10 Questions on Cyber Security

About the Centre for Governance and Scrutiny (CfGS)

CfGS exists to promote better governance and scrutiny, both in policy and in practice. We support local government, the public, corporate and voluntary sectors in ensuring transparency, accountability, and greater involvement in their governance processes.

Governance and scrutiny are essential for the successful working of any organisation. Now, more than ever, trusted decisions are needed. We believe that decisions are better made when they are open to challenge and involve others – whether that’s democratically elected representatives, those affected by decisions, or other key stakeholders.

At the heart of better governance and scrutiny are the right behaviours and culture. Our work champions these relational aspects and designs the structures to support them, leading to more effective decision-making and improved outcomes for organisations and people.

Introduction

What is this guide about? What CfGS has done Why is cyber important?

Scrutiny committees may be dissuaded to undertake matters pertaining to cyber security as it, understandably, seems quite daunting due to the often-technical nature of the subject. However, neither members nor officers need to have detailed technical expertise in the subject. They can subject councils’ plans to challenge and take action to promote changes of behaviour on this matter within the organisation.

Good cyber security practices are important for both individuals and organisations. Technology and data now underpin our daily lives, and that technology is evolving at speed.

Service operation and delivery relies on digitised information. The “digital space” contains the most crucial business assets.
Vital life and limb services to the community now depend on information and communications technologies.
Councils continue to evolve the digitisation of their public services and interact in new ways with their workforce and citizens online.
COVID-19 has encouraged greater reliance on the internet and cloud services, changing the landscape further.

These changes open up benefits and opportunities – however, there is also an increased risk in terms of the potential for cyber attacks^{^[1]}. There is a need for improved and robust cyber security to safeguard data, infrastructure, and delivery.

The Department of Media Culture & Sport (DMCS) have advised that the cyber threat is significant and growing, yet cyber attacks are not always sophisticated. Attacks frequently succeed because of poor cyber hygiene and the exploitation of known vulnerabilities.^{^[2]} Additionally, it should not be assumed that all cyber attacks derive from the work of malicious outside actors. They may be caused unintentionally, or otherwise, by those working within the organisation.^{^[3]}

The government advise that the most significant cyber threat facing the UK comes from ransomware attacks and that there has been a significant increase in this form of attack. They also suggest that this trend will only increase, with criminals developing new techniques to circumvent cyber defences^{^[4]}, including a focus on targeting the users of technology, as well as the technology itself.

Over recent years there have been an uptick in the number of cyber attacks that have targeted local councils. According to a 2018 report by Big Brother Watch, over a period spanning five years, councils in the UK were subject to 98m cyber attacks^{^[5]}. More recently, in 2020, councils in the UK reported more than 700 data breaches to the Information Commissioner’s Officer (ICO)^{^[6]}.Ten of these councils had their operations disrupted because of breaches or ransomware. With that said, the breaches may come from multiple sources- not just cyber.

A widely reported example of a cyber attack in a council is the 2020 cyber attack on Hackney Council. The effects of this were deemed ‘devastating’ and are thought to have cost as much as £10m according to media coverage. In addition, to monetary losses, cyber attacks, like the one in Hackney, can cause significant disruption to services, with many of these services needing to be rebuilt in their entirety. If a cyber attack does occur, your council may be subject to both legal and regulatory consequences. Citizens may suffer through service disruption, or consequentially, thorough data breach.

The level of threat can vary from council to council, but all councils possess information (e.g. financial, personal) or infrastructure of interest to malicious actors, making them a target.^{^[7]} With that said, whilst cyber threats cannot be completely eradicated, the risks can be significantly minimised. How the risk can be reduced and how good scrutiny functions can aid this will be explored in more detail throughout this publication.

When discussing cyber threats and vulnerabilities, the conversation tends to focus on the role of the IT department. Whilst IT has a role to play, cyber threats can and will affect all areas and departments of the council. There is a big part for scrutiny committees and those performing scrutiny roles to play in helping to improve and refine cyber security policy and focus.

Due to the ever-changing nature of cyber threats, the scrutiny function ought to be both proactive and reactive on the matter of cyber security.

Proactive

Scrutiny committees should operate on the basis that there is potential for a cyber attack to impact on their organisation.
They should probe leadership, relevant officers, and the executive on what current preventative measures are in place, how these manage the risk, and whether they are reviewed regularly for efficacy as threats evolve and circumstances change.

Reactive

Following on from an incident, considering what lessons can be learned from the incident and the organisational response, seeking assurance that risk of recurrence and associated impacts are minimised, and identifying risks and vulnerabilities going forward.

Because scrutiny members will often be laypeople in terms of cyber security, it is paramount that there is a positive collaborative approach to the subject with technical officers who should be encouraged to provide relevant information that is pitched at an appropriate level- as things sometimes get lost in translation.

The way in which good scrutiny can make a marked difference to cyber security policy will be discussed in more detail using the 10 questions.

What is cyber security and what are the threats against it?

Cyber security is defined by the NCSC as vital to:

protect the devices we all use (smartphones, laptops, tablets and computers), and the services we access – both online and at work – from theft or damage
prevent unauthorised access to the vast amounts of personal information we store on these devices, and online.

