An investigation by security researchers (1) reveals that at least one in four UK councils have been hit by cybersecurity breaches resulting in the loss of data over the past five years. Sungard Availability Services looks at this growing problem and how to mitigate the risks
Between 2013 and 2017, there were more than 98 million cyberattacks on councils, which store data relating to millions of residents. Last year alone, councils were hit by over 19 million cyberattacks, many of which involved viruses and other malicious software or ‘phishing’ activity. Local authorities are among the bodies most commonly featuring in fake emails designed to trick citizens into believing they come from a trusted source so that they hand over passwords, credit card details and other personal data.
Cyberattacks are a growing problem for both the public and private sector. With business transacted over the internet worth an estimated $966.2 billion – equivalent to 6% of GDP in 2014 (2) – no organisation today can afford not to be connected. This is especially true for businesses in the UK, whose economy is the most internet-dependent, accounting for 10% of GDP. (3)
However, as with the public sector, being connected brings risks and almost half of all UK businesses identified at least one cybersecurity breach or attack last year. (4) Household names that have hit the headlines for all the wrong reasons in 2018 include Adidas, Dixons Carphone and Ticketmaster.
According to the Sungard Availability Services-sponsored BCI Cyber Resilience Report 2018, this is a challenge that is likely to grow even bigger in years to come due to a higher adoption of Internet of Things (IoT) technologies, government-sponsored cyberattacks and cryptocurrencies.
Dr Sandra Bell, Head of Resilience Consultancy EMEA for Sungard AS, notes: “Since the publication of the first BCI Cyber Resilience Report three years ago, we have seen cyber threats and the havoc they can cause, transition from being an interesting subject within the specialist technical press, to headlining the business pages of the broadsheets. Organisations are now not just suffering localised operational disruptions due to the corruption or lack of business data, but they are experiencing highly public, severe financial and reputational impacts at a scale and scope that threaten their very existence.”
Some 574 respondents in 77 countries were surveyed for the authoritative BCI report, which found that two-thirds of respondents had suffered at least one cyber disruption over the past 12 months.
The top five causes of an incident were:
- Phishing, spear phishing and social engineering (72%);
- Malware (54%);
- Ransomware (31%);
- DoS/DDoS (28%) and;
- Out of date software (26%).
The main effects of a cybersecurity incident were:
- IT and telecom outages (36%);
- Reputational damage (18%);
- Profits hit (11%);
- Supply chain disruption (9%) and;
- Physical security concerns (8%).
However, a cyberattack differs from many of the disruptive threats and hazards that organisations face in one significant way. Unlike a flood, fire or power failure, a cyberattack is a ‘risk with an adversary’. This means they need to be agile, flexible and strategic in their response and executives ready and able to lead their organisations through the complex and uncertain situations that a cyberattack can cause.
The executive team needs to be intimately involved in the preparation and planning to ensure that the whole organisation is able and ready to adapt their response as and when necessary.
Encouragingly in this respect, the report reveals more than half of organisations enjoy commitment from those at the top, as well as a greater involvement outside the IT department. These findings reflect Sungard AS’ own experience in that its experts are increasingly being brought into the boardroom to coach the cabinet in crisis leadership and prepare the whole authority to respond to cyberattacks.
Fighting back
The good news is there are measures organisations can take to counter the cybersecurity threat. Dr Bell elaborates: “To counter such a threat an organisation needs to bring many forces to bear. Technical information security, such as firewalls, anti-virus and DDoS protection, together with good IT system housekeeping, regular patching and user awareness training, provides an excellent foundation that will almost certainly reduce a council’s vulnerability. Likewise, a strong disaster recovery and business continuity stance will ensure, that should defences be breached, the organisation is ready and able to continue critical business processes.”
With the UK government working to make public services digital by default as part of its transformation strategy and the unveiling of the newly-announced Digital Pledge (5), this has never been more important. Sungard AS has developed a five-step plan to help public and private sector organisations build their cyber resilience:
- Identify your risks – not just your vulnerabilities – Likewise, consider your people, processes and culture – not just your IT systems. Once you’ve assessed your risks and know what you’re up against, develop a cyber resilience roadmap, so you know what you need to do to succeed and how to get there.
Things to think about: Cyber risk assessment and cyber resilience roadmap.
- Create a robust yet agile IT infrastructure – This will reduce the chance of an attack but, more importantly, ensure you’re in the best possible shape to respond when it does.
Things to think about: ICT transformation & service continuity, information security consulting, business continuity consulting and disaster recovery.
- Develop contingency plans and capability to meet operational targets despite inaccessible or corrupted data. This should include ensuring cabinet members have the crisis leadership skills and competencies that are so often needed following a cyber incident.
Things to think about: Masterclasses, executive coaching and cyber scenario exercises.
- Build a cyber resilience culture – Cyber resilience is a complex problem and can only be solved by a variety of approaches. Likewise, threat awareness measures are consistently shown to be more effective than technological security controls. (6) Therefore, a culture that takes account of the sociotechnical aspects of security is needed.
Things to think about: Culture change, coaching, training & awareness.
- Practise so you can think on your feet – Exercise regularly so you’re prepared to adapt your response in real-time because your attackers will adapt their strategy in response to your defensive moves.
Things to think about: Crisis scenario exercises
To discuss how Sungard AS’ resilience consultants can help your organisation build its cyber resilience:
call: +44 (0)800 143 413 or
email: government@sungardas.com
References
1 Big Brother Watch https://www.standard.co.uk/news/techandgadgets/councils-targeted-by-nearly-100-million-cyber-attacks-in-five-years-a3770656.html
2 https://internetassociation.org/121015econreport/
3 https://www.bcg.com/d/press/1may2015-internet-contributes-10-percent-gdp-uk-economy-12111
4 https://www.gov.uk/government/news/almost-half-of-uk-firms-hit-by-cyber-breach-or-attack-in-the-past-year
5 https://government.diginomica.com/2018/07/06/local-authorities-sign-up-to-new-digital-pledge-central-government-will-support-with-new-delivery-team/
6 Janne Merete Hagen, E. A. (2008). Implementation and effectiveness of organizational information security measures. Information Management & Computer Security, 16(4), 377-397.
Please note: this is a commercial profile
Sally Murdoch
Sungard Availability Services (UK) Ltd
Tel: +44 (0)208 080 8945