Local government agencies are firmly in cybercriminals’ sights. Between June 2016 and June 2017, almost nine out of ten (87 per cent) local authorities in the UK experienced a phishing incident. More than three quarters (76 per cent) had a malware or virus infection. Exactly 50 per cent suffered a ransomware attack.
The findings come from an iGov survey of 38 local government organisations, ranging from hospitals to local councils and even police constabularies. Respondents held a variety of organisational and technical roles, such as chief operating officer and head of ICT strategy. Malwarebytes sponsored the research and has made the report available on its website.
The survey asked respondents to rate the biggest risks to their organisations. Malicious threats ranked highest. Next was lack of awareness or insufficient education for users about the nature of threats. Many people said the need to patch legacy systems and software was a serious risk. Picking up on this point, the report commentary said: “legacy systems and solutions are still, for many organisations, having a negative impact on managing cyber risk”.
Asked about their biggest concerns from a possible security breach, respondents ranked losing sensitive data and suffering financial repercussions equally. More than half of the local government organisations (53 per cent) cited each of these concerns. Three out of ten agencies were most worried that a cyberattack could seriously affect their ability to deliver services.
Just 5 per cent were confident they had technology in place to identify and remove suspicious traffic on their network. By contrast, more than one in four (28 per cent) were not confident their technical defences could cope.
The report authors suggested that the risks facing local government will continue. They cited increasing sophistication of attacks and growing complexity of the security landscape as the reasons for this.
Although the Malwarebytes survey only covers the UK, there is a growing body of security incidents involving local authorities and State agencies in Ireland. Last December, Meath County Council was scammed out of €4.3 million via email fraud, although the money was subsequently recovered. When An Garda Síochána suffered an IT systems outage in August 2016, experts said the likely cause was a ransomware infection. Many parts of the Health Service Executive went into lockdown earlier this year when the WannaCry ransomware strain began spreading.
For any local authority or county council looking to gauge its current security readiness, an external security assessment can be a valuable exercise that identifies possible gaps, along with areas for improvement.