Attempts to circumvent cyber security are typically knows as 'cyber attacks’. Cyber attacks may just be focused on vulnerabilities in technology and/or how systems are set up – but frequently, people – be they officers or members, are exploited in pursuit of criminal goals. Good technical hygiene and awareness of security procedures are vital weapons in the fight.

Why would malicious actors seek to attack local councils? Councils hold a significant amount of sensitive data, that may be valuable to malicious actors for resale on criminal markets. They also may wish to cause disruption to services or commit fraud directly. Cyber security is vital to ensure that this information and data is secure and cannot be obtained or manipulated. It also sets out to minimise the risk to disruption that can be caused by attackers.

Types of information of interest to malicious actors:

Personal information – this is defined by the Information Commissioner’s Office (ICO) as information that relates to an identified or identifiable individual.
Special category data – defined by the ICO as requiring more protection because it is sensitive. This can be defined as information that reveals: racial or ethnic origin, political opinions, religious or philosophical beliefs, genetic data, biometric data, trade union membership, data concerning health, data concerning a person’s sex life and data concerning a person’s sexual orientation.
Financial information – this could be financial information of service users, the council or council employees.
Infrastructure – this may include servers and storage, as well as information on how your cyber security measures operate.
Email addresses, login details and phone numbers.
Service user/client lists

Considering the motivation of attackers - it is generally agreed that there are two different types of attack, targeted and untargeted:

Targeted attacks focus on a specific organisation or group of organisations. Significant efforts are put into the attack. Untargeted attacks look for vulnerable organisations and systems.
Attackers ‘comb the internet’, looking for a ‘way in’. Effort is generally lower, and automation is used – which makes these into an everyday event.

Examples of both can be found on the website of the National Cyber Security Centre.

It is vital that both staff and members have a broad awareness of cyber security issues to avoid unintentionally becoming part of a cyber attack – or just making mistakes that lead to unintended impacts. As Cyber Criminals seek to exploit trust to gain entry, attacks such as ‘phishing attacks’ become more common^[8].

Recent trends and developments

In early 2022 the DCMS launched the Cyber Security Incentives and Regulation Review (CSIRR), which is a follow up from the National Cyber Security Strategy (NCSS) 2016 to 2021 and accompanies the subsequent NCSS 2022. This is, effectively, a £2.6 billion strategy to improve cyber resilience of individuals and organisations across the UK.

A significant focus within these documents is on making the public sector more resilient, including helping councils protect their systems and citizens’ personal data from ransomware and other cyber attacks^{^[9]}. The Review and Strategy do envisage a more interventionist approach by Government than was taken previously^{^[10]}. The NCSC have also now published their 2022 Annual Review.

In 2021 as part of the autumn budget review the then Chancellor of the Exchequer, Rishi Sunak MP, announced that the Local Authority sector would receive £85.8m to assist in combatting cyber threats. Councils need to build the relevant expertise or resource to effectively ensure that their cyber security infrastructure and cyber health is satisfactory.

In 2020, only half of council employees received cyber training, with 45 per cent of councils employing no staff with recognised cyber security qualifications^{^[11]}. This may be because there is a hesitancy to spend money in this area due to budget constraints, the expense of training and purchasing tools/productions/solutions, lack of knowledge or that it simply may not be a priority area. However, the repercussions of a cyber attack could easily exceed the cost of building and maintaining this knowledge.

These pressures, and changes to national policy, are occurring at the same time as profound changes to working patterns and arrangements which have significant implications for councils’ digital resilience. The COVID-19 pandemic has made ‘out of office’ more of a norm, with flexible working arrangements increasingly leveraging both corporate and personal devices. Security policies and IT solutions need to be implemented to make sure that cyber security arrangements are resilient and manage any potential security vulnerabilities. More information can be found in BHIB Insurance's article on cyber security tips to keep councils online data safe.

The repercussions of a cyber attack could be very costly and disruptive if reviews of risk factors and reinforcing current cyber security policies are not undertaken.

Context and relevance for scrutiny

1. Research gathering and Asset Management

What has already been done in relation to cyber security in your council and are you using or aware of the National Cyber Security Centre (NCSC) Active Cyber Defence tools and services?

A good place to start in terms of examining cyber security practices, policy, and procedures in your council is to determine what is currently implemented. Some questions scrutiny may wish to ask, as a starting point when looking at cyber security, could be:

Does your council have a cyber security strategy? If it does not, does your council have a digital strategy and does cyber security form a clear and defined part of this?
Do you know who has leading responsibility for cyber security in your council – members, corporate leadership and ICT.
Which scrutiny committee(s) oversees changes and holds to account on the matter of cyber security?

CfGS has found that members of scrutiny committees may not be aware of what councils are already doing on cyber security. There are multiple reasons for this, including:

a lack of awareness of the threats
consideration that the subject is purely technology-led
high member and chair turnover preventing learning.

Whatever the reason, members should establish a baseline of knowledge about the fundamentals of council policy and approach in this area. It is useful, especially during research, for the scrutiny function to be able to understand the attitudes and culture within the council about cyber security, as it will inform any work that needs to be undertaken.

