to help, or contribute, as part of human nature and their jobs. Hackers and malicious insiders take advantage of that trust by appearing to make legitimate business requests from bosses or sharing social items of a more personalised nature. They’re counting on peoples’ curiosity and willingness to cooperate to get them to “click on the link” in a business or personal email.
One single click on a malicious link, however, can download malware onto your computer that can immediately lock up data in a “ransomware” attack, and often, you have to send money to regain access. Or, the downloaded malware can, unbeknown to the user, begin instantly collecting information aimed at gaining credentials and passwords for exploiting later. While many of these actions by humans are accidental or not intended to be harmful, the result can cause considerable damage to themselves, their family, their co-workers, their company, and their community.
Hackers are specifically looking to steal your username and password credentials so they can access your information and impersonate as you. And, when your identity is stolen, an attacker can easily bypass the traditional technical security perimeter controls without being detected. Once inside the computer network, cybercriminals can carry out malicious attacks or access and steal confidential information by posing as a legitimate user.
A compromised personal account can easily lead a hacker to discover enough information about you to make hacking your business email so much easier. As the line between business and personal Internet use continues to blur, every employee must contribute in protecting information assets at work and at home.”