Bank Holiday Monday, August 2017. The weather in Whitehaven is resplendent. Locals and tourists alike are making the most of the three-day weekend, lounging in beer gardens, rambling through the Cumbrian countryside, or dozing in that all-too-rare British sunshine.
But a storm is brewing. Just as residents and holidaymakers take advantage of the quaint little town’s parks, pools and pubs, cyber-criminals take advantage of a gaping, hitherto unidentified zero-day vulnerability in Copeland Borough Council’s online systems.
Within three days, the majority of Copeland’s systems are encrypted. The hackers demand a ransom, paid in Bitcoin, before they will allow council employees access to the files. Copeland refuses to pay. It takes nearly 10 weeks for parts of the council to restore basic IT functionality – that means no printing, scanning or access to financial systems for over two months. During this time, council employees aren’t being paid, council vehicles aren’t being fuelled, and housing sales are halted. Many processes aren’t restored until the following February. Not until October 2018 is it revealed that damages reached in excess of £2m.
While dramatic, this isn’t an isolated incident. In fact, Copeland wasn’t even the only council targeted on that sunny Bank Holiday – Islington and Salisbury also suffered cyber-attacks, although they didn’t succeed. Copeland was just one of the early victims in a long string of costly hacks on UK councils – Hackney (£12 million), Redcar (£10 million) and Gloucester (£787,000) all fell to cybercrime in the years following. What’s more, UK councils suffered an almost unbelievable 10,000 attempted cyber-attacks every day in the first half of 2022.
UK councils are obviously a favorite target for cyber-criminals, but why is that? What is it about these relatively small, largely underfunded, and often obscure government bodies that cyber-criminals find irresistible?
Some answers lie within the private sector. In recent years, cyber-criminals have targeted SMEs for the same reasons they target councils. Consider councils as the public sector’s SMEs – the central government is equivalent to large corporations, and local councils are their smaller counterparts.
Councils and SMEs are a favourite target for cyber-criminals because, to be blunt, they’re low-hanging fruit. Granted, the rewards are unlikely to be as fabulous as with their larger counterparts, but they’re typically far easier to hack. Smaller budgets generally mean lower ransoms, but it also means less spending on cybersecurity, if any at all. Contemporary nation-states and large corporations throw millions or even billions of pounds towards bolstering their security posture, but councils and SMEs don’t have that kind of money.
It’s worth noting that councils are likely to be the target of state-backed cybercrime. Again, the SME comparison rings true – cyber-criminals often target supply chains to reach the large corporation that outsources to them. In this case, local councils are analogous to the central government’s supply chain. In light of this, councils and councillors have responsibility for national security. A mistake or misjudgement could lead to a major hack on the central government.
An ITV investigation from earlier this year found huge disparities in local councils’ cybersecurity spending. One council, for example, spends £1m a year on cybersecurity while another spends only £32,000. As is with the case of SMEs, apathy, inaction and ignorance towards cybersecurity isn’t endemic to UK councils, but it is a problem that needs to be addressed.
However, the UK government has expressed a will to bring local council cybersecurity up to speed. February’s National Cyber Strategy 2022 is perhaps the most explicit of these efforts, with the cabinet office declaring: “Our focus is also on making the public sector more resilient, helping councils protect their systems and citizens’ personal data from ransomware and other cyber-attacks.” What’s more, the UK Government provides a wealth of resources for anyone, council employees included, looking to improve their cyber hygiene.
- A councillor’s guide to cybersecurity – Provided by the Local Government Organisation, this is the most comprehensive and focused cybersecurity resource for councils.
- 10 Steps to Cybersecurity – Provided by the NCSC, this resource offers actionable advice on protecting individuals and organizations from cyber threats.
- Cyber Essentials – An NCSC-backed accreditation that ensures an organization implements the necessary cybersecurity protocols, reducing cyber risk by up to 98.5%. The best Cyber Essentials providers work with organizations, offering advice and support to ensure they pass first time.
All in all, it’s important to remember that cybersecurity doesn’t need to be difficult. At first glance, getting acquainted with the necessary principles can be overwhelming, but it doesn’t need to be this way. You don’t need to be a cybersecurity expert to be cyber-secure – make use of the resources available to you, follow guidelines to the letter, and enjoy the peace of mind that comes with knowing you’ve done everything you can to protect yourself, your community, and your country.