Furthermore, the NCSC has a wide range of tools and services that your council should be aware of and ideally engaging with. Their Active Cyber Defence tools seek to reduce the harm from commodity cyber attacks by providing vital tools and services. You can find out more on the NCSC website.

2. Leadership

How can the organisational leadership and the cabinet and executive effectively incorporate cyber security into the council’s central objectives?

Cyber security cuts across all council department and functions. If an attack were to occur, there is the potential for every aspect of your council to be affected.

One councillor that we spoke to as part of our evidence gathering exercise advised that, when their council fell victim to a cyber attack it was akin to having an epicentre that continued to ripple out. They stated that it caused months of disruption, systems had to be rebuilt at the cost of millions of pounds. Most importantly, it directly affected residents. As example, resident’s benefits were not paid to landlords. Because of the potential scope of impact, leadership must be engaged with the challenge, and must possess sufficient understanding to be effective.

Why is cyber leadership important?

Achieving assurance around cyber security arrangements should be a part of the council’s central objectives and be a feature of the council’s overarching strategy.

Ultimately, the leaders and executive set and promote the culture and values of the council. Cabinet and the political leader also set the work programme, leading the direction for policies and practices for the municipal year. From a leader’s perspective, cyber security should be an element within that programme, a running thread pervasive through all departments.

Achieving assurance around cyber security arrangements should be a part of the council’s central objectives and be a feature of the council’s overarching strategy.

Leaders across the council must collectively ensure that cyber security risks are identified as routine and managed appropriately, minimising risk. Whilst the technical elements of cyber security are likely to be implemented by trained officers, the risk is to the organisation and its departments, whose leadership are, in turn, responsible.

Relevant training for officers and members is vital. Promotion of the importance and dangers of cyber threats is crucial.

Political

The prioritisation of cyber security can be politically contentious. In terms of spend, leaders and cabinet may be hesitant to allocate significant portions of money and resources to cyber security needs. However, the costs if a cyber attack does occur can be devastating, therefore it is important to consider investing in this area. It is true that some solutions to cyber security issues will require investment in technology. However, pragmatic and forward-thinking solutions may also offer opportunities for cost savings and improved delivery in the short, medium or long term.

Selling the need to constituents to invest in cyber security may be a challenge. We spoke to councillors who advised that, on the doorstep, it was difficult to convince that funds need to be input into cyber security and related back-office staff and infrastructure, with some constituents seeing this as additional bureaucracy and a waste of public money. Public education has a vital role to play, and it may be wise to consider this within the overall cyber security strategy. Public views will shift swiftly in the aftermath of a successful cyber attack.

Within the local public sector, cyber attackers do not discriminate along political party lines, and as such there is a benefit in seeking cross party consensus with regards to proactivity on cyber security. We also noted comments from councillors in the opposition that they felt ‘out of the loop’ when a cyber attack did occur, losing the opportunity to understand both the reasons for the attack, and to contribute to lessons learned.

How does scrutiny play into this?

The role of scrutiny is crucial regarding cyber security and leadership. Scrutiny committees have the power and influence to help to guide the leadership on this matter and effectively hold it to account.

If a council has more than one scrutiny committee, it may be wise for cyber to be placed under the remit of one committee for purposes of co-ordination. The committee can then give the matter full focus, and carve out clear roles and responsibilities. Understandably, there will be a large volume of work passing through scrutiny, however cyber security is sufficiently pervasive to require ongoing conversation. Threats and risk postures change over time, they need to be considered and relayed to the leadership.

There are several questions that scrutiny can ask in relation to cyber security and leadership:

Who has responsibility for cyber security in the council, inside and outside of ICT?
Do the leadership have the necessary tools and knowledge to effectively make decisions on this matter?
Are the leadership performing due diligence on the matter of cyber security?
Is there an understanding that cyber security risk can affect all council departments and that the risk cannot be eliminated, but can be minimised?
Is cyber security incorporated into the council’s central objectives and will this be a topic that is continually reviewed?
Is there sufficient transparency on this matter?
Do members receive regular cyber security updates from senior officers and leaders – including on threats, incidents and near misses?

3. Training

How does the council have confidence that members and all staff members have the skills and knowledge to understand and play their part in action on cyber security?

Cyber security can appear quite an intimidating topic due to a focus on technical components. However, Members need not have technical expertise in the subject of cyber security to have an overall awareness of the issue and to begin incorporating approaches into their council’s strategic plans. That said, the need for training is important, so that members and officers have a basic understanding of the threats that face their organisation and how they can reduce the risks to an acceptable level.

Specific training opportunities are available for members, together with useful publications such as the LGA’s ‘Councillor’s guide to Cyber Security’. The LGA also run regular events on this topic for a range of officer and member audiences. These can be found on the LGA events page which is updated regularly.

Many councils also conduct regular or annual cyber security training. This is vital for members to take as well as officers and offers the additional benefit of understand the baseline being provided to all staff. Training regarding cyber security ought to be an ongoing priority as the threat is continually evolving. It should not only inform on organisational policy, but should also educate on the nature of the threat, personal responsibility, and the need to highlight vulnerabilities where present.

