Geoff Connell, President of Society of IT Managers (SOCITIM) and CIO of Norfolk County Council, will be a keynote speaker at the new Public Cyber Security, focusing on current and future cyber security threats faced across the UK public sector. To help set the scene for PCS Connell talked to Vivienne Raper about the growing range of cyber threats to local authorities, and the looming challenges of the European Union’s General Data Protection Regulation (GDPR).
Connell became president of Socitm, the professional body for people involved in the leadership and management of IT and digitally enabled services delivered for public benefit, in 2016, having first headed the London SOCITIM group. He’s made cyber security one of priority areas for Socitim.
He says that the challenge to local authorities on cyber threats comes at a time they’re doing more online with reduced budgets. And this trend intersects with a growth in the volume and sophistication of cyber threats. It makes for a knotty set of challenges.
Working together against cyber threats
The rise of new threats, makes it vital for public sector IT leaders, from across health, local and central government, to learn from one another.
“Our ability to protect ourselves from cyberattacks or to minimise their impact comes from working together, in a joined-up way,” said Connell. “What I can offer is an understanding of what we’re already doing to make ourselves stronger together.”
A larger online presence
Asked what cyber threats local authorities should be worried about, Connell says that local authorities had a far larger online presence than in the past making them more vulnerable to attack.
Cheaper and easier hacking
At the same time, as local authorities become more exposed to cyber threats, Connell says “it’s much cheaper and easier for someone or an organisation to launch an attack than in the past.”
He says hackers can now buy tools from companies that behave like legal businesses. On the Dark Web: “It’s quite amazing. You can see all these commercial offers – Buy One, Get One Free – for your hacking tools.”
Growing threat of cyber attacks
He warns cyber attacks are growing in scale, impact and volume, and local government and healthcare “have to be really careful about the way we do things online.”
Connell says these challenges come at a time of reduced budgets: “It’s a real challenge to make sure we can do the things we used to do in the past, never mind the new things we need to do to keep ourselves secure.”
Local authorities in ‘reasonably good shape’
Connell says local authorities are “in reasonably good shape” in terms of their cyber security preparedness. As an example, he says they need to pass UK government checks to join the Public Services Network (PSN) and health networks.
He points out that local autjorities were not hit by Wannacry in the way their counterparts in the NHS were: “If we look at the WannaCry attack in May, no local authorities were directly impacted by that, it was only in association with NHS organisations.”
Avoiding complacency, allways more to do
However, Connell warns that local authorities “can’t be complacent” and says there’s “still much work to do.”
Asked about his experience ensuring cyber security at Norfolk County Council, he explained they received around 28 recommendations for improvement in the external audit of cyber capabilities that he commissioned.
“Even an organisation that’s funded at a reasonably good level, and which takes cyber security seriously, can find quite a few opportunities to do it better.”
The right skills
Asked for tips for other local authorities and NHS organisations, the Socitim president says: “Often you’ll find [people have] good technical skills or good policy procedure skills – so make sure you’ve got both.”
He explains that people often come into cyber security from either a policy and information governance, or a PC and server background, and can sometimes lack skills to the same level in the other areas.
The new data protection act
The General Data Protection Regulation (GDPR) comes into force on 25 May 2018. Designed to strengthen and standardise data protection legislation across the European Union, the regulation replaces the UK’s Data Protection Act 1998. By the time of Public Cyber Security it will be just six months until GDPR comes into force.
Connell says that because the fines associated with data loss, whether digitally or through traditional paper-based methods, will rise dramatically after GDPR comes into force, its vital public bodies ensure they are readt.
Asked how he is implementing GDPR, Connell says it’s “an improvement project”, building upon work they’ve already done to comply with the Data Protection Act.
He points out that only around 20% of GDPR requires new information governance, such as the right to be forgotten or erased.
Implications of GDPR
Connell believes the long-term impact of GDPR will be improved transparency over how people’s data is used. But he warns, in the short term, “I think it’ll be challenging because a lot of legacy systems have not been designed with that in mind.”
He worries there’s a risk that implementing GDPR could delay some new online services or cause the withdrawal of existing services that aren’t GDPR compliant.
How to implement GDPR
Asked to advise on how citizen-facing services can implement GDPR, he said: “the main one is to make sure it isn’t seen as an IT issue, but as an organisational, information management issue.”
Geoff Connell will be speaking 11.25 – 12:10 on Current Threats at Public Cyber Security, 7 December, ICC, Birmingham.
Public Cyber Security is the dedicated new conference from Digital Health focused on protecting citizen-facing public services and is free to attend for public sector information security, IT and IG professionals, with a particular focus on health and local authorities.