Cybercriminals have shown repeatedly that they love data, and the more sensitive it is the more money they can extort if they steal, encrypt, or restrict access to it.

Local governments hold millions of gigabytes of this type of data – including financial and legal information, sensitive planning details, confidential medical data, data relating to children at risk and even vulnerable women – including locations of domestic violence refuges.

And poor cyber security has led to numerous high-profile attacks against councils in the past few years. In the August bank holiday of 2017, Copeland Borough Council was hit by a zero-day ransomware cyber-attack. Within three days, most of Copeland’s files had been encrypted. Hackers demanded Bitcoin in return for the files to be returned.

The London Borough of Hackney was subject to a ransomware attack in 2020 in which personal staff data was released, land registry information was scrabbled, and local authority payments had to be halted. Sensitive personal data also led to a year long police operation to try and mitigate the risks to individuals caused by the loss and publication of this data.

Redcar and Cleveland local authorities were also attacked in early 2020 and it is estimated to have cost in the region of £10 million due to the loss of services and a need for system upgrading across many sites.

As more services go online and information becomes digitized the challenges faced by local governments and the solutions to the areas of attack become more complicated. One thing is simple however, strong passwords reduce the chance your organisation will be compromised.

So how can local government make sure their passwords are strong and safe?

This will need to be led from the CEO and senior management team and will need to be done in conjunction with any in house or outsourced IT support. But the following tips hold true.

1. See what passwords you and your staff have which are already known. Why not run a poll to see who has the most/least breaches? Haveibeenpwned.com is a website where you can enter your email address, telephone number, and see if your information has been captured in a data breach. As a business owner you can also register your domain and get notified when your domain pops up in another breach.
2. Have a clear password policy for staff and tell them why having strong, unique passwords are essential. If you need help with this, our affordable student services offer security awareness training. Why don’t you make a booking to discuss further?
3. Enable Two Factor Authorisation wherever you can, but especially on your emails and social media accounts. Even with the best passwords, once someone knows that password then the system is not secure. With 2FA, even if the password and username are known, the criminal won’t have access to the second verification factor so they shouldn’t be able to just “log in”. You can find more about 2FA here https://www.youtube.com/watch?v=OR53Y49gAmQ&t=1s.
4. If your staff have loads of passwords to remember, consider getting an enterprise password manager so they only have to remember one and the password manager generates and remembers the rest – goodbye reused passwords.
5. Join the ECRC with free membership. Core members receive regular updates which include the latest guidance, news, and security updates as well as a series of "little steps" emails designed to get your business cyber resilient. https://www.ecrcentre.co.uk/core-membership-sign-up
6. Get free staff training from either the National Cyber Security Centre or through your local cyber protect officer (contact us and we can refer you). Or speak to someone at the centre about our low-cost affordable training options https://www.ecrcentre.co.uk/contact-us

Password security

The below graphic represents the time to brute force a password using current technological capabilities. Pretty scary when you think of what your passwords are right now?

So, passwords should really be in the top two tiers to be effectively secure.

An ongoing issue is that the more complex the password the more difficult it is to remember - and with the general lack of uptake around password managers the NCSC guidance continues to encourage staff to use three random words as a password instead.

To find out more general stuff about passwords why not watch our short videos?

Further guidance & support

You can contact the Cyber Resilience Centre for guidance and support through our e-mail enquiries@ecrcentre.co.uk or use our online booking system to make an appointment with one of our team.

We also provide free guidance on our website, and we would always encourage you to sign up for our free core membership. Core members receive regular updates which include the latest guidance, news, and security updates. Our core membership has been tailored for businesses and charities of all sizes who are based across the seven counties in the East of England.

Finally, you may have access to IT support within your business and we recommend that you speak to them now to discuss how they can implement cyber resilience measures on your behalf.

Reporting Cyber Crime

Report all Fraud and Cybercrime to Action Fraud by calling 0300 123 2040 or online.

Forward suspicious emails to report@phishing.gov.uk.

Report SMS scams by forwarding the original message to 7726 (spells SPAM on the keypad).

By reporting phishing and cyber crime you could be helping protect other organisations. The NCSC’s Takedown Service, which removed more than 2.7 million scams from the internet last year alone.