We are seeing more and more, news reports of local councils falling victim to one cyber-attack or another, causing no-end of disruption both within the organisation and externally. For example, a ransomware attack on one city council left a number of streetlights permanently on day and night, with another council claiming it was fighting off 10,000 attacks a day.

According to the ICO (Information Commissioner’s Office), cyber-attacks on local authorities increased by 24% between 2022 and 2023, with three-quarters of incidents arising due to phishing scams.

So, we sat down with Ryan James, Corporate Information Security Officer (CISO) at Merthyr Tydfil County Borough Council – the first council in Wales to make cyber resilience a must-have for all businesses it tenders with – to learn how its tackling this growing issue and what positive changes it’s seen since it launched this cyber initiative.

We reported back in 2021 that Merthyr Tydfil was the first in Wales to make cyber resilience a must-have for all businesses it tenders with. How was this received by your supply chain and what kind of difference has it made to your cyber security as a whole? 

 Since we introduced cyber accreditation as a mandatory requirement for doing business with us, our supply chain partners have taken several steps to align with this requirement. Many suppliers have proactively upgraded their cyber security measures, implementing new technologies and protocols to meet criteria. This has led to an overall improvement in data security practices across the supply chain.

Most have been supportive of this initiative, recognising the importance of cyber security in safeguarding their own operations, but also realising that cyber resilience is a requirement for nearly all organisations they want to do business with.

Broadly speaking, what internal cyber security measures and processes has Merthyr Tydfil put in place to ensure their online systems remain safe?

As an organisation, reviewing our security posture is an ongoing exercise and is extremely important for all organisations to do. We are pleased to be part of CymruSOC, a key initiative in Wales, launched to protect public sector organisations from cyberattacks. It is the UK’s first national security operations centre and plays a crucial role in safeguarding Welsh local authorities, fire and rescue services, and public sector bodies by providing a shared cybersecurity infrastructure.

Do you think there is an increased awareness and greater demand for better cyber security amongst businesses/ organisations in your local area?

 Definitely, and this is driven by key factors such as the rising cyber threat being reported in the news – smaller businesses that may not have considered cyber security previously assuming they would not be a target, are now more aware.

They have an increased digital dependence, accelerated by the COVID-19 pandemic, and know that their need to secure these digital environments has grown significantly. Organisations like us require their suppliers to meet certain standards to protect their own infrastructure from being compromised through third-party vendors. This has led to greater awareness and investment in cybersecurity measures across businesses and organisations in our local area.

 Is cyber security something you actively promote in your area amongst the business community? How does Merthyr Tydfil business community go about raising awareness of supply chain security to the local business community?

 We do this through a combination of education, partnerships, and practical resources. Through business networks we have held workshops tailored to SMEs covering basic cyber security practices such as recognising phishing attempts, using strong passwords, and securing networks. We point SMEs to other organisations such as the Cyber Resilience Centre for Wales (WCRC) and National Cyber Security Centre, and the resources and training they provide to help them understand and improve their cyber security posture. They offer easy to understand guides, toolkits, and checklists that they can implement immediately.

 What advice would you give other Welsh councils when it comes to better cyber resilience?

 Adopt widely recognised frameworks like Cyber Essentials, Cyber Essentials Plus and ISO 27001. These standards help ensure that councils maintain baseline cyber security practices and meet regulatory requirements. Cyber awareness and training are important ensuring staff at all levels are trained in cybersecurity best practices. Board level training is important also, so senior managers understand their responsibilities and the questions they should be asking to ensure the organisation is in the best position it can be in terms of cyber security.

Ensure that incident response plans are up to date and tested regularly through simulations or tabletop exercises – involving all service areas such as emergency planning, communications, HR, finance etc. It is also important to foster a culture of collaboration amongst Welsh Councils by sharing cyber security best practices, incident reports, and lessons learned – it can help raise the overall level of cyber readiness across the region and create a stronger, unified defence.

If you would like to become a member of the WCRC, it’s free to join through our core membership option. Membership provides government-approved guidance, along with practical resources, regular cyber updates, tips and access to a local network here to help you protect your business and people. Alternatively, please contact the team to discuss your cyber requirements.