Local councils across the UK suffered as many as 98 million cyber attacks in the last five years, resulting in 376 cyber incidents in total, a report from privacy group Big Brother Watch has revealed.
Local councils are collecting more information about citizens than ever before, yet they fail to provide cyber security training to employees and do not report all breaches to authorities.
The eye-opening report reveals that local councils in the UK suffered an average of 37 cyber attacks every minute between 2013 and 2017, thereby signifying the extraordinary threat posed to them by cybercriminals looking to steal large troves of customer data from their servers.
The report added that in the last five years, 25 local councils have suffered data breaches, but fewer than half of such incidents were reported to authorities. Even though a majority of such incidents occurred because of human error, 75 percent of councils haven't imparted mandatory cyber security training to employees.
In all, 114 local councils, or nearly one in every three in the UK, suffered at least one cyber incident in the last five years, totaling 376 such incidents since 2013. 56 percent of affected councils did not report breaches suffered as a result of cyber attacks, thereby avoiding embarrassment and possible imposition of fines by the ICO.
As far as providing cyber security training to employees is concerned, the report from Big Brother Watch observed that while 297, or 75 percent of all local councils, did not provide mandatory training, 62 councils did not provide any cyber security training at all.
“With councils hit by over 19 million cyber attacks every year, one would assume that they would be doing their utmost to protect citizens’ sensitive information. We are shocked to discover that the majority of councils’ data breaches go unreported and that staff often lack basic training in cyber security. Local authorities need to take urgent action and make sure they fulfil their responsibilities to protect citizens,” said Jennifer Krueckeberg, Lead Researcher at Big Brother Watch.
Commenting on the report from Big Brother Watch, Stephen Burke, Founder & CEO, Cyber Risk Aware, told TEISS that the lack of training imparted to employees by local councils is quite concerning, considering that GDPR is only a few months away.
“Employees are on the front line when it comes to safeguarding data and it only takes one person to click on a malicious link to place the security of the entire organisation at risk. The role of staff awareness and education is particularly significant with the EU GDPR set to come into force. It’s more important than ever for all organisations to take measures to educate staff on the basics of good cyber security, from how to spot potential phishing emails to how to report anything that doesn’t look genuine.
“Through regular simulated attacks on staff, it maintains a very high level of awareness because at an emotional level, people don’t like feeling they have been caught out and therefore try hard not to feel that way again. It has the great effect of rapidly reducing the risk of a user falling victim to a phishing email,” he said.
This isn't the first time that poor cyber preparedness of local councils in the UK has been exposed by concerned researchers and privacy groups. Back in September, information obtained by Digital Health Intelligence via a Freedom of Information request revealed that among 281 local authorities in the UK, almost 60 percent did not have a cyber security strategy in place to ward off cyber threats.
Similarly, information obtained by intelligent information management company M-Files via a freedom of information request in July also revealed that a majority of boroughs in London and in the rest of the UK did not allocate budgets for implementing protocols mandated by the GDPR nor did they appoint Data Protection Officers as mandated by the regulation.
Commenting on the total number of cyber attacks faced by local councils in the last five years, Joseph Carson, Chief Security Scientist at Thycotic, says that the numbers are not surprising at all.
"With shrinking budgets and most councils struggling just to keep the lights on, cybersecurity is surely the last thing on their mind, especially when they have to decide whether to hire vital staff or choose on upgrading software to keep them patched with the latest security updates.
"Just like many organisations the focus is on the business and if cybersecurity is not adding value then it is a cost and for most, they are willing to sacrifice being the victim of a cyber-attack versus letting staff go. So, the news that many councils have been breached in the past five years is not surprising and that cybercriminals are targeting employees stealing passwords, compromising accounts to bypass security controls is a challenge most organisations are facing globally and not unique to the UK," he adds.