Local authorities across the UK are experiencing an average of 10,000 attempted or successful cyber attacks every single day and have seen a 14% year-on-year increase in incidents to over two million so far this year, according to new figures published by Gallagher, a provider of insurance broking and risk management services.
Gallagher lodged Freedom of Information (FoI) requests with every local authority in the country and received information back from 161 of the 333 county councils, district councils and unitary authorities in scope – suggesting the true number of incidents is much, much higher.
The data shows that phishing attacks are by some margin the biggest threat facing local authorities, with 75% of respondents saying these were the most common form of attack – phishing, of course, is generally a precursor to a more impactful incident, such as a ransomware attack. Distributed denial of service (DDoS) attacks, which have the potential to wreak havoc on local public services by disrupting websites and so on, were the second most common attempt type, and ranked as the top threat for 6% of respondents.
“Criminals unfortunately know only too well that cyber attacks can cripple systems, and with many councils increasingly servicing local people’s needs digitally, they simply cannot afford to experience downtime,” said Johnty Mongan, head of cyber risk management at Gallagher.
The firm also revealed that although most incidents are intercepted and thwarted, local authorities have collectively paid out more than £10m in the past five years, including money lost to hackers, legal costs, and regulatory fines.
Also, about 52% of respondents had hired external experts to help advise on mitigating cyber risk in the past 12 months, and 85% had increased their own security spending, although only 23% had invested in cyber insurance policies.
“It is positive to see that councils are recognising this threat, and looking to employ external experts to help prevent cyber attacks,” said Mongan. “Risk management and putting in the right security is absolutely key and external experts are best placed to advise what the most up-to-date measures are.”
Tim Devine, managing director for government, housing, education and public sector at Gallagher, added: “It is important to have a plan in place, should the worst happen. With so many attacks happening every day, it only takes one error to cause significant problems.
“The risk in terms of associated costs and reputational damage as a result of cyber threats means that having specialist cyber insurance in place should be a key consideration, but is by no means the only consideration for those wishing to mitigate the risks of an attack.”
However, many buyers are finding it increasingly difficult to obtain cyber insurance coverage because of a combination of increasingly costly premiums and stricter clauses on the risk and compliance regimes that organisations need to have in place to prove eligibility for a policy.
Insurance market Lloyd’s of London announced in August that it was clarifying the scope of coverage for its insurance groups’ cyber insurance policies, encouraging managing agents to recognise and apply due diligence to the specific complexities around state-sponsored cyber attacks.
According to one recent report, the number of organisations – not just public sector bodies – pushed out of the cyber insurance market for one reason or another looks set to double between now and the end of 2023.