Local authorities have been taking cyber security seriously for years, but Siobhan Coughlan and Helen Reeves of the Local Government Association (LGA) see a couple of trends changing the risk profile and are aiming to push it higher up the agenda for senior officials and elected members.
One is the industrialisation of cyber attacks, with the use of bots and malware to hit weaknesses in organisations’ cyber defences. The other is that councils are building more extensive chains of digital interactions both for citizens and their workforce, and while that can deliver better services it also creates more potential targets.
They also worry that the issue has often been left to IT specialists and, as a result, has not always made it into board level discussions. This has prompted the LGA’s ‘stocktake’ of cyber security arrangements in English local government, which involves councils responding to a questionnaire aimed at providing an evidence base to push the issue up the agenda and work out what steps are needed for improvement, both on a broad level and for some individual councils.
“One of the things we’re trying to do at the LGA is to get this on the agenda at the corporate level, so it’s not just the responsibility of the IT community but everybody’s,” Coughlan says. “So whether you are a member of staff or elected member using a device in or outside the office to access council systems, you have responsibility for working safely and for not putting sensitive information at risk.
“It’s the same as if you are a director of a service area that uses confidential information; you have to be responsible for it in terms of the questions you ask of your IT colleagues to ensure it is stored safely and only the right people are accessing it.”
The stocktake will use some of the £1.5 million the Government recently provided to the LGA to support improvements in councils’ cyber security. It has written to the chief executive of every council, asking them to nominate an individual to be responsible for the response. Where provided, each nominated individual has been sent a link and unique password for their council, otherwise this has gone to the chief executive by default.
Programme manager Coughlan and adviser Reeves say they have already received a number of responses, are aware that plenty of other councils are working on it and want everyone to fill in the questionnaire before the 31 August deadline. They also emphasise that all of the data will be dealt with confidentially and securely; they will only share high-level analysis of the findings and no information about any individual council will be made public. All the data will be deleted by the research company after the exercise.
They believe that most councils have robust protection in place, but it may not be given the same attention at higher levels as other resilience plans.
“Part of the challenge is not just getting to protect those things, but to understand if the worst did happen what the risks and consequences could be and having to plan ahead for that,” says Reeves.
“Lots of councils have great plans in place for things like flooding and physical events and they test them regularly. But the recognition that a cyber incident could be on that scale is still growing.”
One of the prime aims of the exercise is to make elected members more aware of the issue and get some of them taking an active interest.
“We need to get this on the agenda of elected members so they know how to ask the right questions,” says Coughlan. “One of the things we did last year was to publish a councillor guide for cyber security, which has very high level points for councillors to think about key questions they might want to ask, such as whether cyber security is part of the council’s civil contingency plan.”
The stocktake questionnaire was designed with input from public sector IT association Socitm, the Society of Local Authority Chief Executives and Warning, Advice and Reporting Point (WARP) teams for different regions, amongst others. Coughlan and Reeves say it is not just about IT, but the arrangements in place for leadership, governance, training and incident management that contribute to good cyber security.
The high level results will be presented to a meeting of the Local Government Cyber Security Board in early September, and will influence how the LGA spends much of the funding it received from the Government.
“We have some funding for this year and want to get as much of that out to councils to address the issues that have been identified,” says Coughlan. “If for example, it’s highlighted that councils have invested in training for IT professionals, but haven’t yet done enough to raise awareness with the whole workforce and elected members, and we now need to put in place this training, then the funding can be used to do that.
“If for a number of councils there is a technical issue, such as software that needs plugging, we can look at bids for that.”
Reeves says peer support from councils that are identified as doing well could be another element. The LGA has formal structures for this approach in other services and is well placed to arrange it for cyber.
It has already made some relevant moves towards joining up and sharing knowledge by bringing the WARPs together from different regions, which she says has worked well.
Coughlan adds: “We have the formal structure in place where we could recruit peers from councils where good practice has been identified and they can help other councils that need to do some work.
“It’s a standard self-improvement model. We have it in things like children’s services, planning and digital services. The aim is to get those officers in councils with good practice to help the others.”
The LGA will also provide feedback to individual councils on their responses, using a ‘green, amber, red’ system to highlight their general state of preparedness. The relevant officials could use this internally to help identify any weaknesses, and it could be used to bid for grants that the association will provide from the autumn.
“Some of this stuff is not that complicated. Is there a lead member in place who will ask pertinent questions? Is it in your civil contingency plans? Is it on your risk register? If whoever is responsible for this work can’t say ‘yes’ to most of those questions they have to quickly go away and make sure they can. That is your initial line of defence: get your house in order.
“It might be that after that there could be some attention to areas that need special care, around certain databases, what we would do if we were attacked and systems paralysed. Not everybody has thought about those things so we need to provide them with the steer.”
It all fits with other work the LGA is doing around cyber. In addition to producing the guidance for elected members highlighting questions they can ask their officials, it chairs the Local Government Cyber Security Stakeholder Group, and has worked with WARPs to encourage the sharing of their knowledge.
The stocktake is a significant step, but Coughlan and Reeves indicate they do not see it as definitive, and that there are further efforts in the pipeline.
“We need to be careful that we’re not seeing the stocktake as the answer to everything,” says Coughlan. “It’s going to give us a high level overview and we may need to do some further work to dig into particular things; but for the first time we will have the overview and some evidence.
“The message for councils is to just do it. For the first time it will give them the evidence base to raise those questions with senior managers and lead members, and they will have the opportunity to get resources and help.
“If it turns out a council has significant issues we will get it the help it needs to sort it out as best we can, and it will be from within the sector.”
New challenges in cyber security for the public sector will provide the focus for the UKAuthority Public Sector Cyber Forum, scheduled to take place in London on Thursday 20 September and free to attend for public servants.