Cyber Unpacked is the first module of Unpacking Digitalisation, a series of short explainer videos on digital concepts, created to support officers and councillors who are digital newcomers.

Each video takes a term or concept that you might hear during conversations about cyber security and digital, and unpacks it using animated examples. These videos are a tool for members and officers to improve understanding of cyber risk in under 3 minutes, which can aid decision making in the long-term.

Cyber unpacked - Series 1
What is cyber security?
The first video in the series will define cyber security, explain why cyber security is important, and introduce and explain some key terms you may hear when learning about cyber security.
What is cyber security?
This video will: Define cyber security, outline key terms such as ‘Assets’ and ‘Information Security’ and give examples of why cyber security is important.
Cyber security is how individuals and organisations reduce the risk and impact of cyber attacks. It involves protecting councils’ devices, networks, services, and the data held on each, from unauthorised access, disruption, damage, or theft.
Information, data, devices, networks, and services are referred to as assets in the context of cyber security. They are the components of your council’s digital system that are valuable and could therefore be exploited by malicious actors.
You might see the term information security used interchangeably with cyber security. Information security looks at securing information in any form, including digital and printed formats, while cyber security is focused on protecting digital data, the systems upon which the data sits, and networks via which the data can be accessed.
To understand the difference, let’s look at patient records in the NHS as an example. Cyber security ensures the protection of electronic records. Information security includes not only securing these electronic records, but also covers the protection of any information held in physical form, such as patient information that is printed or written down.
Cyber security is important because the delivery of many council services relies on digital assets. Threats to these assets can mean critical services go offline or sensitive data is disclosed publicly, which could damage a council's reputation, hurt its finances, affect its ability to safeguard, and deliver services to residents.
Cyber security is a vast field, and you will encounter terms like cyber resilience, cyber threat, and cyber risk.
These terms can be utilised by anyone in local government. We encourage you to keep an eye out for them in future videos, and to speak with others in your council about them.
There are many resources that can help you learn more about how cyber security applies to your council. For instance, the National Cyber Security Centre or NCSC website is the best first port of call for clarifying cyber security questions you have.
There is also government support on cyber security available from the National Protective Security Authority (NPSA) and the National Crime Agency's National Cyber Crime Unit (NCCU).
This video is part of a series designed to expand your understanding of digital, technology and cyber security concepts. Check out other videos to keep on learning!
What is a network?
The second video in Cyber Unpacked explains what a network is, outlines basic network components and explains the difference between public and private networks.
What is a network?
This video will: Define ‘networks’, outline basic network components, and differentiate between public and private networks
As a councillor or officer, you may come across networks in some operational tasks, like connecting to your internal council systems. You will also encounter networks in public-facing council functions, such as providing wifi in a public library.
But what exactly is a network?
A computer network is formed when two or more computers are connected in some way to share information or resources. More broadly, a network is the interconnection of computing devices, from computers, to phones, to printers, to smart devices, and so on.
Networks are typically made up of servers and clients. In this model, user devices, or clients, communicate via a network with centrally located servers to get the resources they need.
A server is a higher-capacity computer that holds the storage, printers and other resources shared with the other computers on a network. Servers are built to handle heavier workloads than a personal computer. A personal computer can run server software, but under a server's workload it would struggle and could crash.
Clients are the other computers and devices on a network that request and receive these resources from servers. Examples are end-user devices like phones and personal computers.
There are two main types of networks: public networks and private networks.
A private network excludes unauthorised users from joining the network. One example is an intranet: a network that connects only the devices within a particular organisation or site.
The internet is also a type of network. It is a global network of other networks, allowing for worldwide sharing of information. Since it is accessible to the public, the internet is an example of a public network.
If you’d like to learn more about networks, speak to your colleagues in the IT department and ask them some further questions:
How do you know that your networks are operating optimally?
How are your council’s networks secured?
This video is part of a series designed to expand your understanding of digital, technology and cyber security concepts. Check out other videos from the series to keep on learning!
What is data?
The third video in the series will define data, describe the differences between data and information, define data-related terms, and link this back to cyber security in your council.
What is data?
This video will: Define ‘data’, differentiate between data and information, and define data-related terms
Data is a very broad term, and its definition depends on the context. Data can refer to collections of text, numbers, symbols, individual facts, sounds, and images, alone or in any combination.
There is also a distinction between data and information; information is data with context applied that allows us to derive meaning from it.
To better understand this distinction, think about a council tax register. This is a database made up of different pieces of data, including the names of residents and the amount of council tax they need to pay.
When you combine the data, you get information about the council tax that different residents owe.
You may also hear the term big data. This refers to large, constantly growing collections of many different types of data.
In your work, you may come across terms like open data and data privacy. What do these mean given our understanding of data?
Open data means that data is shared freely to both council colleagues and members of the public for use and reuse. Data privacy refers to arrangements to keep data from falling into unauthorised hands. This is to avoid the data being used to glean information that could be misused.
Let’s end this video with two questions about data and your council: Who is your council’s data shared with and how? Is your council’s data secure?
This video is part of a series designed to expand your understanding of digital, technology and cyber security concepts. Check out other videos to keep on learning.
Data backups and the NCSC 3-2-1 rule
The fourth video in Cyber Unpacked defines what we mean by data backups, explains what the NCSC 3-2-1 rule is and how to apply it at your council.
What are data backups and how do they relate to the National Cyber Security Centre’s 3-2-1 rule?
This video will: Define data backups, explain what the NCSC 3-2-1 rule is and how to apply it.
Backing up data refers to copying council data, such as files and programs, from where it is mainly stored to one or more secondary locations. This copy of your data is called a data backup.
A key reason your council would back up its data is to be able to recover that data in the case of an accident, cyber security incident, or disaster that affects the primary data storage location.
Backups are especially important for responding to and recovering from a ransomware attack.
In a ransomware attack, malicious software encrypts council data so that it cannot be read. The perpetrator of the attack demands some kind of payment, or ransom, to restore the data, but there is no guarantee they will restore it even after getting paid.
This is a really tough situation, but if a council has up-to-date backups of its data somewhere safe, then it can use those to restore its operations.
But where is “somewhere safe”? If the data backups are on the same network that is exploited by this ransomware attack, then they could get corrupted as well. This could result in all data being lost, rendering systems unusable and putting key citizen services offline.
This is why it is good to have multiple backups that are separated from each other. The National Cyber Security Centre, or NCSC, recommends the 3-2-1 rule as a rule of thumb for storing multiple backups. It means having at least 3 copies of your data, on 2 different types of storage, with 1 copy held offsite.
The NCSC also suggests that one of these copies is “offline” - not connected to any networks or systems.
Here are two considerations to round off this video:
How well does your council follow some of the good practices we have discussed?
It is essential to systematically test out the process of restoring your backups. The results of these tests can inform your council’s subsequent back up processes.
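As an added illustration, not part of the video or the NCSC guidance, the Python script below checks a list of backup copies against the 3-2-1 rule and the offline recommendation, and then runs a restore test that verifies a restored file against a checksum. The copy names, the field names on BackupCopy and the council tax file contents are all constructed for the example.

```python
from __future__ import annotations

import hashlib
import tempfile
from dataclasses import dataclass
from pathlib import Path


@dataclass(frozen=True)
class BackupCopy:
    """One copy of a dataset and where it lives. The field names are
    assumptions for this example, not terms from the NCSC guidance."""
    name: str
    medium: str       # e.g. "disk", "tape", "cloud"
    offsite: bool     # held at a different physical location from the primary
    offline: bool     # not reachable from the production network


def check_321(copies: list[BackupCopy]) -> dict[str, bool]:
    """Evaluate a set of copies (the primary counts as one) against the
    3-2-1 rule plus the NCSC's additional recommendation of an offline copy."""
    return {
        "three_copies": len(copies) >= 3,
        "two_media": len({c.medium for c in copies}) >= 2,
        "one_offsite": any(c.offsite for c in copies),
        "one_offline": any(c.offline for c in copies),
    }


def sha256_of(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def restore_and_verify(primary: Path, backup: Path, restore_dir: Path) -> bool:
    """Simulate a restore test: copy the backup into a fresh location and
    confirm its contents match the checksum of the original. A backup that
    has never been restored is an assumption, not a safeguard."""
    expected = sha256_of(primary)          # in practice, recorded at backup time
    restored = restore_dir / primary.name
    restored.write_bytes(backup.read_bytes())
    return sha256_of(restored) == expected


def demo() -> tuple[dict[str, bool], dict[str, bool], bool, bool]:
    """Constructed scenario: a council with every copy on one network versus
    a council following 3-2-1 with an offline tape, plus two restore tests."""
    same_network_only = [
        BackupCopy("primary SAN", "disk", offsite=False, offline=False),
        BackupCopy("nightly NAS copy", "disk", offsite=False, offline=False),
    ]
    three_two_one = [
        BackupCopy("primary SAN", "disk", offsite=False, offline=False),
        BackupCopy("cloud object store", "cloud", offsite=True, offline=False),
        BackupCopy("weekly tape in safe", "tape", offsite=True, offline=True),
    ]
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        primary = tmp / "council_tax_register.csv"
        primary.write_bytes(b"ref,name,band\n1001,A Resident,C\n")   # constructed data
        good_backup = tmp / "council_tax_register.csv.bak"
        good_backup.write_bytes(primary.read_bytes())
        # A backup that ransomware reached and encrypted is no longer a backup.
        encrypted_backup = tmp / "council_tax_register.csv.locked"
        encrypted_backup.write_bytes(b"\x8f\x11\xd2 not readable \x00\xff")
        restore_dir = tmp / "restore"
        restore_dir.mkdir()
        good = restore_and_verify(primary, good_backup, restore_dir)
        bad = restore_and_verify(primary, encrypted_backup, restore_dir)
    return check_321(same_network_only), check_321(three_two_one), good, bad
```

The first inventory fails every check, which is the situation described above where a single compromised network takes the backups with it; the second passes all four. The restore test is the part most councils skip: it is the only way to learn that a copy was unreadable before an incident rather than during one.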
This video is part of a series designed to expand your understanding of digital, technology and cyber security concepts. To learn more about the terms we covered, please watch our other videos!
What does good password security entail?
The fifth video of the series is all about password security. We define what a password is and lay out good password security practice for you to follow.
What does good password security entail?
This video will: Define passwords, lay out good password security practice.
Let’s start with defining what a password is. A password is a sequence or string of characters. It is used to verify the identity of a user, usually to gain access to a resource.
Passwords are important from a cyber security perspective because they can prevent unauthorised access to assets. Cyber attackers will often try to guess passwords to gain access to council systems, networks and data.
Some of the most common ways they do this are: brute force attacking, which uses trial-and-error to work through possible passwords until one succeeds; and password spraying, which tries a small number of very common passwords against a large number of accounts, so that no single account is locked out by too many failed attempts.
It is generally more difficult for attackers to guess complex passwords, so many organisations require their staff to create multiple complex passwords. But this does not guarantee security, and puts a burden on staff.
A good way to help councillors and officers to manage the complexity requirement is by encouraging them to use three random words, like 'coffeetrainfish' or ‘walltinshirt’.
Councils should also consider using multi-factor authentication for important accounts. Multi-factor authentication means that the council’s system or network will require more than one piece of evidence to verify a user’s identity.
It also makes sense to regularly audit user passwords against common password lists, using free or commercial tools.
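As an added example, not part of the video or of any NCSC tool, the Python script below shows what such an audit does. It checks each password against a deny-list of common passwords, undoing the "P@ssw0rd1" style substitutions that attackers' wordlists also undo, and estimates how many guesses a brute-force attacker would need. The deny-list, the substitution table and the sample passwords are constructed for the example; a real audit would load a large published list of breached passwords.

```python
import hashlib
import re

# Constructed deny-list standing in for a large breached-password list.
COMMON_PASSWORDS = {
    "password", "password1", "123456", "qwerty", "letmein", "welcome1",
    "summer2024", "council1", "admin",
}

# Keep the deny-list as SHA-1 digests so the audit tool never holds
# plaintext passwords on disk.
COMMON_DIGESTS = {hashlib.sha1(p.encode()).hexdigest() for p in COMMON_PASSWORDS}

# Common "leet-speak" substitutions people use to satisfy complexity rules.
LEET = str.maketrans({"@": "a", "0": "o", "1": "i", "3": "e", "$": "s", "5": "s", "!": "i"})


def normalise(password: str) -> str:
    """Strip trailing digits/punctuation and undo substitutions, because
    attackers' wordlists apply the same transformations: 'P@ssw0rd1' is
    no stronger than 'password'."""
    stripped = re.sub(r"[\d!?.]+$", "", password.lower())
    return stripped.translate(LEET)


def is_common(password: str) -> bool:
    """True if the password, its lower-case form, or its normalised form
    appears on the deny-list."""
    for candidate in (password, password.lower(), normalise(password)):
        if hashlib.sha1(candidate.encode()).hexdigest() in COMMON_DIGESTS:
            return True
    return False


def guesses_to_exhaust(password: str) -> float:
    """Size of the search space a brute-force attacker must cover:
    alphabet ** length, with the alphabet inferred from the character
    classes actually present (33 printable symbols assumed)."""
    alphabet = 0
    if re.search(r"[a-z]", password):
        alphabet += 26
    if re.search(r"[A-Z]", password):
        alphabet += 26
    if re.search(r"\d", password):
        alphabet += 10
    if re.search(r"[^A-Za-z\d]", password):
        alphabet += 33
    return float(alphabet) ** len(password)


def audit(password: str) -> dict:
    """Audit one password and return the findings a report would show."""
    findings = []
    common = is_common(password)
    if common:
        findings.append("on common-password list")
    if len(password) < 12:
        findings.append("shorter than 12 characters")
    return {
        "common": common,
        "brute_force_guesses": guesses_to_exhaust(password),
        "findings": findings,
    }
```

Running audit on "P@ssw0rd1" flags it as common even though it satisfies typical complexity rules, while the three-random-words password "coffeetrainfish", lower-case letters only, is not on the list and has a far larger search space (26 to the power 15 against 95 to the power 9). That is the point of the NCSC's three random words advice: length beats symbols.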
Let’s round off the video with a question: How much of the good practice we’ve discussed does your council currently implement?
This video does not present an exhaustive list of good practice, and good practice is constantly changing.
To get the most up to date and comprehensive information please consult the National Cyber Security Centre’s guidance on password security.
This video is part of a series designed to expand your understanding of digital, technology and cyber security concepts. To learn more about multifactor authentication, please watch our video on it.
Learn more about good password security using the links below:
- NCSC - Password managers
- Password manager buyers guide
- NCSC - Updating your approach (Please note, this video does not contain an exhaustive approach or advice, and it's important to regularly review your own processes in line with NCSC guidance.)
What is a cyber vulnerability?
This video explains all about cyber vulnerabilities, including what a zero-day vulnerability is, and the measures you can take to reduce the negative consequences of any which are exploited.
What is a cyber vulnerability?
This video will: Define what a cyber security vulnerability is, explain zero-day vulnerabilities.
A cyber vulnerability is a weakness in an information system, configuration, or in security procedures, which allows a malicious actor to inflict harm to an organisation.
A vulnerability in an information system could be a software flaw, such as a web application that does not check the input its users supply. This can allow a malicious actor to inject harmful commands or code into an otherwise benign program.
Another vulnerability could be leaving default passwords in place on systems. These default passwords are often published in the public domain, putting the systems at risk. This is a weakness in how the system has been set up and configured, rather than in the software itself.
Weaknesses in security procedures are another kind of vulnerability. One example is a failure to patch, that is, to keep software updated to the latest, most secure versions. Such software is at high risk of compromise because malicious actors study security updates to learn what was fixed, and then look for systems still running the outdated versions.
Various stakeholders, such as researchers, software vendors, law enforcement, and ethical hackers, are constantly checking software code for vulnerabilities.
However there will always be vulnerabilities that have not been found. These are called zero-day vulnerabilities, because if the vulnerability is undiscovered by the vendor, they have had “zero days” to fix it.
Attacks that exploit these previously unknown vulnerabilities are called zero-day attacks.
Zero-day attacks can’t be prevented entirely, but the effects can be mitigated through proper planning to minimise disruption.
Consider the example of a council that has fallen victim to such an attack. The council is attacked by a virus that is too new to be recognised by the council's antivirus software. It encrypts the council’s data, and locks council staff out of key systems.
The council’s review states that as a zero-day vulnerability, ways to prevent the attack were limited. But the council could have invested in stronger systems and processes to mitigate the consequences, such as securely stored data backups.
To avoid the same issues as our example council, it’s important to ask: How often does your council conduct evaluations of its existing assets for vulnerabilities?
Good practice is also to run simulated attacks on your IT systems to uncover weaknesses; this is called penetration testing.
This video is part of a series designed to expand your understanding of digital, technology and cyber security concepts. To learn more about the terms we covered, please watch our other videos.
What is ransomware and malware?
This video defines malware and ransomware, and explains how ransomware can affect councils.
What are malware and ransomware?
This video will: Define malware, define ransomware, and outline how ransomware can affect councils.
The term malware combines the words malicious and software. It refers to any software that is designed to cause harm.
Ransomware is a specific type of malware that is designed to prevent organisations from accessing their computer systems and data.
Perpetrators of ransomware attacks will use this lack of access as leverage to demand some kind of ransom, usually a payment. Importantly, perpetrators may or may not restore access to systems and data upon getting paid.
Councils should not consider paying a ransom. It is against central government and UK law enforcement policy, which does not encourage, endorse or condone ransom payments, and a payment may itself be unlawful, for example where the money would go to a sanctioned group or fund terrorism.
Paying also makes an organisation more likely to be targeted again. Sectors that are known to pay have seen a spike in ransomware attacks.
Malware and ransomware can cause serious harm to council assets and operations. Let’s take, for example, a council officer who opens a suspicious email attachment that allows ransomware to get onto the council’s IT system.
The ransomware encrypts the council’s data and data back ups, rendering them unintelligible. This causes council officers’ computers to become unusable.
The attackers demand a large sum of money to restore the data, but the council refuses to pay because there is no guarantee that the data will be restored after payment.
It takes the council many months to recover from the attack, and the cost of restoring systems reaches into the millions, hurting its ability to deliver core business services to its citizens.
Let’s round off the video with two things your council can do to protect itself.
To lower the likelihood of falling victim, it is important to use mail and website filtering tools.
Your council may also want to consider using enterprise antivirus or anti-malware products that protect council servers and end-user devices together, rather than standard antivirus software which protects end-user devices on an individual basis.
Finally, it is important to talk to IT colleagues to learn about the security and mitigations your council has in place to protect itself!
This video is part of a series designed to expand your understanding of digital, technology and cyber security concepts. To learn more about the terms we covered, please watch our other videos!
What is phishing?
This video will explain what phishing is, the tell tale signs of a phishing attack and what you can do to protect yourself from them.
What is phishing?
This video will: Define phishing, point out tell tale signs of a phishing attempt.
Simply put, phishing is an attempt to trick a user into doing the wrong thing. The "wrong thing" can be many things: granting unauthorised access, downloading malware, handing over login details or intellectual property, and so on.
A phishing attempt involves a malicious actor posing as a legitimate institution via a fake website, text message, social media platform, or by phone.
However, phishing is mainly used to describe attacks that arrive by email.
There are some telltale signs that can indicate a phishing attempt. Phishing emails will sometimes use a generic salutation such as "valued customer," "friend," or "colleague." Other attacks will refer to you directly, and this is called targeted or spear phishing.
The sender's name and email address will often look like those of people or organisations you know, but typically contain small differences, such as a misspelt domain name.
The email will usually include an urgent action that you must take, such as "submit these details within 24 hours" or "you have been a victim of crime, click here immediately."
Phishing emails often request personal information, which legitimate organisations normally will not do over email.
Finally, they may also make an offer that is too good to be true, such as offering your council a million pounds without reason.
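As an added example, not part of the video, the Python script below runs those telltale signs as checks over a raw email: a look-alike sender domain (measured by edit distance against the domains you normally receive mail from), a generic salutation, an urgent deadline, a request for personal information, and an offer that is too good to be true. The known domains, the keyword lists and both sample messages are constructed for the example.

```python
from __future__ import annotations

import re
from email import message_from_string
from email.utils import parseaddr

# Domains the council legitimately receives mail from (constructed).
KNOWN_DOMAINS = {"example-council.gov.uk", "hmrc.gov.uk"}

GENERIC_SALUTATIONS = ("dear valued customer", "dear customer", "dear friend", "dear colleague")
URGENCY = ("within 24 hours", "immediately", "account will be suspended", "urgent action")
PERSONAL_INFO = ("password", "national insurance number", "bank details", "date of birth")
TOO_GOOD = re.compile(r"£\s?\d{1,3}(,\d{3}){2,}|\bmillion pounds\b", re.IGNORECASE)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot look-alike sender domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_domain(sender: str) -> str | None:
    """Return the known domain the sender's domain imitates, if it is close
    but not identical (e.g. 'hrmc.gov.uk' for 'hmrc.gov.uk')."""
    _, addr = parseaddr(sender)
    domain = addr.rpartition("@")[2].lower()
    if domain in KNOWN_DOMAINS:
        return None
    for known in KNOWN_DOMAINS:
        if 0 < edit_distance(domain, known) <= 2:
            return known
    return None


def phishing_signs(raw_email: str) -> list[str]:
    """Return the telltale signs found in a raw RFC 822 message."""
    msg = message_from_string(raw_email)
    body = msg.get_payload().lower()
    signs = []
    imitated = lookalike_domain(msg.get("From", ""))
    if imitated:
        signs.append(f"sender domain looks like {imitated}")
    if any(body.lstrip().startswith(s) for s in GENERIC_SALUTATIONS):
        signs.append("generic salutation")
    if any(u in body for u in URGENCY):
        signs.append("urgent action demanded")
    if any(p in body for p in PERSONAL_INFO):
        signs.append("asks for personal information")
    if TOO_GOOD.search(body):
        signs.append("offer too good to be true")
    return signs


# Constructed sample messages, not real mail.
SUSPICIOUS = """From: HMRC Refunds <refunds@hrmc.gov.uk>
To: officer@example-council.gov.uk
Subject: Tax refund of £1,000,000

Dear valued customer,
You are owed a refund of £1,000,000. Confirm your bank details and
date of birth within 24 hours or the payment will be cancelled.
"""

LEGITIMATE = """From: Finance Team <finance@example-council.gov.uk>
To: officer@example-council.gov.uk
Subject: Budget meeting

Hi Sam,
The budget meeting moves to Thursday at 10am. Agenda attached.
"""
```

The suspicious message trips all five checks; the routine internal one trips none. A real mail filter adds many more signals (link destinations, attachment types, sender authentication results), but the logic is the same: the more signs stack up, the less you should trust the message.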
Let’s talk about what you can do to protect yourself from a phishing attack.
Malicious actors will often use publicly available information about you to target you. So, review what information is publicly available about you.
Also, make it a habit to scan communications you receive for the telltale signs of a phishing attempt we outlined before.
If you spot a suspicious email, flag it as spam or junk in your email inbox. Let your IT department know that you've identified it as potentially unsafe.
And if you’ve clicked a suspicious link, tell your IT department as soon as you can. The earlier you tell them, the more likely they'll be able to help.
Finally, it is important to train personnel to identify and respond to phishing attempts.
This video is part of a series designed to expand your understanding of digital, technology and cyber security concepts. To learn more about the terms we covered, please watch our other videos!
What does good supply chain security entail?
This video explains why good supply chain security is needed and the practical steps you can take to achieve it.
What does good supply chain security entail?
This video will: Talk about the need for supply chain security, outline practical steps to take to manage supply chain security.
Councils rely on external suppliers to deliver devices, products and services.
As a result, the ability to reduce the risk of a cyber attack and remain cyber resilient is also determined by the cyber security of organisations within a council’s supply chain.
Cyber attacks can be carried out not only directly on your council, but also indirectly via your council’s supply chain. And, cyber attacks can even happen through the supply chain of one of your suppliers.
This is partly due to the fact that organisations in your supply chain may have limited resources, limited visibility of their own supply chains, and insufficient tools and expertise to evaluate cyber security.
So what does a council do to deal with supply chain risk? Your council must develop a robust supply chain risk management framework.
This framework first requires you to ask - how much risk is my council willing to take? This is known as risk appetite. It helps in determining what risk is acceptable, since it is practically impossible to do away with all risk.
You can then assign adequate levels of security controls to your councils’ contracts with suppliers, based on an assessment of risk facilitated by the framework.
For example, a council would probably not want to set aggressive controls on a refuse collection business which it has contracted to service part of its local area and which is not connected to council systems.
But it would want to set more stringent controls on the procurement of a major new system to collect council tax payments.
Importantly, this depends on the council’s risk appetite.
Let’s round off this video with other practical steps your council can take to beef up your supply chain security:
Each council will need to identify the relevant people responsible for mitigating cyber risks in supply chains, so you can collaborate to develop council-wide, multidisciplinary approaches.
Councils also need to provide supply chain security awareness and education for relevant staff and stakeholders.
The threat landscape is constantly evolving with new risks and vulnerabilities. It is very important to always follow the most up-to-date guidance as given by the National Cyber Security Centre and other related government bodies.
This video is part of a series designed to expand your understanding of digital, technology and cyber security concepts. The LGA has developed guidance on embedding cyber resilience in your supply chain, to find out more please click the link that pops up on your screen.
What does BCP and DRP refer to?
This video explains what Business Continuity Plans and Disaster Recovery Plans are and how they relate to each other.
What do Business Continuity Plan and Disaster Recovery Plan refer to?
In this video, we will: Define business continuity plan and disaster recovery plan, relate them to each other.
A business continuity plan, or BCP, outlines how a company will continue to operate during and after a major disruption. So a BCP normally focuses on maintaining critical functions.
These disruptions can include a fire outbreak, the breakdown of a key supplier, or a major cyber incident.
By outlining the steps to be taken in the event of a cyber incident, a business continuity plan can help to minimise the impact of an attack and ensure that critical operations can continue.
A disaster recovery plan, DRP, is the set of tools, processes and policies that support recovery following a disaster or major incident.
A DRP would be activated after a major system disruption with long-term effects, such as a loss of data.
Both plans would form part of an organisation's overall risk management and emergency preparedness strategy, ensuring that the organisation is capable of responding to and recovering from disruptions of different severity.
But they differ in scope. BCPs focus on how to continue delivering business outcomes during an incident, while DRPs focus on recovering from an incident.
A DRP can support a BCP strategy by relocating supporting systems for business operations or mission-critical functions.
Let’s round off with two key steps to optimise the use of a BCP and DRP.
Once plans are in place, it is crucial that they are tested with simulated disruptions; otherwise, it will be unclear whether the plans will work in practice.
The results of any tests should be shared with the relevant stakeholders, and any improvements should be incorporated into an action plan.
This video is part of a series designed to expand your understanding of digital, technology and cyber security concepts. To learn more about the terms we covered, please watch our other videos!

Cyber unpacked - Series 2
What is encryption?
At the end of this video, the viewers will be able to:
- Define encryption
- Give a high-level overview of the encryption process
- Think about encrypting council data at rest and in transit
What is encryption?
This video will:
Define encryption
Outline how encryption works
Talk about encrypting data at rest and data in transit.
You’ve probably seen the statement “Conversations are encrypted end-to-end” when using some messaging services. But what exactly does “encryption” mean?
Encryption is a way to conceal information so that it appears to be random data unless it is decrypted back to the original version.
This is done by scrambling the data with a mathematical function, called an encryption algorithm, together with a secret value called a key.
Then, to unscramble the data, the matching key is used; without it, the scrambled data cannot practically be recovered.
With encryption, even if an unauthorised individual accessed your data, they wouldn’t be able to understand it without the key.
Using the instant messaging scenario, end-to-end encryption means that messages are encrypted on your device and only decrypted on the recipient's device, so no one in between, including the service provider, can read them.
In your workplace, encryption is a good way to protect your council’s data from being accessed by unauthorised parties.
Council data can be encrypted where it is stored, such as in a database.
It could also be encrypted when it is in transit, like when being transferred between two computer programs.
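As an added illustration, not part of the video, the Python script below shows encryption and decryption in working code using only the standard library. It derives a keystream from the key with HMAC-SHA256 in counter mode, XORs it over the data, and attaches an integrity tag so that a wrong key or a modified ciphertext is detected rather than silently decrypted into nonsense. The record contents are constructed for the example. This construction is for understanding only; council systems should rely on a vetted library and an established algorithm such as AES-GCM, not on code like this.

```python
import hashlib
import hmac
import os


def _subkey(key: bytes, purpose: bytes) -> bytes:
    """Derive separate keys for scrambling and for the integrity tag."""
    return hmac.new(key, purpose, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode: without the key the output is
    indistinguishable from random, which is why ciphertext looks like noise."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag. A fresh random nonce means the
    same record encrypted twice gives two different ciphertexts."""
    nonce = os.urandom(16)
    stream = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Verify the tag first, then unscramble. Encryption alone hides data;
    the tag is what tells you it has not been altered in storage or transit."""
    if len(blob) < 48:
        raise ValueError("too short to be valid")
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key, or the data has been modified")
    stream = _keystream(_subkey(key, b"enc"), nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, stream))


def demo() -> dict:
    """Constructed walk-through: encrypt a council tax record, check the
    properties the text describes, and show that the wrong key and a
    tampered ciphertext are both rejected."""
    key = os.urandom(32)                      # in practice, from a key management system
    record = b"ref 1001, A Resident, band C"  # constructed data
    stored = encrypt(key, record)
    again = encrypt(key, record)
    results = {
        "round_trip": decrypt(key, stored) == record,
        "ciphertexts_differ": stored != again,
        "looks_random": stored[16:-32] != record,
    }
    try:
        decrypt(os.urandom(32), stored)
        results["wrong_key_rejected"] = False
    except ValueError:
        results["wrong_key_rejected"] = True
    tampered = stored[:16] + bytes([stored[16] ^ 1]) + stored[17:]
    try:
        decrypt(key, tampered)
        results["tamper_rejected"] = False
    except ValueError:
        results["tamper_rejected"] = True
    return results
```

The same two functions cover both cases mentioned above: the blob can sit in a database (data at rest) or be sent between two programs (data in transit). Whoever holds the key can read it; nobody else can, and nobody can change it unnoticed.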
Unfortunately, encryption is also a way that malicious actors damage council data; some malicious actors will encrypt council data and ask for a ransom for it to be restored. This is known as a ransomware attack.
Let’s end this video with two questions about data and your council:
What kinds of information assets can you think of that would require protection from unauthorised access?
Can encryption be used to protect these assets?
This video is part of a series designed to expand your understanding of digital, technology and cyber security concepts. To find out more about ransomware, a term we mentioned in this video, please watch our video on it!
What is a firewall?
At the end of this video, the viewers will be able to:
- Define the terms network and firewall
- Differentiate between a boundary firewall and internal firewalls.
- Outline some good practice around configuring firewalls
What is a firewall?
In this video, we will:
Define the terms network and firewall
Differentiate between a boundary firewall and internal firewalls.
Outline some good practice around configuring firewalls
There are many more types of firewall than we were able to cover in this video. Consider this video your high level introduction to firewalls!
To understand what a firewall is, it is helpful to first be familiar with what a network is.
A network is the interconnection of computing devices, from computers, to phones, to printers, to smart devices, and so on.
Some networks are private and do not allow unauthorised users in. Some, like the Internet, are accessible to the public and are called public networks.
Firewalls are hardware devices or software programs that regulate the flow of traffic in a network.
Firewall rules or policies determine which types of network traffic are allowed, and can be based on factors like the traffic source and destination.
Checks at the boarding gate at the airport are a bit like a firewall. Before you're allowed on the plane, someone checks who you are, where you're from, and that you're authorised to go to your destination before they let you on the plane.
In a similar sense, a firewall may allow or block traffic based on the IP address of the device sending the traffic. IP addresses identify devices on a network, so comparing the IP address of incoming traffic against a list of known good or bad addresses can help control which traffic is allowed through the firewall. Because addresses can be shared or forged, this should be one check among several rather than the only one.
Firewalls can be installed at the intersection of two networks. A firewall, for example, can be deployed to protect a private council network from certain types of Internet traffic. They are called boundary, perimeter or external firewalls in this case.
An organisation might also decide to place internal firewalls in locations within the network perimeter, to give an extra layer of security.
For example, a council might use an internal firewall to limit access to and from internal networks that contain sensitive information, like finance.
It is also possible to configure a firewall that protects only one device or host, known as a host-based firewall. This allows restrictions tailored to that device, and makes sure the rules apply no matter where the device is used, for example a laptop taken home.
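As an added example, not from the video, here is a small Python model of how firewall rules are evaluated: the first matching rule wins, and anything no rule matches is denied. It models both a boundary firewall and an internal firewall in front of a finance segment, using an address plan made up for the example, and includes a check for rules that an earlier rule makes unreachable, which is one concrete way of confirming a rule base is "well known and understood".

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Constructed address plan for this example (documentation ranges, not a real council).
INTERNET = ipaddress.ip_network("0.0.0.0/0")
STAFF_LAN = ipaddress.ip_network("10.1.0.0/16")
FINANCE = ipaddress.ip_network("10.2.0.0/24")
FINANCE_APP_SERVER = ipaddress.ip_network("10.2.0.10/32")
PUBLIC_WEB = ipaddress.ip_network("203.0.113.10/32")


@dataclass(frozen=True)
class Rule:
    action: str                      # "allow" or "deny"
    src: ipaddress.IPv4Network       # where the traffic comes from
    dst: ipaddress.IPv4Network       # where it is going
    port: int | None = None          # None matches any destination port

    def matches(self, src_ip, dst_ip, port) -> bool:
        return (src_ip in self.src and dst_ip in self.dst
                and (self.port is None or self.port == port))


def evaluate(rules: list[Rule], src: str, dst: str, port: int) -> str:
    """First matching rule wins; unmatched traffic is denied (default deny),
    which is the behaviour to insist on when a firewall is configured."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        if rule.matches(s, d, port):
            return rule.action
    return "deny"


def shadowed(rules: list[Rule]) -> list[int]:
    """Indices of rules that can never match because an earlier rule already
    covers all their traffic: a common sign of a misunderstood rule base."""
    out = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if (later.src.subnet_of(earlier.src) and later.dst.subnet_of(earlier.dst)
                    and (earlier.port is None or earlier.port == later.port)):
                out.append(i)
                break
    return out


# Boundary firewall: from the Internet, only HTTPS to the public web server.
# Everything else, such as remote desktop (3389), falls to the default deny.
BOUNDARY = [
    Rule("allow", INTERNET, PUBLIC_WEB, 443),
]

# Internal firewall in front of the finance segment: staff may use the
# finance application on its published port, but nothing else in the segment,
# and not database or admin ports on the application server itself.
INTERNAL_FINANCE = [
    Rule("allow", STAFF_LAN, FINANCE_APP_SERVER, 443),
    Rule("deny", STAFF_LAN, FINANCE),
]
```

Swapping the order of the two internal rules puts the broad deny first, and shadowed() reports the allow as unreachable: staff would lose access to the finance application and no one would know why from reading the rules. That is the kind of mistake careful change management of firewall configurations is meant to catch.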
Let’s round off with two practices that are good to follow when configuring firewalls:
It is a good idea to change any default administrative password for a firewall to an alternative that is difficult to guess. It's important that firewall configurations are well known and understood, so changes to them must be carefully managed, and their set up should be reviewed regularly.
Protect administrative access to the firewall with multi-factor authentication, or make sure that it can only be configured from agreed locations, and ideally do both.
This video is part of a series designed to expand your understanding of digital, technology and cyber security concepts. To learn more about the terms we covered, please watch our other videos!
What are cyber risks and exploits?
At the end of this video, the viewers will be able to:
- Define cyber risks and exploits
- Apply high level risk analysis to council assets
What are risks and exploits?
This video will
Define cyber risks and exploits
Help you to consider risks to council assets and information in a formal way
To understand what risks and exploits are, it is helpful to first be familiar with vulnerabilities and threats.
A cyber vulnerability is a weakness in an information system that leaves it open to attack. It could be a weakness in technology, in procedures and controls, or in how these have been implemented, which allows a malicious actor to carry out a cyber attack and inflict harm on an organisation.
Threats refer to any circumstance or event that has the potential to adversely impact an organisation.
Given what we know about vulnerabilities and threats, we can now discuss exploits and risks.
An exploit is a piece of software, or a sequence of actions or commands, that takes advantage of a vulnerability to cause harm.
For instance, a burglar’s lock picking set is an exploit. When the burglar uses the lock picking set to rob a house, this becomes an attack.
Cyber security risk brings all of these terms together.
It is a function of the likelihood of a malicious actor exploiting a vulnerability, and the impact of such an event.
Let’s think about the risk associated with two council assets. Personally identifiable information, or PII, has a high cyber security risk, because of the consequences of exposing this data to the public, as well as the reality that malicious actors will be looking for ways to obtain it.
By contrast, a list of elected councillors’ names has a relatively low risk attached, because this data is already in the public domain.
A very important thing to note here is that we have given you just one definition of risk; there are others. It's important not to get wedded to one definition of risk.
Make sure to visit the National Cyber Security Centre website for the latest guidance on risks!
Here are some questions to take away with you as we round off this video:
Are cyber security risks on your council’s risk register?
Does your council conduct risk assessments?
This video is part of a series designed to expand your understanding of digital, technology and cyber security concepts.
Our videos on threats and vulnerabilities point out that both threat intelligence and vulnerability assessments can inform your council’s risk assessment process. We go into how to address risks in another video on risk management.
What are cyber security controls?
At the end of this video, the viewers will be able to:
- Define security controls
- Explain the three main types and functions of security controls
What are cyber security controls?
In this video, we will:
Define security controls
Explain the three main types and functions of security controls
Security controls are safeguards or countermeasures which protect a system and its information from unauthorised access, use, disclosure, tampering, or destruction. Cyber security is implemented through security controls.
There are three main types of controls: physical, technical, and administrative.
Physical security controls are tangible mechanisms, like doors, cameras, and security guards, designed to deter or prevent unauthorised access to physical facilities, systems and assets.
Technical controls are hardware or software mechanisms that manage cyber security risk, for example by restricting access to and use of assets.
For example, a council might install firewalls to block unauthorised network traffic.
Administrative controls are the policies, procedures, or guidelines that define personnel or business practices in accordance with the organisation's security goals.
This would include a council's employee training, and personnel recruitment and termination strategies.
Administrative controls help to ensure that only authorised personnel have access to the resources and information they need, and that they know how to use them safely and securely.
Controls also have different functions. For each function, the different types of controls outlined above can be used.
Preventative controls refer to any security mechanism that is intended to prevent undesirable or unauthorised activities.
For example, physical controls such as fences help to secure a perimeter. Technical controls such as firewalls help to protect networks from unauthorised access.
Detective controls detect and alert to undesired or unauthorised activity while it is occurring or after it has occurred.
Physical examples of detective controls include alarms that notify guards of potential problems. Your council might have a policy that requires access logs to be reviewed regularly; that would be an administrative detective control. A policy requiring regular backups, by contrast, is better thought of as a corrective control, because backups are what you restore from after an incident.
Corrective controls include any actions taken to repair damage or restore resources and capabilities to their previous state following an unauthorised or unwanted activity.
An administrative corrective control would involve putting a council incident response plan into action.
A technical corrective control would be applying a patch to a system.
It is essential that a council has risk assessment and management processes in place to help balance the need for security controls with the available resources and potential harms and their impacts.
This video is part of a series designed to expand your understanding of digital, technology and cyber security concepts. To learn more about the terms we covered, please watch our other videos!
What are patching and lifecycle management?
At the end of this video, the viewers will be able to:
- Define patching and lifecycle management
- Understand the need for lifecycle management
What are patching and lifecycle management?
This video will:
Define patching and lifecycle management, and outline the need for lifecycle management
A cyber vulnerability is a weakness in an information system that an attack can take advantage of. It could be a weakness in technology, in procedures and controls, or in how these have been implemented, which allows a malicious actor to carry out a cyber attack and inflict harm on an organisation.
To avoid that harm, it’s important to find those vulnerabilities before the malicious actors do.
Researchers, software vendors, law enforcement, and ethical hackers, are constantly scouring software code for vulnerabilities.
When they find one, the vendor fixes or replaces the problematic code and releases a new, improved version of the software.
Patching refers to the process of updating software to new, less vulnerable versions.
The failure to patch leaves a council at risk. This is because when an update is rolled out, malicious actors know that there is a vulnerability in older versions of the software. They will look for organisations that have not patched and therefore do not have the update in place. If a council fails to patch, it can be easily exploited.
Patching is a foundational aspect of what is called lifecycle management.
Lifecycle management is a process for assessing and addressing vulnerabilities of assets across their use and disposal.
It will not always be feasible to patch everything always, and a lifecycle management plan will include a framework for prioritising patches, and handling situations where patches cannot be applied.
A good example is when a council uses a version of an operating system that is no longer supported by its developer. This is known as legacy IT. Updating legacy IT can be complex and costly, but the risks of not updating, and the vulnerabilities left in place, also need to be taken into account.
Councils should consider having a plan to make sure that such software is handled as securely as possible. For example, minimising the applications that run on it, making sure they are up to date, and restricting network access to the users who really need it.
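The prioritisation described above can be made concrete with a small inventory check. The following is an added example, not code from the page or from the NCSC: it compares each asset's software version with a constructed "fixed" version, flags operating systems that are past their support date (legacy IT), and ranks assets so that internet-facing systems holding personal data come first. Product names, version numbers, support dates and the inventory itself are all constructed for illustration.

```python
"""Added example (not from the page): check a constructed asset inventory against
fixed software versions and OS support dates, then rank what to patch first."""
from dataclasses import dataclass
from datetime import date

# Constructed reference data. Product names, versions and support dates are hypothetical.
FIXED_VERSION = {"casemgr": "4.2.7", "webproxy": "1.9.0"}
OS_SUPPORT_END = {"ServerOS 2012": date(2023, 10, 10), "ServerOS 2022": date(2031, 10, 14)}
TODAY = date(2024, 6, 1)   # fixed so the example is reproducible


@dataclass
class Asset:
    name: str
    product: str
    version: str
    os: str
    internet_facing: bool
    holds_pii: bool


def parse_version(v: str) -> tuple:
    """'4.10.0' must sort above '4.9.9', so compare numeric parts, not strings."""
    return tuple(int(part) for part in v.split("."))


def assess(asset: Asset, today: date):
    """Return (priority score, list of findings) for one asset."""
    findings = []
    fixed = FIXED_VERSION.get(asset.product)
    if fixed and parse_version(asset.version) < parse_version(fixed):
        findings.append(f"{asset.product} {asset.version} is below fixed version {fixed}")
    end = OS_SUPPORT_END.get(asset.os)
    if end is None or end < today:
        # Legacy IT: no vendor patches will come, so this needs compensating controls
        findings.append(f"{asset.os} is out of vendor support")
    # Urgency rises with exposure to the internet and with the sensitivity of data held
    weight = (2 if asset.internet_facing else 1) * (2 if asset.holds_pii else 1)
    return len(findings) * weight, findings


def prioritise(inventory, today: date):
    """Highest score first; ties broken by name so the order is stable."""
    scored = [(a, *assess(a, today)) for a in inventory]
    return sorted(scored, key=lambda row: (-row[1], row[0].name))


# Constructed inventory
INVENTORY = [
    Asset("payments-web", "webproxy", "1.8.3", "ServerOS 2022", True, True),
    Asset("case-mgmt-app", "casemgr", "4.2.7", "ServerOS 2012", False, True),
    Asset("print-server", "casemgr", "4.1.0", "ServerOS 2012", False, False),
    Asset("intranet", "webproxy", "1.9.0", "ServerOS 2022", False, False),
]

if __name__ == "__main__":
    for asset, score, findings in prioritise(INVENTORY, TODAY):
        print(f"{score:2d} {asset.name}: {'; '.join(findings) or 'no findings'}")
```

The weighting is deliberately simple; a real plan would also take account of whether an exploit is already circulating and what compensating controls (network restriction, minimal applications) are already in place on the legacy systems.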
As we’ve mentioned, patching isn’t always possible immediately. Does your council have a plan for managing unpatched software? The NCSC has more guidance on lifecycle management; we encourage you to visit their website and acquaint yourself with the material.
This video is part of a series designed to expand your understanding of digital, technology and cyber security concepts. To learn more about the terms we covered, please watch our other videos!
What is a distributed denial of service (DDOS) attack?
At the end of this video, the viewers will be able to:
- Define denial of service and distributed denial of service
- Outline harms that may emerge from such an attack
- Lay out initial steps to defend from distributed denial of service attacks
What is a distributed denial of service attack?
In this video, we will:
Define denial of service and distributed denial of service
Outline harms that may emerge from such an attack
Lay out initial steps to defend from distributed denial of service attacks
A denial of service attack or DoS attack attempts to prevent legitimate users from accessing a system or service.
Distributed denial of service, or DDoS, is a variant of DoS that occurs when several compromised machines, as opposed to one, are used to attack a single target.
Cyber attackers typically achieve denial of service by flooding a target with so much traffic that it can't keep up, and eventually fails. The target is usually a server, which can only handle so many requests at a given time.
In DDoS, the attacker employs multiple Internet-connected devices, each of which generates a number of requests that, when combined, overload the target.
These devices could be those of willing accomplices or unwitting victims whose devices have become infected with malicious software.
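To make the difference between DoS and DDoS visible, here is an added example (not code from the page): a rate-based detector run over a constructed request log. It buckets requests by second and, once a second exceeds what the server can handle, looks at who is sending. One dominant source is a plain DoS that a firewall rule can block; hundreds of sources is a DDoS, which is why that case needs upstream filtering rather than a single block rule. The log format, the addresses and the thresholds are all constructed for illustration.

```python
"""Added example (not from the page): rate-based flood detection over a
constructed request log, telling a single-source DoS from a distributed DDoS."""
from collections import Counter, defaultdict


def constructed_log():
    """Constructed sample: one '<second> <source ip> <path>' line per request.
    Seconds 0-4 are normal traffic, second 5 a single-source flood,
    second 6 a distributed flood from 200 different addresses."""
    lines = []
    for t in range(5):
        for ip in ("203.0.113.5", "203.0.113.9", "198.51.100.2"):
            lines.append(f"{t} {ip} /payments")
    lines += ["5 192.0.2.77 /payments"] * 120
    lines += [f"6 198.18.0.{i} /payments" for i in range(200)]
    return lines


def requests_per_second(lines):
    """Bucket requests by second, counting per source address."""
    buckets = defaultdict(Counter)
    for line in lines:
        second, ip, _path = line.split()
        buckets[int(second)][ip] += 1
    return buckets


def classify(counter, rate_threshold=100, dominant_share=0.8):
    """Below the threshold the server copes. Above it, look at who is sending:
    one dominant source can be blocked at the edge; many sources cannot."""
    total = sum(counter.values())
    if total < rate_threshold:
        return "normal"
    _ip, top = counter.most_common(1)[0]
    return "dos" if top / total >= dominant_share else "ddos"


def detect(lines):
    """Return {second: verdict} for every second that is not normal."""
    verdicts = {}
    for second, counter in requests_per_second(lines).items():
        verdict = classify(counter)
        if verdict != "normal":
            verdicts[second] = verdict
    return verdicts


if __name__ == "__main__":
    for second, verdict in sorted(detect(constructed_log()).items()):
        print(f"second {second}: {verdict}")
```

In a real deployment the threshold would come from measured capacity, and the detector would feed the incident response plan mentioned below rather than act on its own.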
DDoS attacks can cause significant disruption to council services. Imagine an attack that targets a key council system, such as one that allows residents to make payments to the council.
Although the attack targets only this component, the flood of traffic renders all of the council's web services unavailable, for example because they share the same internet connection, so internal internet access and staff email are lost too.
Residents are also unable to make online payments to the council, and overall receive a poorer service than usual.
A solution is found, but not before significant delay, reputational damage, and a large expense to the council.
In addition to being disruptive, DDoS attacks generally occur without warning. But there are protective steps that councils can take, such as having well configured detection systems and an incident response plan in place to swiftly respond in the event of an attack.
Councils can also take a secure by design approach, building security deeply into the requirements of council systems, and routinely auditing and updating them.
Sometimes a DDoS attack is nothing more than a diversionary tactic, to draw away attention from an attempt to compromise your system. So, do not become so focused on the DDoS response that other security monitoring is neglected.
Make sure to visit the National Cyber Security Centre’s website for the most up to date guidance on preparing for and responding to DDoS and DoS attacks.
This video is part of a series designed to expand your understanding of digital, technology and cyber security concepts. To learn more about the terms we covered, please watch our other videos!
What is penetration testing?
At the end of this video, the viewers will be able to:
- Define penetration testing
- Outline key considerations for effective penetration testing
What is penetration testing?
In this video, we will:
Define penetration testing
Outline key considerations for effective penetration testing
Penetration testing, or pen testing, is an authorised and planned test of an IT system's security, using the same tools and techniques a malicious actor might use, in order to find out how secure the system really is.
That means identifying vulnerabilities and their related risks, and recommending remedies.
Ideally a penetration test should only confirm vulnerabilities you already know about, but it may well find more. Either way, it is a way to validate your vulnerability management process.
Penetration tests are performed against an agreed 'scope'. This might be a network consisting of products and services from multiple vendors, such as your council's internal IT environment, Wi-Fi, end user devices or cloud services - or indeed, an individual system or service.
There are two things to keep in mind in order to use penetration testing effectively.
One is that penetration tests should complement, not replace, other forms of security validation.
Penetration tests only capture the security situation at a single point in time. But new cyber vulnerabilities are constantly being uncovered.
If a council only uses penetration tests, vulnerabilities could go undiscovered for a long time, so councils should scan their own systems for vulnerabilities regularly.
Secondly, only trained and experienced testers should run penetration tests.
The National Cyber Security Centre, or NCSC, holds a list of approved penetration test companies and methods under the CHECK scheme. This is a good first port of call for councils looking for penetration testers.
Please make sure to visit the NCSC website for further guidance on conducting penetration tests. The NCSC also holds a register of CHECK companies on its website.
The Crown Commercial Service’s Cyber Security Services framework agreement allows you to procure penetration testing services from CHECK suppliers.
This video is part of a series designed to expand your understanding of digital, technology and cyber security concepts. To learn more about the terms we covered, please watch our other videos!
What does secure by design refer to?
At the end of this video, the viewers will be able to:
- Define ‘secure by design’
- Outline the secure by design principles
What does ‘secure by design’ refer to?
In this video, we will:
Define secure by design
Outline the secure by design principles
In the context of cyber security, secure by design is an approach that proactively builds resilience against potential cyber-attacks throughout a system's life cycle. Councils have many systems - such as their case management system - and all need to consider this principle.
Secure by design applies to the full lifecycle of a system. In addition to considering security when its hardware and software are designed, organisations have to consider how they will be maintained, audited and updated routinely. This reduces the number of potential attack points and weaknesses that can be exploited, making it more difficult for malicious actors to carry out successful attacks.
This is important because too often cyber security guidance is reactive, calling for us to respond to vulnerabilities as they are discovered. We have to have the mechanisms in place to respond!
We can reduce the likelihood and impact of cyber incidents by proactively designing products and services with security in mind.
Secure by design is more than protecting from external attacks. It also involves mitigating insider risk. With a council case management system, for example, we’d want to make sure that external contractors are only able to carry out actions appropriate to their role.
In that same example, we’d also want to make sure the data that sits in the system is accurate, and that any sensitive data has the appropriate safeguards to ensure its confidentiality.
The National Cyber Security Centre, NCSC, has published principles for building systems that are both resilient to attack and easy to manage and update. These principles are grouped into five recommended activities:
The first category involves preparing for a secure service, including allocating budget, resources and skills.
The second category focuses on understanding the security landscape, and how to involve security and technical architects in considering security in a broader context.
The third category aims to manage cyber security risks and offers advice on how teams can assess threats and reduce cyber risk by building security protection into the lifecycle.
The fourth category involves anticipating and responding to incidents. This means proactively and reactively managing weaknesses in the service to prevent potential security incidents.
The fifth and final category includes maintaining continuous assurance, and offers advice on how to keep track of how the Secure by Design approach is being followed throughout the lifecycle of a service.
This video is part of a series designed to expand your understanding of digital, technology and cyber security concepts. To learn more about the terms we covered, please watch our other videos!
What is zero trust architecture?
At the end of this video, the viewers will be able to:
- Define zero trust architecture
- Lay out the pros and cons of implementing zero trust architecture
What is zero trust architecture?
In this video, we will:
Define zero trust architecture
Lay out the pros and cons of implementing zero trust architecture
To understand what zero trust architecture is, it is helpful to first be familiar with what a network and firewall are.
A network is the interconnection of computing devices, from computers, to phones, to printers, to smart devices, and so on.
Firewalls are devices or programs that regulate the flow of network traffic between networks or hosts that have different security levels.
In a traditional network setup, devices and users on the internal, or trusted, side of the firewall are assumed to be safe.
However, with a "zero trust" approach, even these devices and users must be verified before being allowed access to resources.
A zero trust architecture does away with any implicit trust. Instead, it continuously validates and verifies trust at every stage of a digital interaction.
Signals, such as information on the location of the device or whether it is up to date, are used to make decisions.
Combined, these signals can provide the assurance needed to grant access to a resource.
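The contrast between the traditional model and a signal-based decision can be shown in a few lines. The following is an added example, not code from the page or from the NCSC: a perimeter-style decision that trusts anyone on the office network, beside a zero trust decision that checks every signal on every request. The resource names, the policy table and the two sample requests are constructed for illustration.

```python
"""Added example (not from the page): a perimeter-style access decision beside a
zero trust decision that evaluates signals on every request."""
from dataclasses import dataclass


@dataclass
class AccessRequest:
    user: str
    resource: str
    on_office_network: bool   # "inside the firewall" in the traditional model
    mfa_passed: bool
    device_managed: bool      # enrolled in and controlled by the council
    device_patched: bool      # up to date
    country: str


# Constructed policy: what each (hypothetical) resource demands before access is granted.
POLICY = {
    "intranet-news": {"mfa": True, "managed": False, "patched": False, "countries": None},
    "case-records":  {"mfa": True, "managed": True,  "patched": True,  "countries": {"GB"}},
}


def perimeter_decide(req: AccessRequest) -> str:
    """Traditional model: anyone already inside the network is trusted."""
    return "allow" if req.on_office_network else "deny"


def zero_trust_decide(req: AccessRequest):
    """Never trust, always verify: every signal is checked on every request,
    and being on the office network earns nothing by itself."""
    rule = POLICY[req.resource]
    reasons = []
    if rule["mfa"] and not req.mfa_passed:
        reasons.append("mfa not completed")
    if rule["managed"] and not req.device_managed:
        reasons.append("device not managed")
    if rule["patched"] and not req.device_patched:
        reasons.append("device not up to date")
    if rule["countries"] and req.country not in rule["countries"]:
        reasons.append(f"location {req.country} not permitted")
    return ("allow" if not reasons else "deny", reasons)


# Constructed requests: a contractor plugged into the office network on an unpatched
# laptop, and an officer working remotely on a compliant council device.
ON_SITE_UNPATCHED = AccessRequest("contractor", "case-records", True, True, True, False, "GB")
REMOTE_COMPLIANT = AccessRequest("officer", "case-records", False, True, True, True, "GB")

if __name__ == "__main__":
    for req in (ON_SITE_UNPATCHED, REMOTE_COMPLIANT):
        print(req.user, "perimeter:", perimeter_decide(req),
              "zero trust:", zero_trust_decide(req))
```

The point of the comparison is the first request: the perimeter model lets the unpatched laptop straight through because it is on the office network, whereas the zero trust decision denies it with a recorded reason, which is exactly the activity tracking the next paragraphs describe.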
A key reason to implement zero trust architecture is to enhance security.
If an organisation places the majority of its security measures at the edge of a network, it will be extremely difficult to identify or control an intruder if they successfully breach that initial line of defence.
A zero trust model, by contrast, works on the principle of never trust, always verify. This makes it harder for a malicious actor who has got in to move around and cause disruption, because every action a user or device takes is subject to some form of evaluation.
It also encourages organisations to move toward tracking activity related to user devices and services. This provides detailed information that makes it easier to detect security issues.
On the other hand, it can be difficult to implement zero trust architecture.
Zero trust isn't a standard or specification, it's an approach to designing an architecture. This can make it difficult to know if you're doing it "right".
The National Cyber Security Centre, or NCSC, has a variety of materials on zero trust architecture on its website, including principles for designing zero trust architecture and guidance on migrating to zero trust. So please make sure to visit.
This video is part of a series designed to expand your understanding of digital, technology and cyber security concepts. To learn more about the terms we covered, please watch our other videos!
What are SIEM and SOC?
At the end of this video, the viewers will be able to:
- Define SIEM and SOC
- Relate both concepts
What are SIEM and SOC?
In this video, we will:
Define SIEM and SOC
Relate both concepts
To understand what SIEM is, we must first be familiar with logging.
A log is a record of the events occurring within an organisation’s systems and networks. Logging is the process of creating those records.
SIEM stands for security information and event management.
It combines two distinct capabilities. One is security information management, which involves collecting and analysing logs.
The other element of SIEM is security event management, which provides a few capabilities, such as real-time monitoring of logs, notifications and the ability to see relationships between different events.
By aggregating and analysing log data, a SIEM can help identify trends and unusual activity that may indicate a security threat.
For example, if a SIEM detects that a large number of failed login attempts is coming from a particular IP address, it can raise an alert that something suspicious may be going on.
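Here is what that rule looks like when written down, together with the relationship-between-events capability mentioned above. This is an added example, not code from the page or from any SIEM product: it runs over constructed authentication log lines, counts failures per source address within a sliding two-minute window, raises an alert once a threshold is reached, and escalates if the same source then logs in successfully, which is the event an analyst most needs to see. The log format, addresses, user names and thresholds are all constructed; the parser is the part you would adapt to your own system's logs. The lines are assumed to arrive in time order.

```python
"""Added example (not from the page): a SIEM-style correlation rule run over
constructed authentication log lines. Alerts on repeated failed logins from one
source address, and escalates if that source then logs in successfully."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log format. Real systems log differently, so this regex is what you adapt.
LINE = re.compile(
    r"^(?P<ts>\S+) auth login user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>OK|FAIL)$"
)

# Constructed sample: six failures for 'alice' from one address in under a minute,
# then a success from the same address; unrelated noise and one malformed line mixed in.
SAMPLE_LOG = [
    "2024-06-01T09:00:00 auth login user=bob src=198.51.100.2 result=OK",
    "2024-06-01T09:00:00 auth login user=alice src=203.0.113.8 result=FAIL",
    "2024-06-01T09:00:10 auth login user=alice src=203.0.113.8 result=FAIL",
    "2024-06-01T09:00:20 auth login user=alice src=203.0.113.8 result=FAIL",
    "2024-06-01T09:00:25 auth login user=carol src=198.51.100.2 result=FAIL",
    "2024-06-01T09:00:30 auth login user=alice src=203.0.113.8 result=FAIL",
    "this line is not an auth event and must be skipped",
    "2024-06-01T09:00:40 auth login user=alice src=203.0.113.8 result=FAIL",
    "2024-06-01T09:00:50 auth login user=alice src=203.0.113.8 result=FAIL",
    "2024-06-01T09:01:30 auth login user=alice src=203.0.113.8 result=OK",
]


def parse(line):
    """Return (timestamp, user, src, result) or None for lines that do not match."""
    m = LINE.match(line)
    if m is None:
        return None
    return datetime.fromisoformat(m["ts"]), m["user"], m["src"], m["result"]


def correlate(lines, threshold=5, window=timedelta(minutes=2)):
    """Return a list of alerts as (kind, src, detail) tuples."""
    failures = defaultdict(deque)   # src -> timestamps of failures still inside the window
    alerted = set()                 # sources already reported, to avoid one alert per attempt
    alerts = []
    for line in lines:
        event = parse(line)
        if event is None:
            continue
        ts, user, src, result = event
        recent = failures[src]
        while recent and ts - recent[0] > window:   # drop failures that have aged out
            recent.popleft()
        if result == "FAIL":
            recent.append(ts)
            if len(recent) >= threshold and src not in alerted:
                alerts.append(("brute-force", src, len(recent)))
                alerted.add(src)
        elif len(recent) >= threshold:
            # A success right after a burst of failures suggests the guessing worked
            alerts.append(("success-after-failures", src, user))
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOG):
        print(alert)
```

The second alert is the one that turns a noisy "many failures" signal into something a SOC analyst acts on: it ties two different event types together, which is what the security event management side of a SIEM is for.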
SIEM capability can come in the form of software, hardware devices, or managed services.
SOC stands for security operations centre.
A SOC is responsible for monitoring and protecting organisations’ systems and networks against any potential cyber threats.
A SOC would be staffed with technical personnel who use various tools and controls to detect, analyse, and respond to any incidents.
Some organisations have an in-house SOC. SOCs can also be provided by third-party organisations.
SIEMs and SOCs have a symbiotic relationship.
For a SIEM to provide value, it needs to be set up correctly and have the right people and processes around it. A SOC usually helps in that set-up, and offers the right people and processes.
A SIEM is useful to detect security incidents, but a SOC can also work to reduce the likelihood a security incident will happen in the first instance. SOCs also help to respond and recover.
Please make sure to visit the website of the National Cyber Security Centre or NCSC for the most up-to-date guidance on SIEMs and SOCs.
This video is part of a series designed to expand your understanding of digital, technology and cyber security concepts. To learn more about the terms we covered, please watch our other videos!