To supplement basic training, many councils will provide department specific training (e.g. in areas where sensitive data is handled), or undertaken wider training programmes, such as sending fake ‘phishing’ emails to employees. In this case, if an employee does not recognise a faked e-mail, there is opportunity to ensure that they receive additional education to understands what to look for in future.

It is also important to ensure that technical officers have the right skills and knowledge pertaining to cyber security, so they may play their part in minimising the risk of threats and identifying vulnerabilities.

In terms of the scrutiny function, there is a crucial part to be played in relation to examining the effectiveness of training, determining any gaps barriers to learning, for both members and officers. As example, scrutiny could ask why training has not taken place, or why it is not considered a priority. As with all queries in this area, members of the scrutiny committee should consider utilising the knowledge of technical expertise from within the organisation where assistive.

Additional questions you may wish to ask in terms of training and cyber security:

Is training sufficient?
Does it take account of the risks and threats to our organisation?
- Does it inform learners of our policies and expected behaviours?
- Does it encourage disclosure of security concerns and vulnerabilities?
- Is it revised to take account of new risks, threats and responses?
- How is training re-enforced? Re-training, supplementary training, etc?
- Is training mandated? What targets apply to training?
Does my council seek out, and utilise the learning and tools published from within the sector and authorities such as the NCSC?
Is there a disparity in knowledge and awareness between officers and elected members; if so, how can this be addressed?
What are our organisational barriers to learning about cyber security?
How well connected is my council with those who have developed good practice in this area?

Information about training by the NCSC can be found on the NCSC website.

4. Proactivity and review

How can the scrutiny function be more proactive on the issue of cyber security?

Case study - Durham

Durham County Council’s Safer and Stronger Communities Overview and Scrutiny Committee (SSCOSC) is a good example of scrutiny providing effective proactivity on cyber security. The SSCOSC monitors, reviews and makes recommendations linked to community safety within its statutory role to hold the local community safety partnership known as the Safe Durham Partnership (SDP) to account. It began looking at the matter of cyber in 2015, in 2017 the SSCOSC undertook a review on partnership work to prevent young people engaging in cybercrime and presented its report with recommendations to the Council’s Cabinet and SDP Board in 2018. Their work continued to 2020, focusing on reviewing implementation of recommendations from the Scrutiny Review of Cybercrime that aimed to raise awareness of this issue and sought to identify improvements to reduce the risk of young people becoming involved in cybercrime. Outcomes included the SDP working closely with the students at New College Durham, who produced an informational film in response to a live brief created by Durham Safer Cyber Group (a subgroup of the Safe Durham Partnership). In 2022 they revisited the matter and wanted to ensure that cyber enabled crime is a strategic priority. Durham County Council and partners within the SDP have done a vast amount of outreach work in the local community and have made positive gains in terms of public education and engagement on the matter.

As discussed previously, cyber security arrangements need to be continually reviewed and monitored as threats change and evolve. Therefore, proactivity on this matter by the scrutiny function is critical. Policies and practices need to be reviewed on a regular basis to ensure that risks are reduced. The scrutiny function has the means to hold the executive to account on these matters, considering whether there are potential gaps and/or inaction on cyber security policies.

Frameworks

The use of assessment frameworks can be assistive in determining the posture of the council against good practice, and indeed there may already be artefacts in place from annual compliance exercises which your council may be required to undertake, for example:

The Data Security and Protection Toolkit (DSPT, NHS Transformation Directorate) requires an annual self-assessed return for councils in England who work with NHS originated healthcare data. The return is focused on the NHS National Data Guardian’s 10 data security standards^[12]., which include valuable ‘good practice’ requirements in relation to Cyber Security.
The Public Services Network (PSN) IA Conditions. The PSN is a pan local government network to which most councils will be connected. An annual return, signed by the Chief Executive and stating security practices is required, as well as technical testing to determine IT vulnerabilities, plus a remedial action plan to manage them.
The Payment Card Industry Data Security Standard (PCI DSS) are a set of security standards designed to ensure all those that accept, process, store or transmit credit card information maintain a secure environment^[13]. If this applies to your council, more information can be found on the PCI Secruity Standards Council.

Whilst it may be of benefit for scrutiny committees to review these artefacts, the NCSC’s Cyber Assessment Framework (CAF) is currently being considered by DLUHC as a mechanism by which councils may assess their cyber security posture, and there are benefits in familiarising with its requirements. Additional to this, as the PSN network is to be deprecated in 2023, CAF is likely to be the replacement mechanism through which assurance of cyber security will be sought.

The scrutiny committee can use frameworks such as CAF to identify whether there are any discrepancies between its proposed Indicators of Good Practice and their own council’s approach.

Lastly, but not least, the LGA currently offer a peer-review based review of cyber security arrangements, through their Cyber 360 framework. This is based from the CAF, and offers the opportunity for an external review of cyber posture.

Technical monitoring

Hundreds of thousands of operations occur on council networks and IT systems per day. Increasingly, councils have invested in solutions that proactively seek out those operations that might be malicious, or which might indicate a potential cyber attack.

