Five easy wins to strengthen cyber resilience in local government

Getting ready for the UK Cyber Security and Resilience

Renata Vincoletto, CISO, Civica

Citizens may begin to notice that something is up when they try to access their local council’s website to check on their housing benefit application, pay their council tax, report a stolen bin, find out dates for the school holidays or access any other public service, only to discover the message: ‘This site is currently unavailable’.

Meanwhile, council staff begin their working day but are unable to log in to their emails, open their case load, share information that has been requested by the police or the NHS, or respond to urgent public enquiries.

A cyber attack on a local authority has the potential to cause mass disruption to critical services. It also brings risk of financial losses or the loss of extremely sensitive citizen data.

Forthcoming legislation in the shape of the Cyber Security and Resilience Bill has been designed to strengthen and modernise UK cyber defences to protect essential services, critical infrastructure and digital services. It focuses on improving incident response and reporting, expanding resilience standards to include the supply chain, cloud services and managed service providers, and give regulators a clear enforcement power.

However, strengthening cyber resilience in local government should not be dependent on legislation.

Here I’ve picked out five easy wins that will make an immediate difference to improving security posture and protecting councils from attacks.

1. Employ a third-party continuous monitoring tool

We are all co-dependent in the cyber world. If there is a breach in one place, chances are that lots of parties elsewhere in the chain are going to be affected.

In local government, this encompasses outsourced services ranging from IT and HR platforms to buildings maintenance, social care systems and revenue collections. It’s a complex ecosystem of suppliers, contractors and cloud providers that councils need to be able to trust.

In the past, having visibility over the security posture of the entire supplier network has been challenging, often relying only on an annual questionnaire. However, technology now enables the move to continuous monitoring and far greater visibility.

There is increasing take-up among local authorities for continuous monitoring tools in which organisations in the supply chain share up-to-date security compliance details and credentials in one place. Continuous monitoring should complement, not replace, due diligence - helping councils focus assurance efforts where risk is highest.

Automated risk ratings, attack surface scanning and vendor risk dashboards help map the landscape while real-time updates on emerging threats, expired certificates, exposed services and data breaches provide full risk oversight. This even extends to 4th parties – the suppliers of your suppliers - so that any weak links, risks or breaches further down the chain that could have an impact can be identified early.

2. Subscribe to Threat Intelligence Feeds

Knowledge sharing is one of the greatest tools in cyber security. There is a community of experts that monitor the dark web and look out for any movement that could spell danger for particular sectors, including local government.

Subscribing to threat intelligence feeds is a way to keep abreast of their findings and gain early warnings of emerging tactics, ransomware campaigns, credential leaks or sector-specific malware that could pose a threat.

There are many feeds and newsletters available, such as the National Cyber Security Centre (NCSC)’s Early Warning Service or via the Cyber Security Information Sharing Partnership. Some of them are free, but the most comprehensive feeds are usually paid services.

Of course, the real value comes from acting on the intelligence. Indicators of compromise should be fed into intrusion detection systems, while intelligence should shape patching priorities and risk assessments. For resource-constrained councils, sharing analysis with partner councils in Combined Authorities or Security Operations Centres (SOCs) can help stretch scarce expertise.

3. Engage with your regional cyber cluster

Throughout the UK there are regional cyber clusters supported by the Department for Digital, Culture, Media and Sport (DCMS) and the UK Cyber Cluster Collaboration, known as UKC3.

They provide spaces where councils can share incident indicators, collaborate on training and even coordinate mutual aid during crises. There are lots of free events and services available, so get involved. They can also open access to local university talent pipelines and cyber start-ups.

Engaging in these communities can directly help address the skills and resource gaps that are otherwise a major barrier to resilience. Collaboration like this is one of the strongest force multipliers available to local authorities, so it’s important to remember that you are never facing cyber resilience alone.

4. Establish best practice in incident reporting

Reporting can be complicated, especially when there are several different bodies to contact depending on the type of breach, from the NCSC to the Information Commissioner’s Office. Creating a more streamlined approach with a single reporting channel would be beneficial to smaller organisations and those with limited budgets, but that is perhaps something for the future.

Still, the new resilience bill is likely to impose stricter rules on incident reporting, with tighter timeframes and clearer requirements for follow-up action. Right now, many councils have patchy or manual incident reporting processes that make it hard to see patterns or demonstrate compliance.

It is time to try and standardise and automate reporting – defining what counts as an incident, setting SLAs for escalation and embedding reporting templates into service desk workflows. Aligning with the NCSC’s Cyber Incident Response framework is a great starting point, as there are lots of free tools there that can help you manage successful incident reporting.

5. Assume Breach

Finally, it’s important to remember that cyber security is a continuous learning process. We will never be perfect or achieve an end-target. As such, the best mindset is to always assume that you have either been breached already or that it will happen imminently.

This will help you to focus on being vigilant in continually testing all possible entry points. It will also mean that you will not be surprised or unprepared when something does happen.

Even well-defended organisations are compromised. It can come in the form of a seemingly innocuous email attachment that catches someone off-guard and leads to malicious software entering your network and shutting down essential systems.

Unfortunately, with councils being prime targets for ransomware and fraud, it is inevitable that there will be attempts to break through. Set up the above practices and work with staff to embed the behaviours that will improve your cyber resilience.

Cyber resilience is not a single project or policy - it’s a culture of preparedness. Every small step taken today reduces the impact of tomorrow’s inevitable attack.