Councils face a number of shortcomings when it comes to their cyber security perceptions, according to research published by the Ministry of Housing, Communities and Local Government (MHCLG).
The report, which interviewed 163 local authorities across England on ransomware and is part of a pre-discovery exercise, was motivated by a need to understand how central government can reduce risk and optimise spending in support of, and collaboration with, local authorities.
An inconsistent view of what cyber security means to a council is one of the research findings, with respondents having difficulty providing uniform definitions of what constitutes a breach, for example. That is despite 37 attempted breaches of UK local authorities occurring every minute, according to the Big Brother Watch report also cited in the study.
“What good cyber health and maintaining good cyber health looks like is unclear,” the report said. “Cyber security means different things to different people.”
According to the report, stakeholders felt that information management is separate to cyber security, even though the National Cyber Security Strategy includes information management. There is also a view that cyber security and risk relates solely to penetration testing, defending against hackers and defending against virus threats, it said.
“We believe that this is an incomplete perspective [because] cyber risk extends to the systems, the data kept in the systems, the hardware used to access the systems and the services provided,” the MHCLG report noted.
In addition, the survey found that cyber security is often viewed as a technical issue, rather than a business topic, and is not seen as being everyone’s responsibility.
While the MHCLG report said there is evidence of good and bad practice when it comes to cyber security in councils, it added that there was no single fix to local authorities’ cyber security risk, as issues vary in size, severity and context.
The study also noted that a “potentially overwhelming amount of guidance” often leads to a lack of clarity and confusion over cyber security.
Three hypotheses emerged as having a greater potential to help support local authorities with cyber security. The first, on which there was strong consensus among the senior stakeholders working in cyber security who took part, is that vulnerability to cyber attacks would be reduced if local authorities build, plan and maintain services in a secure manner.
Another idea that most participants in the study supported is that cyber security risk would decrease at local authorities if they subscribed to clear standards, expectations and goals.
In addition, leaders agreed that cyber security risk would be reduced if behaviours, ownership and responsibility for cyber health at local authorities were improved.
As part of the discovery exercise, the MHCLG will now look to define the problem space around the three themes that emerged as priorities, and quantify the value of increasing cyber security across local authorities. It will also seek to understand the capabilities, disablers and enablers related to the three prioritised areas.