Whilst this is a technical area, which should be better understood through the advice of technology-focused officers and experts, scrutiny committee members should nonetheless aim to understand whether networks and

systems are monitored, what for, and how a response might be made if the worst were to be discovered, by who.

The latter feeds into the requirement for there to be a forward plan and proactive stance on recovery and response planning, were an attack to take place.

Additional questions that scrutiny committees may wish to ask about proactivity are as follows:

How does the council currently assess its cyber security posture against good practice, and how do we plan improvements where necessary?
Does the council approach to cyber security posture consider the key objectives, principles and good practice indicators set out within the NCSC’s CAF?
Have the council taken opportunities for independent review of its approach to cyber security where available?
How does the council monitor its networks and IT systems proactively for issues and concerns?
Has the council identified risks and vulnerabilities in its systems and networks and are they minimised to an appropriate level?
Has the council considered its response to a cyber security incident and developed plans to ensure resilience and effective response?
Can the scrutiny function be involved in testing these cyber-resilience plans?

5. Asset Management

As Asset Management is a cornerstone for other areas of cyber security, does the scrutiny function have confidence in the current asset management system in that it adequately supports delivery of services and other important operational matters?

Assets, in the context of asset management, are defined by the NCSC as anything that can be used to produce value for your organisation^{^[14]}. For context, in terms of assets that relate to cyber security, these include information, such as customer data and types of technology, IT hardware including laptops, smart phones, and tablets as well as comprising operating systems, network resources, software licenses and applications. With that said, the definition of asset management can vary, it can be information assets, technical assets or both. Scrutiny needs to understand the nuances of this.

Asset management provides the foundation for most other areas of cyber security, and good asset management ensures the smooth running of your council’s daily operations and delivery, as well providing a basis to efficient decision-making^{^[15]}. Technical asset management is predominately under the responsibility of the IT department, but in the wider context of potential threats, it is useful for scrutiny members to be aware of its pervasiveness and the weight it holds. This is especially true when considering it at information level – who knows what information is where.

Your council’s IT department will need to be aware of the nature, location and functions of each technical asset, this being hardware and software. This may be in some sort of ‘centralised database’, though this basic data must be supplemented with information that confronts challenges surrounding the changing vulnerabilities that affect IT solutions, and thus which devices may need updating and what operating systems they are using.^{^[16]} If your council has such an IT asset management system, its contents will need to be continually reviewed to take into consideration new threats. Again, whilst this is a job for the ICT department, members and officers may wish to consider points like this when considering wider cyber strategy plans. Replacing, updating and supporting systems requires the support of leadership, especially where costs beyond everyday are involved.

Additionally, it is best practice to ensure that operating systems and security functions, such as firewalls, are updated when necessary. To understand when this is required, it is important for relevant IT employees to engage with advice from organisations such as system suppliers, security forums and the NCSC.

Whilst the above advice is more geared towards the officers and IT professionals themselves, it is important for members to have the baseline knowledge of asset management in order to be better informed about their wider cyber security framework and therein identify any relevant gaps.

Scrutiny can add value in terms of asset management when looking at cyber security more generally. This can be by tasking relevant staff to review the current asset management approach and data, and seeing where they may fall short, as well as asking how often this is updated and considered.

Having an effective and competent asset management system linked in with management of vulnerabilities increases resilience against attacks because it allows the organisation to identify those vulnerabilities proactively, ensuring that the risks can be managed.

Questions to ask regarding asset management:

Does my council have a centralised asset management register and how is this defined, would this be information assets, technical assets or both?
If you do have an asset management system, who is responsible for the upkeep and reviewing of the asset management register?
How do we ensure that we know about updates and security functions, does this link to other parts of the asset management register?
How does our management of assets and their vulnerabilities tie in with our cyber security risk register? Are management aware of their level of vulnerability?

More info about Asset Management can be found in the LGA Cyber 360 Framework and on the NCSC website.

6. Risk Management

How can scrutiny add value in terms of ensuring that cyber security is effectively considered as part of your council’s risk management procedures?

What is risk management and how does this relate to cyber security policy?

“Risk management enables organisations to ‘create plans for the future in a deliberate, responsible, and ethical manner. This requires risk managers to explore what could go right or wrong in an organisation, a project, or a service, and recognise that we can never fully know the future as we try to improve our prospects”’^{^[17]}

Or, in simpler terms – risk management enables us to make plans and increase the likelihood of their success by avoiding threats. Robust considerations of risk focused on cyber security “ensure that risks to essential services are identified, assessed, prioritised and managed in line with the council’s defined risk appetite’^{^[18]}. This leaves a number of areas to consider:

Cyber security risk governance:

Risks, and the processes used to manage them will differ from council to council – however, it is vital that there are working processes in place to identify, evaluate and manage risk across the organisation.
Cyber security risks and IT risks should be governed in the same way as other business areas, to ensure they are linked in with your organisational goals and strategy. However;
Your council will need to invest time and energy in ensuring that resources are available who can assist in determining cyber risks and approaches to their management to ensure effective governance.

