Local authorities and councils up and down the UK are being hit by an average of 800 cyber attacks every hour, with more than 263 million incidents noted in the first six months of 2019 alone, according to figures gathered by insurance broker Gallagher using the Freedom of Information (FoI) Act.
Gallagher made FoI requests to every authority in the UK and found that, of the 203 that responded, 76, or 37%, had reported a cyber attack between January and June 2019. Given that 204 other authorities of the 408 in the UK did not respond, this would suggest the true number of attacks against UK public sector organisations is much higher, potentially double.
Since the start of 2017, Gallagher found 17 attacks were reported to have resulted in a loss of data or money, with the average cost to the victim of a successful attack being around £430,000. The firm also found that only 13% of councils hold a standalone cyber insurance policy, even under threat of heavy fines for breaches since the introduction of the General Data Protection Regulation (GDPR).
Tim Devine, managing director of public sector and education at Gallagher, said: “Our research illustrates the scale of the challenge facing local authorities in the UK. Councils are facing an unprecedented number of cyber attacks on a daily basis.
“While the majority of these are fended off, it only takes one to get through to cause a significant financial deficit, a cost which the taxpayer will ultimately foot. Costs and reputational damage at this scale can be devastating for public authorities, many of which are already facing stretched budgets.”
Devine added: “In many scenarios, the people responsible for purchasing cyber insurance products need decisions to be made at member, or management level. The cyber threat and the need for cover needs to be high on every local authority’s agenda.”
The nature of public sector organisations in general – not just local authorities – tends to make them tempting targets for cyber criminals thanks to factors such as lack of education among users, lack of attention paid by cash-poor IT teams, and a treasure trove of data held on the general public by councils, schools and universities, the NHS and other social care bodies, and, by extension, the private sector contractors that oversee much public service work.
A recent National Cyber Security Centre report, for example, revealed that the UK’s universities lost almost £150m from cyber attacks in the first six months of 2018, and warned that highly mobile and frequently changing student populations made it much harder to take adequate security precautions.
In July 2019, meanwhile, an FoI request made to the UK government by device security services supplier MobileIron found that government staffers had lost 508 mobile and laptop devices between January and April 2019.
Responses from eight out of nine Whitehall departments contacted revealed that only 10% of these devices are ever recovered, and with the average organisation using a great and growing number of cloud-based applications, MobileIron warned that the volume of data that could be compromised from just one device was potentially huge.