Cath Birch, Chief Information Officer at Buckinghamshire County Council, outlines why they take cyber security very seriously.
No one can deny that digital technology is having a huge impact on the way we live our lives. From video calls to online shopping, almost every aspect is being transformed.
At Buckinghamshire County Council (BCC) we are also embracing new trends like bring your own device to work (BYOD), remote and mobile working policies and cloud computing applications.
However, as cyber-attacks become more sophisticated and widespread, one of the main challenges we face today is how best to ensure security in an interconnected world, where employees’ ability to communicate anywhere and at any time via multiple devices can put them at greater risk of a cyber-attack.
As a local authority delivering a number of statutory services, our biggest risk from slipping security standards is personal and/or sensitive data being leaked or falling into the wrong hands.
For us, it’s all about having assurance that what we have in place is fit for purpose.
Every year we complete the Public Service Network (PSN) Compliance Assessment and have N3 accreditation. The PSN is a network which allows organisations, authorities, and agencies that deliver public services, whether national, regional, or local, to share information.
To provide PSN services, we must meet agreed standards of security, technical performance, service management and governance.
N3 is a very large network, with 1.3 million NHS users. The accreditation allows us to access and share data securely with colleagues in health and social services including GP practices and hospitals.
In addition, we were offered free ‘cyber assessments’ by central government which helped us to identify and address areas where we were potentially susceptible to risks.
Furthermore, we have recently achieved ISO 20000 accreditation. ISO 20000 is the international standard for IT Service Management (ITSM) and is published by the International Organization for Standardization (ISO) and the International Electoral Commission (IEC).
It allows us not only to continually improve our delivery of IT services for the authority but also to demonstrate excellence and prove best practice in IT service management. Our next step is to look at Cyber Essentials – a scheme which covers the basics of cyber security in an organisation’s enterprise or corporate IT system.
For an organisation such as Buckinghamshire County Council, with vast information systems that are susceptible to a wide range of security threats, the Cyber Essentials controls scheme will be a beneficial component.
Implementation of these controls will significantly reduce the risk of prevalent but unskilled cyber-attacks. From a technical perspective we are a member of the South East Government’s Warning, Advice and Reporting Points (SEGWARP) and the Cyber-Security Information Sharing Partnership (CiSP) to share knowledge and best practice.
If we can tackle problems, such as malware threats, before they happen, it means we can learn as we go and benefit from a greater level of protection.
Our email system is filtered through MS Exchange Online Protection (EOP), which helps to eliminate threats before they reach staff email inboxes and has real-time anti-spam and anti-malware protection. All emails passed clean are then subject to virus protection at the desktop.
However, in recent months there has been an increase in sophisticated scam and malware attacks attempting to get information and/or plant potentially dangerous viruses into BCC computer systems.
We are now looking to implement Microsoft’s Exchange Online Advanced Threat Protection (EOATP). This will allow us to protect our email system against new attacks in real time by pre-screening any emails containing links or attachments in a secure environment before they are let through.
To raise awareness amongst staff, who can potentially be our biggest threat to cyber security, we continuously run internal campaigns so they are clear on the ‘do’s and don’ts’. We hope training staff, especially new joiners, will mean greater protection across the system. We have recently updated our IT policy security protocols – a set of guidelines for managing, operating and using the council’s information systems.
We ensure these policies are always available on our intranet system so staff, contractors and third parties can familiarise themselves with them and understand their obligations.
We are now looking to enhance this system further with the introduction of software to record whether staff have ‘accepted’ individual policies, to support our compliance and assurance agenda.
As the majority of BCC staff live in the County, we feel the best way to get messages to residents is by encouraging staff to share any advice we give about staying safe online with their friends and family.
For example, when ransomware (a type of malware) was doing the rounds we advised people not to click on any suspicious emails or links attached to them, and offered guidance on the different ways scammers try to plant malware or extract sensitive information such as passwords.
Cath Birch
Chief Information Officer
Buckinghamshire County Council
Indeed, digital technology is everywhere and we don’t live our lives without digital technology. So thus with cyber criminals, they are victimizing many businesses and even individuals every day.