Local government is the heart of communities in the UK and around the world. From public parks and bin collections to schools and social services, it provides the day-to-day services we need in our lives. But a combination of cuts to funding and new cyber threats is leaving these vital services and the personal data they collect open to attack.
Councils have become one of the most tempting targets for cybercriminals using ransomware to extort public money: Copeland was hit in 2018, and Redcar and Cleveland and Hackney were both hit in 2020. The two most recent of those attacks are estimated to have cost more than £20m on top of the serious disruption that went with them.
The research in Sophos’s The State of Ransomware 2021 report shows that a third of local governments were hit by a cyber attack in the past year. In more than two-thirds of those cases attackers managed to encrypt their data, and where that happened around four in ten victims paid out a ransom. This relatively high proportion of local governments paying out to cybercriminals is perhaps because only four in ten of those whose data was encrypted were able to restore their data from backup. The average cost of an attack to local government around the world was $1.64m (£1.2m).
Ransomware and the infrastructure around it are constantly evolving, adapting their technology and tactics to new defences and newly discovered vulnerabilities. Attackers now not only encrypt files but steal them and threaten to release them publicly if a ransom is not paid. This “double extortion” technique has become almost universal. Once that data is stolen, even if it can be recovered from backups or the ransom is paid, it is out there and cannot be “un-stolen”. Nor can the trust between local government and citizens easily be repaired.
For the ransomware attackers, local government offers several attractions, including legacy systems and a relatively low level of IT resources to defend them. Attackers also know that local government is under pressure to maintain public services, something which multiplies the effect of any disruption. Despite these risks, according to The State of Ransomware 2021, more than a quarter of local government respondents globally admitted they had no malware recovery plan, the lowest of any sector surveyed.
Local authority IT professionals are under no illusions about the threat posed by ransomware. When Sophos polled 200 IT staff in this sector in March 2021, ransomware was rated the top concern by 63 per cent of respondents. As with any sector, local authorities depend on a variety of systems old and new, with some old enough to be classed as legacy – for example, applications that require server operating systems that are end-of-life or beyond. In many cases, migrating from these takes time both for budgetary and organisational reasons. Likewise, physical hardware such as PCs, mobile devices and network infrastructure is also used beyond its intended life for reasons of financial necessity. However, cyber attacks now efficiently target an ever-wider range of flaws, which means that legacy systems have turned from abstract risks into concrete liabilities.
The move to fully working from home during the Covid-19 pandemic took these risks and multiplied them even further. Again, as with other sectors, the logistical challenges of this rapid transition were massive and mean a much greater ongoing workload to keep those systems safe and secure. Even when enough devices and connectivity are available, remote working places huge pressure on endpoint security, network segmentation, data access policies, remote access and cloud security, and authentication, and raises the risks of shadow IT.
The biggest target for any attacker is, however, the employees or end users, hence the ubiquity of targeted email phishing attacks designed to steal credentials or money. This emerged from the realisation that it doesn’t matter how much technology organisations deploy to defend themselves if it can be bypassed by a simple play on human psychology. User education is the obvious answer, changing the assumptions of trust that users make when using systems such as email. However, it’s not a magic fix. Staff and end user awareness needs to be built on constant reminders as well as hands-on training and adapting to new tactics.
If local government is going to continue to be a trusted part of our community, it needs to take its security seriously, because its security is the security of the community it serves. We entrust it with information about our lives, the education and safety of our families, and the taxes we pay to make it happen. It is one thing to see and understand the problem, which many local governments and the people who work for them do, but it is another to take the necessary action to safeguard critical services and protect the data of residents.