Cyber security framework:

Your approaches and efforts to maintain cyber security should be traceable back to risks which require management.
Knowledge and awareness of those risks and threats should be communicated between departments and relevant stakeholders to validate that approaches are well considered and effective in all necessary areas.
Policies and procedures should also be founded on and linked back to the management of risk, as well as leveraging opportunities where beneficial.

Cyber security risk assessment:

Risk assessments will need to be undertaken by your council, supported by appropriate knowledge and information, to recognise and understand the nature of risks and pinpoint vulnerabilities.
Risk assessments must be seen as an ongoing process – the nature of risks, threats and vulnerabilities changes on a daily basis.

Cyber security risk treatment:

Risks should be treated or avoided by implementing appropriate management controls, in adherence with the council’s wider risk management policy.

Scrutiny committees have an important part to play in terms of considering the council’s cyber security risk management policy and procedure. When scrutinising this matter, there is opportunity for members to probe what governance approach is right for them. Looking at elements such as, how the council will manage security risks in different business contexts and cyber security feeds into the wider risk management framework.

Members and decision makers need to ensure that they have the necessary tools and information when looking at risk management, the use of technical experts will be imperative here. Underpinning all of this is a culture of recognising that cyber security pertaining to risk management is a ‘given’ and that it needs to be included at all levels.

Questions to ask regarding risk management:

How will your council incorporate cyber security into your wider risk management plan?
Is information readily available and presented in a way that is easy to digest to ensure that members can make competent decisions in relation to cyber security?
Is there a culture within the council that recognises that cyber security is unilateral and needs to be incorporated at all levels within the council pertaining to risk
How will your council ensure that risk is effectively monitored in terms of cyber security?

You can read more on this on the NCSC website.

7. Supply chains

Is the scrutiny committee assured that risks are identified and managed effectively in relation to your supply chain partners and is this monitored regularly?

Your council will likely conduct business with a range of partners, suppliers, and stakeholders. These may include NHS bodies, social care providers, contractors, housing associations etc. Your supply chain may involve multiple partners and varying levels of integration – cyber threats may become relevant at any part of this chain - it is vital that you understand the nature of the supply chain, and the processes in place to safeguard your information and systems from threats.

You will need to ensure that your scrutiny committee is aware of^{^[19]}:

Who has responsibility for cyber security at the organisation within your supply chain, and how it links in with procurement;
The cyber security policies and procedures of organisations in your supply chain;
There are measures in place that ensure that the supply chain security is reviewed and vulnerabilities are detected.
Who is responsible for undertaking the supply chain cyber security processes and policies in your council;
Whether there is a clear feedback programme to organisations in your supply chain if you have questions about their practices;

Questions scrutiny committees may wish to ask in relation to cyber security:

Do we securely share information with third parties in our supply chain, how do we do it, and how do we monitor that processes are being followed?
Are we able to communicate our cyber security strategy and requirements clearly and competently to those in the supply chain? Do organisations in our supply chain share our understanding of risk and have they put into place their own mitigations to our satisfaction?
How do we ensure we only work with partners who manage security to our standards, and how do we continually monitor our dealings with the organisations in our supply chain?
Is there a policy and procedure in place if a problem arises in relation to cyber security within our supply chain? What would an effective escalation mechanism look like? Who would find out what, and when?

8. Data management

Is your data secure?

Data back-up is fundamental in this digital age, especially as much of your council’s data is valuable to malicious actors. Data must be protected from outside actors, but also from modification and deletion (within GDPR guidelines, though this would not apply to financial data). The NCSC advises that data should be protected in transit, at rest, and at end of life (that is, effectively sanitising or destroying storage media after use)^{^[20]} You should make sure that you are not retaining data that you no longer require. More information about data retention can be found on the Information Commissioners Office’s website.

Members and officers might have their own personal devices, here it is crucial that your data is secure, protected and the risks of threat are minimised. This should be in line with organisational policies which aim to reduce the risks from personal device usage. Though it is important to add here, that many officers and councillors will not have ‘personal devices’ that they use for work, they will be given devices by their local authority. If this is the case, usually is it then the responsibility of the authority to have stringent back-up policies in place. For example, the IT department will be the main ‘admin’ on your device, that can remotely add or remove programmes and can back-up data. Whilst this is a job for the IT professionals and departments, it is important for scrutiny to be aware of it, when overseeing the wider cyber security strategy, for example, how often this may be reviewed or updated.

Backing up data

A data back-up is defined by the NCSC as a copy of your data that is stored in a separate, safe, location. If access to data is lost, then you will then be able to obtain a copy of it from your back-up.

Depending on how your organisation is set-up, back-ups may be stored on the internet (‘in the cloud’), on disk storage within your IT infrastructure or that of your suppliers, or on tape. Regardless of where, backups must be:

Secure from unauthorised access, tampering and loss;
Comprehensive – sufficient information is backed up to enable you to recover business functions;
Timely – having a backup made 6 months ago means that you will lose 6 months of information if you are forced to restore from it;
Recoverable – you need to know that your backups actually work, and they must be recoverable within a suitable time period.

Depending on the risks, you may need to have multiple back-ups stored in multiple locations.

In the case of a ransomware attack, attempts are made to corrupt, or encrypt any data to which the attacker has access – and this can include backup data. You should be aware of whether you have back-ups are ‘immutable’ – i.e. sufficiently separated from everyday storage that an attacker cannot reach them.

