Hackney Council tenders for cyber security upgrade

London’s Hackney Council is tendering for new security assurance capabilities and will evaluate a number of suppliers to take on the task, following a ransomware attack on its systems last year that, months later, has left many of its key services disrupted.

In a request for proposal (RFP) posted to the government’s Digital Marketplace, the council said it intended to establish and manage its risks across all its ICT environments to minimise the risk of a future cyber attack on its systems.

“Hackney Council is reviewing the way we deliver security assurance, following a cyber attack in October 2020 and implementing changes to where required,” the council wrote.

“This work will include a review of some of our technological tools as well our governance arrangements and processes. This work will be underpinned by a concurrent piece of work focused upon the security culture within the team.”

The project will deliver two key strands of work: a review and strengthening of policies, processes and procedures; and an analysis and implementation of new security, behaviour and skills capabilities.

The council said it had already identified a number of skills gaps and capacity shortages of its own accord that could hinder the rapid delivery of the project: user research to establish current behaviours and cultures impacting cyber security; analysis of business, procedure and policy to distil that information and turn it into actionable practice; and senior security practice to assist in the design of new processes, and delivery of training and best practice to council staff.

The budget for the project is between £200,000 and £250,000, excluding VAT, and the programme is set to run for approximately six months, with the selected team working alongside the council’s staffers “in an agile project style”, probably remotely due to the pandemic. The closing date for applications is set for 2 February 2021.

The attack on Hackney’s systems, which first unfolded in October 2020, was described by Hackney mayor Philip Glanville as “morally repugnant” and “utterly deplorable”.

It has affected thousands of Londoners, and caused ripple effects that go far beyond the availability of IT systems – for example, property purchases in the borough have ground to a halt.

Although the council was at first reluctant to disclose the precise nature of the attack, it was forced to confirm it was ransomware after the Pysa/Mespinoza gang leaked some of the stolen data online earlier in January in an attempt to conduct a double extortion attack.

The fact the data was leaked at all is a strong indicator that the council has not paid the gang – which are described by Emsisoft’s Brett Callow as “horribly amateurish” – any ransom money and is wisely refusing to do so.