A majority of local councils in the UK do not have adequate safeguards against phishing emails, thereby exposing their citizens to malicious hackers.
Very few local councils have adopted a cyber defence protocol that helps detect phishing emails despite NCSC's recommendations.
Back in 2015, privacy campaign group Big Brother Watch revealed that between 2011 and 2014, local councils suffered 4,236 data breaches, including 401 instances of data loss or theft. At the same time, the group also learned that there were 628 instances of incorrect or inappropriate data being shared in emails, letters, and faxes.
Two years down the line, the situation hasn't improved much. An analysis of 152 council domains by cloud data intelligence firm OnDMARC has revealed that 84% of local councils continue to lack adequate protection from cyber-attacks.
In June, the National Cyber Security Centre rolled out an active cyber defence protocol named DMARC, which it said would help local councils authenticate an organisation’s communications as genuine, thereby removing the threat from phishing emails.
The NCSC hoped that the adoption of the DMARC protocol by .gov domains would make email spoofing much harder and would prevent hackers from breaching IT systems owned by government authorities.
OnDMARC observed that as many as 84% of local councils across the UK haven't adopted DMARC as yet, thereby continuing to place their IT systems and internal data at risk. While 15% of local councils in London have adopted the protocol, only 11% in the East Midlands and 17% in the North East have adopted it so far.
The situation is much worse in the North West, where just one council has adopted the DMARC protocol to block phishing and spoofed emails.
‘Without DMARC, local authorities’ email domains can easily be spoofed by criminals. What this means for residents of some of England’s largest cities – including Birmingham, Liverpool and Bristol – is that they’re being put at risk of receiving fraudulent emails and thus falling victim to data or financial theft,’ said Randal Pinto, COO and co-founder, OnDMARC.
‘Whether you’re dealing with residents of the smallest local authority in the Isles of Scilly or Barnet, the largest borough of London, local authorities have an obligation to ensure their citizens aren’t a target for phishing attacks from spoofed Government email addresses.’
‘While a handful of councils have taken steps to secure their domains, more authorities need to heed the advice of GCHQ’s security arm by deploying DMARC,’ he added.