Questions that scrutiny committees can ask regarding back-ups

What methods of back up do we use, e.g. cloud storage, tape, external hard drives and how are these managed in line with the goals above?
Is important data (see the introduction section for an overview as to what constitutes important data) backed-up in multiple locations and ways and does it need to be?
What is our current data retention policy, and does it adhere to the wider information management architecture policies, such as those set out in FOIA, GDPR and EIR?
How is data back-up monitored?
Is there a need to back-up officers’ and members’ devices? If so, are back-ups regularly reviewed and is training on data back-up readily available?
What advanced access control do we have on sensitive data, who has access to this and why?

9. Response planning

What are the response, recovery, and continuity plans for cyber incidents?

Cyber security policies and procedures should consider how the council would detect an incident, manage it, and operate during and following it. Incidents do occur, and no level of preparation offers a guarantee of invulnerability. It is important to be prepared for them, to examine your capabilities and explore where vulnerabilities may lie.

The National Institute of Standards & Technology (NIST ) expresses this as five functions, of which the last three are most pertinent in this context:

Identify: What assets and processes do you have, how will risks be identified and managed?
Protect: Implementation of functions and resources, including trained people, to manage those risks.
Detect: How will you monitor for, or be aware of an incident?
Respond: How will you act when an incident occurs, and how do you learn from incidents?
Recover: How do you plan for recovery of your services, implement improvements based on lessons learned, and communicate to stakeholders?

Your council will need to have a comprehensive incident response framework as well as understanding the need for incident management ^{^[21]}.

To form an effective response plan, it is integral that your council is regularly testing and undertaking exercises that identify where the incident response is robust and where it falls short. Exercises should consider a range of potential incidents, and should be seen as an opportunity to involve diverse parts of the organisation, as well as IT and Business Continuity and Emergency Planning teams.

Within your incident response plan, you will require plans for if your services and operations are disrupted, taken offline, are inaccessible or subject to data breach. You will need to consider the impact on services, and how you would maintain them or handle their absence for an acceptable period of time, whilst managing issues within your community.

Incident response plans must also consider how normal operations should be resumed, and in what priority order. Approaches for specific service areas, because different services may require different plans (e.g. benefits vs. housing) – however, you must be conscious that the resource to enact them may be shared across the council.

Scrutiny committees can provide a significant role in with regarding to determining the response plan for cyber security. Scrutiny members should keep an informal watching brief over developments in this area, bringing things to committee if they feel there are urgent or problematic issues that need to be dealt with.

Scrutiny committees can also assist in engendering a culture whereby it is understood that response planning is a matter that is relevant for all facets of the council. Scrutiny committees can highlight where there may be gaps in the incident management plan and the overall incident response strategy.

Questions scrutiny committees may wish to ask regarding response planning:

Do we have a comprehensive, effective response and recovery plan in the event of a cyber attack or incident?
Do we have measures in place to ensure that work and operations are able to carry on as normal, or at minimal acceptable levels in the event of an incident?
Have we considered how services will operate in the event of systems not being available for prolonged periods of time?
Does our council continually monitor its environment for current cyber risks and vulnerabilities to determine the potential for, and nature of, likely attacks?
What is our process for initially responding to a cyber security incident?

10. Lessons learned

If an incident were to take place, how can we learn from this and improve?

If a cyber security attack were to take place, it is important to recognise why and how this happened, and how measures can be implemented to ensure that there is a reduced risk and prevent potential reoccurrence.

As stated previously, it is impossible to eliminate the risk of cyber threats, this is due to the inherent nature of cyber threats in that they are constantly evolving and changing.

However, if your council were to fall victim to a cyber attack or incident, it there is an opportunity to learn from this and understand why and how this happened.

Scrutiny committees can proactively look at this issue as part of response planning, but should also consider asking questions as to why the issue occurred and how there can be improved processes in terms of identifying threats and vulnerabilities, managing risk, response and recovery. Scrutiny can also form part of the council’s formal debriefing processes from operational incidents and ensure that they have reasonable input.

Questions scrutiny committees may wish to ask regarding lessons learned:

Has your council identified the source of the incident and are there now measures in place to reduce the risk of this reoccurring?
Have the details of the incident been documented effectively and stored in a secure place?
Will there be a review into how this happened, and will cyber security measures be looked upon closely because of the incident?
Are decision makers been transparent and communicating with relevant officers, members and stakeholders?

Case study - Hackney

Hackney London Borough Council fell victim to a serious and sophisticated cyber attack in October 2020. The incident meant that many of their systems were unavailable, such as those that permitted residents to pay rent, council tax and to access housing benefit payments.

The attack was devastating and was part of a wider, growing trend of similar attacks on large organisations across the UK and worldwide. It came at the time when the council was already grappling with the impact of the COVID-19 pandemic.

The Council immediately began working with the NCSC, who supported the investigation into the attack. They also worked alongside the National Crime Agency (NCA) and Information Commissioner’s Office (ICO). The council’s Audit Committee received a number of updates on the attack and recovery, and also benefited from an independent audit carried out in order to assess the background to the attack, how it happened and from there, how they can improve their processes and systems going forward.

Most of Hackney Council’s services were up and running again around one year later, recovery efforts in that time involved: writing to thousands of customers affected by Council Tax service requests, working through backlogs in some other services, in particular- Business Rates, benefits, housing waiting lists and Planning and making corrections to bills.

Pertaining to why this happened, the council advised that they had made significant progress in moving their ICT systems to industry leading cloud services, but many of their key systems had not yet migrated to the cloud and were impacted by the attackers. The Council has advised other local authorities to perhaps consider migrating to ‘modern, cloud-based technologies’ to help them reduce cyber risks, highlighting the rapid increase in cyber threats. Whilst the risks of moving to the Cloud also require consideration, a cloud-based approach can often have benefits.

Hackney Council are keen for others to learn from their experience and emphasised the importance of having a robust cyber security framework and response and recovery plan. They have worked hard since the attack to ensure that officers and members have sufficient knowledge and relevant training in relation to cybercrime and how it can be minimised.

The Audit Committee and Overview and Scrutiny Committee played a crucial part in response and recovery, making sure that there was member level scrutiny and that they had regular oversight of the matter.

Jargon buster

National Cyber Security Centre: The NCSC is the authority on the UK’s cyber security environment, sharing knowledge, addressing systemic vulnerabilities and providing leadership on key national cyber security issues.^{^[22]}

General Data Protection Regulation: The Data Protection Act 2018 is the UK’s implementation of the General Data Protection Regulation (GDPR). Everyone responsible for using personal data has to follow strict rules called ‘data protection principles’. They must make sure the information is: used fairly, lawfully and transparently, used for specified, explicit purposes, used in a way that is adequate, relevant and limited to only what is necessary, accurate and, where necessary, kept up to date, kept for no longer than is necessary, handled in a way that ensures appropriate security, including protection against unlawful or unauthorised processing, access, loss, destruction or damage.

There is stronger legal protection for more sensitive information, such as: race, ethnic background, political opinions, religious beliefs, trade union membership, genetics, biometrics (where used for identification), health, sex life or orientation, There are separate safeguards for personal data relating to criminal convictions and offences.^{^[23]}

ICO: The Information Commissioner’s Office (ICO) upholds information rights in the public interest, promoting openness by public bodies and data privacy for individuals.

ICO is an executive non-departmental public body, sponsored by the Department for Digital, Culture, Media & Sport.^{^[24]}

Anti-virus or Anti malware: These programs are designed to detect and remove viruses and other kinds of malicious software from your computer or laptop.^{^[25]}

Malicious software: Known as malware - is code that can harm your computers and laptops, and the data on them. Your devices can become infected by inadvertently downloading malware that's in an attachment linked to a dubious email, or hidden on a USB drive, or even by simply visiting a dodgy website.^{^[26]}

Cloud computing: The cloud is the internet. “Cloud computing” represents all the services you can access across the internet. Many organisations have moved their technology out from their own datacentres into services hosted by third parties on the internet (e.g. their e-mail).^[27].

Multi Factor Authentication (including ‘Two Factor Authentication’): When logging into a device/account, you will do this usually with a password. Passwords alone can be vulnerable to malicious actors, and Multi Factor Authentication is an additional layer of security. For example, as well as your inputting your password, you may also be sent a text to your mobile with a verification code (you should have already securely added your mobile number)

Firewall: A firewall either permits or blocks a requested network connection—such as a website, an e-mail, or a file transfer—based on a set of policies determined by a network administrator or personal user. It is used to protect internal networks and private or sensitive data. A firewall also logs information about network traffic, which can help an administrator understand and prevent attacks^[28].

Endnotes

[1] Cyber and information security (nao.org.uk)

[2] 2022 cyber security incentives and regulation review

[3] Local gov Investigation warns council data for sale on dark web

[4] 2022 cyber security incentives and regulation review - GOV.UK (www.gov.uk)

[5] Big Brother Watch Cyber Attacks in Local Authorities

[6] LocalGov.co.uk - Your authority on UK local government - Councils reported 700 data breaches last year

[7] LGA Councillor's Guide to Cyber Security

[8] NCSC Phishing

[9] N ational Cyber Security Strategy 2022

[10] 2022 cyber security incentives and regulation review

[11] LocalGov Councils reported 700 data breaches last year

[12] Data Security and Protection Toolkit - NHS Digital

[13] Q1: What is PCI? - pcicomplianceguide.org

[14] Asset management - NCSC.GOV.UK

[15] Asset management - NCSC.GOV.UK

[16] IT Asset Management (nist.gov)

[17] Risk management guidance - NCSC

Appendix

There are a number of sources in which you may find information around cyber security arrangements and challenges, including:

performance information from across the authority and its partners
finance and risk information from across the authority and its partners
corporate complaints information, and aggregated information from political groups about the subject matter of members’ surgeries
business cases and options appraisals (and other planning information) for forthcoming major decisions. This information will be of particular use for pre-decision scrutiny
reports and recommendations issued by relevant ombudsmen, especially the Local Government and Social Care Ombudsman.