Local authorities are at increased risk due to the lack of a complete cyber security perspective, according to the Ministry of Housing, Communities and Local Government (MHCLG).

A new report from its Local Digital Collaboration Unit (LDCU) explained the findings of a pre-discovery project that it launched in March, following stakeholder interviews and analysis of 163 councils’ responses to a survey on ransomware.

It highlighted that there is no consistent understanding of what cyber security means for a council, making consistent prevention more difficult. There was similar inconsistency as to what constitutes a breach, with a widespread perception that cyber security relates solely to penetration testing and defending against hackers.

“We believe this is an incomplete perspective, as cyber risk extends to the systems, the data kept in systems, the hardware used to access systems, and the services provided,” read the report.

Local authorities also have differing opinions of what good security looks like, with non-IT staff often unaware of their responsibilities. Cyber security is often seen as an IT, not a business risk, so does not always get the attention or funding it needs, noted the document.

There is a growing knowledge of incidents affecting other councils and an appreciation of the usefulness of information sharing networks, but the main channel for sharing knowledge - regional warning access and reporting points (WARPs) - often need to be strengthened.

Analysis of cyber risks is also inconsistent when procuring IT and non-IT services, along with joint procurement of cyber security contracts among local authorities.

The report did note good take-up of National Cyber Security Centre services, although users are often confused by the services and groups available to offer support.

The LDCU did not to provide any firm recommendations, but put forward several hypotheses that could lead to improvements, including better building and maintenance of services; configuring their technology appropriately; providing clearer standards, expectations and goals for councils; and improving the quality of and networks for sharing information.

“This pre-discovery was vital in order to rapidly understand the landscape and gather evidence from councils and stakeholders," it stated. “As we move into the next phase we will validate our findings and focus on the elements that will have the greatest impact on cyber health and resilience.”

It prioritised three themes for further work - one focused on encouraging ‘security by design’ in local government; the second around standards and technical guidance to identify any gaps and those that councils are struggling to follow; and the third will deal with ownership, responsibility and accountability.

Share Story: