The Local Government Association (LGA) is planning to run a penetration testing project to help develop the cyber security capabilities of councils around England.
It is one of a series of measures that also includes the development of cyber standards with a maturity framework and awareness package.
Jamie Cross, cyber security advisor for the LGA, outlined the plans at UKAuthority’s virtual Cyber4Good conference yesterday. They are the latest step in the organisation’s effort to boost cyber security in the sector, an effort that was given impetus by its stocktake of councils’ capabilities in 2018-19.
He said the penetration testing programme will involve 10% of England’s councils and that 32 of the necessary 34 have already been recruited for a free test. The LGA has chosen a variety of local authorities with the aim of developing a comprehensive understanding of possible cyber vulnerabilities in the sector.
“We’ll be looking to extrapolate that data, and to understand qualitatively what we need to do and have a quantitative figure on costs,” Cross said.
Other ambitions include the development of cyber standards with an associated maturity framework, the purchasing of a cyber awareness raising package, an effort to build up systematic peer-to-peer support for councils and a review of incident management practices. There is also a plan to further develop the cyber self-assessment tool for councils released late last year.
On a broad front, the LGA is aiming to gain a better understanding of the comprehensive attack picture for local authorities.
“One of the most difficult things on this list is understanding attack picture,” Cross said. “At the moment we don’t have comprehensive understanding, but overall the main challenge is how do with this together with government departments and the private and third sectors to make sure this is a whole systems approach, and not just a local government one.”
He emphasised the importance of a whole systems approach, taking in the cyber resilience aspects of local authorities’ interactions with central government and other third parties, and the three strands of people, processes and technology.
“That means making sure that everything we do going forwards, whatever our strategy is, is inclusive of all those overlaps and ultimately makes it easier for private citizens to navigate the digital world securely,” he said.
“Whether that’s claiming revs and bens, getting social care for an elderly parent or just booking a waste collection, whether it interacts with central government or a third party provider, if it’s to do with a local government service we need to make sure we are thinking in terms of whole systems.”