Cybercriminals have shown repeatedly that they love data, and the more sensitive it is the more money they can extort if they steal, encrypt, or restrict access to it.

Local governments hold millions of gigabytes of this type of data – including financial and legal information, sensitive planning details, confidential medical data, data relating to children at risk and even vulnerable women – including locations of domestic violence refuges.

And poor cyber security has led to numerous high-profile attacks against councils in the past few years.

The London Borough of Hackney was subject to a ransomware attack in which personal staff data was released, land registry information was scrabbled, and local authority payments had to be halted. Sensitive personal data also led to a year long police operation to try and mitigate the risks to individuals caused by the loss and publication of this data.

Redcar and Cleveland local authorities were attacked in early 2020 and it is estimated to have cost in the region of £10 million due to the loss of services and a need for system upgrading across many sites.

In the August bank holiday of 2017, Copeland Borough Council was hit by a zero-day ransomware cyber-attack. Within three days, most of Copeland’s files had been encrypted. Hackers demanded Bitcoin in return for the files to be returned.

As more services go online and information becomes digitized the challenges faced by local governments and the solutions to the areas of attack become more complicated.

Websites are essential to local government providing a digital connection to residents about services provided. They also may provide a portal for worker and customers, whether it is to allow remote working or to allow residents to access services. Having a single place for people to interact with your business simplifies interactions, is cost effective and efficient. But if there is a misconfiguration or vulnerability in the way the website is set up then you could be leaving your sensitive data open for a criminal.

Common website cyber threats

1. Weak passwords so criminals just log in to your systems – no technical experience required but easy to fix from your point of view.
2. Your website isn’t updated with the latest security patches – criminals know when security patches are released and will look for those sites which haven’t been updated and therefore have a known security issue that they can exploit.
3. Your website is vulnerable to SQL injection attacks – this is a technique where a criminal places malicious code into SQL statements via web page inputs and could potentially destroy your database!
4. Your website is vulnerable to XSS (Cross-site scripting) attacks – this is where the criminal compromises the interactions that users have with your website or application.
5. Your website has insecure direct object references – this is part of access control implementation mistakes which can lead to access controls being circumvented and a criminal able to access your valuable data.

Do you know if your website is vulnerable?

The only way to really know is to pressure test your site.

But do you really want to know? Nothing bad has happened so far and if you don’t know about it then surely you can’t be guilty of not fixing it?

Ask yourself these questions:

• How would the people that you represent feel if their sensitive data were stolen and sold?
• How would your supply chain feel if their confidential data were leaked?
• Would your customers have expected you to do everything you could to protect their data?

The ECRC offers members affordable web application vulnerability assessments. We work with local university students who conduct the testing and provides you with a detailed report, but explained in plain English, so you understand what the risks are and what you need to do to fix them. Find out more here: Remote Cyber Vulnerability & Threat Assessment Services (ecrcentre.co.uk)

Is there anything I can do for free?

1. Sign up to the Eastern Cyber Resilience Centre https://www.ecrcentre.co.uk/core-membership-sign-up– its free and we will give you support and guidance around the areas that you need to consider in every aspect of your business to build your resilience.
2. Get your staff to check their details on haveibeenpwned.com – you can search for your email address and telephone number against data breaches and if your details show up in them you need to change your passwords (everywhere you use the password). Once you have done this implement strong password policies. Passwords should be unique and complex. Watch our short video for more information about this.
3. Enable two factor authentication (2FA) on all your important accounts (email, social media, where you have financial information stored) – this will stop a cybercriminal from being able to access your accounts, even if they have your username and password form a data breach. You can find more about 2FA here https://www.youtube.com/watch?v=OR53Y49gAmQ&t=1s.
4. Apply all security updates to your applications, systems, and devices.
5. Get some free staff training from either the National Cyber Security Centre or through your local cyber protect officer (contact us and we can refer you).

Further guidance & support

You can contact the Cyber Resilience Centre for guidance and support through our e-mail enquiries@ecrcentre.co.uk or use our online booking system to make an appointment with one of our team.

Finally, you may have access to some sort of IT support within your business and we recommend that you speak to them now to discuss how they can implement cyber resilience measures on your behalf.