Councils’ cyber security is disjointed and under-resourced

A new report has highlighted a disparate and fragmented approach to cyber security among local authorities in the UK.

The Redscan report is based on analysis of Freedom of Information data supplied by more than 60 per cent of borough, district, unitary and county councils.

In the last 12 months there have been numerous reports of data breaches at UK local authorities, including high-profile incidents suffered by Hackney as well as Redcar & Cleveland Borough Councils.

The National Cyber Security Centre recently warned that the cyber security challenges faced by councils are likely to grow due to urban centres becoming increasingly connected.

Redscan’s report provides a snapshot of the state of cyber security across local authorities, suggesting that more must be done to minimise the risk of future incidents and disruption to services. It found that UK councils reported an estimated 700+ data breaches to the Information Commissioner’s Office in 2020.

Furthermore, ten councils had their operations disrupted as a result of breaches or ransomware, with one council reporting 29 data breaches to the ICO in 2020.

However, approximately four in ten councils spent no money on security training and just half of all UK council employees received cyber security training in 2020.

Mark Nicholls, Redscan CTO, said: “There is significant room for councils to improve their readiness to tackle current cyber risks as well as those that will emerge in the future as cities become smarter and more interconnected. Every council has thousands of citizens depending on its services daily. If they go offline due to a cyberattack, this can deny people access to critical services. To minimise the impact of data breaches, it is important that councils are constantly prepared to prevent, detect and respond to attacks. While our findings show that councils are taking some steps to achieve this, approaches vary widely and in many cases are not enough.

“Our analysis reveals some pretty shocking failings, such as 29 data breaches reported by one council to the ICO in a single year. The fact that approximately half of all council employees across the UK didn’t receive security training in 2020 is also concerning.”