By Geoff Connell, Socitm president and CIO at Norfolk County Council
At a time when the news suggests the criminals are ahead in the cyber security race, we cannot afford to be complacent in our approach to protecting our information assets.
This is particularly true when budgetary pressures and modern service delivery methods see us move more of our transactions online, interact with our residents and local businesses over the internet, exploit cloud services and work in increasingly complex partnership arrangements.
The opportunities for cyber attacks are increasing, and we need to understand these changes and take appropriate action.
Whilst we continue to invest in technology, it is our people that are our greatest asset, and ironically our greatest vulnerability. We must be proactive with our awareness raising and training. Throughout our organisations we need to encourage a culture which recognises the importance of protecting information, together with an understanding of the risks and of the mitigating actions staff can take.
In order to protect our vital and sensitive information we should maintain a detailed information asset register and implement good information governance, with an appointed lead for information risk management. We need to define and understand the organisation's risk appetite and use this understanding to determine the areas where investments in technology, policy changes and training will deliver the highest value in protecting the organisation.
Being resilient to cyber attacks and incidents will become an increasing priority as there are no guarantees that our defences will not be breached at some point. We can prepare by conducting regular cyber exercises that need not be technically sophisticated, but do need to focus on working together to solve problems and respond to incidents.
Good incident response and management will improve organisations' reaction time to deal with incidents, saving time and money in providing an efficient and effective recovery from cyber attacks and breaches of information security.
The General Data Protection Regulation (GDPR) will come into effect from May 2018. Organisations need to prepare now, by strengthening their governance, ensuring they have appropriately qualified expertise available and by reviewing internal processes. Staff training and testing will be even more important, as will effective incident management and response.
Cyber hygiene - getting the basics right - will have the biggest immediate impact. Keep the approach to cyber resilience simple, understandable and measurable: the local public services mantra of 'simplify, standardise and share' applies to cyber resilience. Good awareness raising, training and response will take an organisation a long way.
There must be board level leadership and scrutiny. This is a corporate issue: protecting the information and personal data we hold. Criminals need not keep the upper hand if we all work towards simple cyber hygiene, work together and support each other.
On that note, I welcome the focus in the 2016-21 National Cyber Security Strategy and the creation of the National Cyber Security Centre as reflecting the importance of the topic, the need for funding, and the capacity to help the public sector keep safe and secure in this increasingly digital, connected, online world.
This article was first published in Local Leadership in a Cyber Society: Being Resilient by the DCLG led National Cyber Security Programme - Local and iNetwork.