The recent ransomware attack on Leicester City Council is a stern reminder of how vulnerable UK local councils are to increasing cyber threats. How should local councils defend themselves?
The council not only experienced a massive 1.3 terabyte data theft but also saw its support services shut down, including child protection, adult social care safeguarding, and homelessness. Even weeks after the attack, its impact continues to show, as the city’s lighting systems are still disrupted. According to reports, several streetlights across the city are being lit all day, affecting the council’s energy consumption.
However, this attack was not a one-off incident, as security threats across all local councils have significantly increased over the last few years. Between March 2022 and 2023, cyberattacks across the entire Sefton council increased up to 50 per cent. And earlier this year, three neighbouring councils in Kent were targeted by simultaneous breaches, affecting their public-facing systems.
Given such heightened risks, limited resources, and increasing complexity,y the,n a shift in mindset is necessary, moving from reactive measures to proactive, comprehensive defences that anticipate and mitigate potential breaches.
Increasing cyber threats: The challenges faced by local councils
Local councils manage critical functions and store a plethora of personal data, from tax records to personal identifiers, making them attractive targets for cybercriminals. These data points are highly sensitive, increasing the potential for significant consequences if breached. Cyberattacks on such entities do not just lead to data loss but can erode public trust and disrupt essential services, which often have far-reaching impacts on community operations.
The inherent vulnerabilities of local council networks are largely driven by their continued reliance on outdated IT systems and end-of-life software that are not equipped to handle modern cyber threats. These systems are frequently patched together over many years, which introduces complexities in maintenance and security upgrades.
Most concerningly, many councils operate under tight budget constraints, limiting their ability to invest in the latest cybersecurity technologies or even maintain adequate staffing for their IT security teams. A recent survey from the Public Technology Institute shows that only 23 per centof the councils are ‘very engaged’ in cybersecurity initiatives. And while 55 per cent of the councils increased their cybersecurity spending in 2023, 7 per cent actually reduced their budgets.
Councils’ increasing reliance on third-party vendors for services ranging from data processing to infrastructure management, further compounds these security challenges. These partnerships can introduce risks if the third party’s security measures are weak, as seen in various incidents where breaches at a vendor level led to data compromises within councils. For instance, last year, Colchester City Council saw over 7,000 of its user data compromised through a breach on its third-party contractor, Capita.
At the same time, local councils are digitalising their services, adopting cloud-based solutions to improve accessibility. However, this increased digitalisation introduces more unique risks and vulnerabilities.
The shift towards cloud migration and its implications
The increased migration to the cloud disperses data across multiple platforms and services, often outside the direct control of the council’s IT department. This dispersion complicates data governance and also expands the potential attack surface. Each integration point and service provider can potentially be a new vulnerability unless adequately secured.
Threat actors are quick to exploit these vulnerabilities. They use sophisticated techniques to attack weak points in the cloud infrastructure, such as misconfigured storage buckets or inadequate access controls, which can lead to significant data breaches. The implications of such breaches are severe, ranging from financial penalties for data protection failures to the loss of public confidence in government services.
The increasing reliance on cloud services necessitates a re-evaluation of traditional security practices. Security models that focus solely on perimeter defence are becoming obsolete as data flows more freely across environments that the council does not physically control. This situation demands that security measures be more dynamic and adaptable to the changing landscape, focusing on data-centric and user-centric approaches.
The imperative of a Zero Trust approach
Adopting a Zero Trust security framework is becoming a necessity to effectively counter the sophisticated cyber threats facing local councils. Zero Trust operates on the principle of “never trust, always verify,” a significant shift from traditional security models that assumed everything inside the network could be trusted.
The core principle of Zero Trust lies in treating every access request as if it originates from an open network, regardless of the user’s location or the network used. This means that both external and internal requests are subject to strict verification before granting access to any data or services. Implementing this model involves a comprehensive reconfiguration of network and data access strategies to ensure that they are robust enough to manage the sophisticated threat landscape.
One of the critical components of a Zero Trust architecture is Zero Trust Segmentation (ZTS). This technology divides the network into smaller, manageable segments, each operating under its own strict access controls. For example, ZTS can be likened to a series of secure, locked doors within a bank. Just as a bank might have separate vaults for different types of assets, with each vault requiring unique access credentials, ZTS divides a network into distinct zones or segments. Each segment is secured and controlled independently, ensuring that even if threat actors breach one segment, they cannot move freely to others.
It’s an approach that limits the movement of a potential intruder within the network, effectively containing any breach to a small segment and significantly reducing the overall impact on the council’s operations.
Most importantly, ZTS can provide tangible financial benefits for councils. A 2023 commissioned Forrester Consulting Total Economic Impact™ study of Illumio ZTS showed that Zero Trust Segmentation solutions reduced the blast radius of a cyberattack by up to 66 per cent, saving organisations up to $3.8 million in downtime over three years. It also reduced the operational efforts of security teams by 90 per cent. Such ROI can be crucial for local councils who are already stretched on budgets and technical resources.
Adopting a Zero Trust strategy also emphasises continuous monitoring and validation of all devices and users within the network, enhancing the ability to detect and respond to threats in real-time. This ongoing evaluation is supported by advanced analytics and artificial intelligence to identify unusual patterns that may indicate a breach.
Overall, by embracing Zero Trust, and specifically Zero Trust Segmentation, local councils can more easily protect themselves against significant data breaches and ensure they are resilient enough to recover quickly should an attack occur. This proactive stance is critical in maintaining the integrity of their services and the trust of their communities.
This piece was written and provided by Trevor Dearing, Director of Critical Infrastructure at Illumio
