30th October 2015
The Cyber Threat
The headlines about TalkTalk’s recent online security breach are a reminder to us that cyber-attacks and online data theft are a daily reality for UK businesses. Of course, it is not just businesses that are susceptible to cyber-attacks.
Local authorities also hold significant data on individuals as part of our work providing services to our communities, which means that the cyber threat now affects us as much as any other organisation.
Government has rightly invested significant resources in ensuring we all understand how to respond to such incidents. Yet, despite this investment, the threat we all face continues to escalate and continues to feature as a high-level risk on our Local Resilience Risk Registers. As with all other Resilience Risks it is vital that we adequately describe the threat we’re facing and the different ways in which the threat might manifest itself in our local communities in order to ensure we develop the requisite risk mitigation strategies.
The term ‘cyber’ can often be daunting to colleagues, used as a short-hand to describe the use of technology to access information. This is further compounded by the fact that most immediate responses to cybersecurity are also technology-based – economic crime experts at the UK’s National Lead Force for Fraud, the City of London Police, state that 80% of known cyber attacks and frauds can be prevented by basic IT hygiene. Meanwhile, internal threats to information security run from the inadvertent (simple user error, loss of mobile devices) to the malicious (internal
fraud, data theft).
Talk of the ‘Internet of Things’ often paints a bleak future of endless vulnerability. But today’s technology also presents its own risks with the rapid integration of bring your own device (BYOD), cloud computing and the growth of new systems bolted onto inadequate or insufficiently compatible existing frameworks. As a result, the likelihood of information security being compromised is higher than ever – even if only unwittingly.
To make matters worse, hackers are well-funded, persistent and sophisticated, fueling the exponential growth in cyber-attacks over the past few years. Most local authorities now experience, though thankfully also successfully defeat, multiple attacks per month. The danger, experts say, is that increasingly such attacks are going undetected.
Colleagues will need little convincing that a key part of tackling this threat is getting our own houses in order, ensuring that data and command structures remain secure.
Government has rightly invested in protecting our Critical National Infrastructure. But we should also be able to predict the need for a local multi-agency response to a high profile attack and data breach on a public institution be it a hospital, an emergency service or even a local authority itself. Equally, we need to ensure that we can fend off attacks on public sector websites and social media messaging streams (as has already been experienced by agencies in the US).
Risk Mitigation strategies will start with the most basic IT responses as described in the Governments Cyber (Security) Essentials Programme but will necessarily also need to include reviews and changes to people and information processes. Local Resilience Forums have the opportunity to act as a communications channel for a host of best practice guides that already are available through many Government Departments Response strategies should also be mapped to consider communications, accessibility to experts, and issues of business continuity. Of course, relevant training through tabletop and similar exercises will be crucial stress testing contingency plans.
The cyber threat now forms a significant part of our working lives – daunting and increasing. But the approach we need to take as Resilience Forums is actually quite familiar – the challenge for colleagues is to ensure that we start to put some tangible strategies in place at the earliest opportunity to tackle the cyber threat before it escalates further.
By John Barradell, Town Clerk & Chief Executive, City of London Corporation, and Solace Spokesperson on Civil Resilience and Community Safety