UK councils are suffering an average 37 cyber-attacks per minute as a result of inadequate training, according to a report by Big Brother Watch.
A study by the privacy rights group found that local authorities in the United Kingdom were subjected to some 98 million cyber-attacks between 2013-2017, with at least one in four councils experiencing a data breach as a result.
Despite this, more than half (56%) of councils who experienced a breach or loss of data did not report it.
The report is based on a Freedom of Information (FOI) request sent by Big Brother Watch to every UK local authority. Responses were provided by 395 councils – representative of nearly 95% of all local authorities in the UK, according to the group.
It found that 114 councils experienced at least one cyber security incident – referring to an actual data breach – between 2013 and 2017. This amounted to a total of 376 incidents over the four-year period.
Merton and Westminster councils suffered the highest number of data breaches, with three each. This was followed by the councils of Dacorum, Lincolnshire County, Derby, Canterbury, Warwick, Shetland and Tonbridge Malling, which each suffered two cyber security incidents resulting in a data breach between 2013-2017.
Data breaches and losses most commonly came as a result of human error, due to a lack of training: the findings revealed that 75% of councils did not provide mandatory cyber security training, while 16% provided no cyber security training whatsoever.
Big Brother Watch suggested that cyber security was not being “appropriately prioritised” by local authorities, which it said was particularly concerning given the “every-expanding troves of personal information” being held by councils on members of the public.
“While some councils have taken measures to face the ever-growing threat from cyber-attacks, the areas of staff training and reporting of successful cyber-attacks need urgent attention,” the report read.
“Cyber-attacks are not only designed to breach computer systems, but also to exploit humans who are often the weakest cyber security link. The ability to identify threats must not be reserved to ICT specialists but spread throughout the staff body.
Increasing cyber awareness
Amongst its conclusions, Big Brother Watch recommended that all local authorities should offer compulsory training in order to increase “cyber security awareness” among staff.
It also suggested that councils should reprioritise funding from surveillance and data collection toward cyber security, in addition to establishing a protocol for reporting incidents to the police, Information Commissioner’s Office or the National Cyber Security Centre.
“Under the banner of data-driven government, [councils] are seeking to actively gather more information about people,” the report stated.
“This accumulation of big data evokes not only concerns about ethics, rights and violations of privacy, but also about how equipped councils are to protect citizens’ sensitive data. The number of serious cyber-attacks is forecasted to significantly rise in the near future, making cyber security risks a clear priority.”
A Public Accounts Committee meeting in February heard that every NHS trust tested against cyber security standards had failed.
Following a review into the WannaCry incident that affected NHS trusts in 2017, NHS England CIO Will Smart has called for the appointment of a national chief security officer within the NHS.
1 March 2018 @ 12:41
Maybe we should all be spending more on security, and it seems in terms of local authority definitely need to do more on awareness, but this seems like pretty poor analysis to me. The attacks per minute is no surprise it just depends how you measure it, and the report notes this fact. Are these attacks on firewalls, or mail attachment type things, nearly all of which normally get blocked at firewalls anyway? It seems they are, as this is what was requested, though not complied with by all who answered their query. Why report every single probe on a firewall, it’s just noise, but that’s what they want, because looking at the authors the idea of this report is to sensationalise it. Although there are definitely some security issues in there, I strongly suspect the majority are data breaches of a different kind, a mixture of things like people emailing the wrong person, or straightforward loss, even of physical data ie paper. The report isn’t clear on this, which kind of confirms it and therefore, I assume no link with “cyber” attacks. The way this report is written it’s just scaremongering by a group who seem to be anti data collection in general, so it’s another angle for them. SAD!