The cyber security challenge for Local Government Organisations
According to a recent ITV News investigation there is an enormous disparity in security spend across public service organisations, leading to hundreds of website vulnerabilities and to staff email addresses and passwords being posted online. As the country relies on these services to enable Britain to run smoothly and effectively on a day-to-day basis, it is important to provide as much guidance and support as possible to close the gaps that currently exist.
In the investigation it was found that one council in Britain spends just £32,000 a year on cyber security, whilst another council with a much smaller population has an annual budget of £1,000,000.
There will always be huge demand on councils to ensure they are spending effectively, and the recent pandemic has accelerated the need for digital innovation within local authorities. This accelerated transformation may have introduced new, unknown vulnerabilities across the key security pillars of Process, People and Technology. Combined with the ever-increasing sophistication of cyber threats and the rise in geo-political tensions, the risk of a cyber incident is now greater than ever.
It is worth pointing out that protecting a local authority or, indeed, any organisation does not have to be prohibitively expensive. The most cost-effective and in fact the more reliable approach is to work with a Managed Service Provider, which specialises in managing cyber security for many different organisations in many locations, globally. Doing so not only removes the complexities associated with evaluating and deciding which security tools are the best to invest in, but also negates the larger and more pressing challenge of identifying, recruiting AND retaining the appropriately skilled cyber security team needed to operate those shiny new tools. Owning the Formula 1 car is one thing, but if you don’t have an elite driver or team of engineers to operate it, you are unlikely to win many races. Cyber security is, to all intents and purposes, the same: it is a race to detect and respond to suspicious activity 24/7 before the potential attacker has time to cause severe damage and impact to the target authority.
The Local Government Authority (The LGA), a national membership body for local authorities, has created a Cyber 360 Framework which reflects the view that an organisation-wide approach is needed rather than one limited to IT-focused principles, again looking at the key security pillars of people, culture and processes.
The framework itself focuses on 14 key areas:
- Leadership & Governance – effective leadership is key to improving cyber security posture, but it must be paired with effective governance to demonstrate that the relevant policies and processes are in place
- Risk Management – understanding the risk landscape and how risk is managed within the local authority enables much better informed decisions about cyber security
- Asset Management – having a clear view of all assets and the vulnerabilities that may exist within them, and being able to identify, manage and mitigate those risks that could impact essential services
- Supply Chain – managing cyber security risks throughout the external supply chain to ensure correct practices and processes exist to minimise the impact on the local authority itself
- Service Protection Policies and Processes – effective policies and processes for securing the systems and data that support essential functions and services
- Identity & Access Control – appropriate methods to authenticate and authorise users and devices, reducing the risk of threat actors gaining unauthorised access
- Data Security – effective data security controls to protect data from unauthorised access
- System Security – controls to protect the security of the networks, technology and systems that deliver essential services
- Resilient Networks & Systems – resilience is key to defending against cyber-attacks and maintaining the operation of essential services
- People Management – promoting a culture of continued learning and improvement across the entire organisation so that people become the strongest form of defence
- Security Monitoring – ensuring the council can detect and prevent security events and has the people to respond and assist with investigations
- Proactive Security Event Discovery – being able to discover malicious activity before it affects the operation of essential services
- Response & Recovery Planning – ensuring an effective incident management team is in place, with the right plans in place to respond and mitigate the impact of a cyber-attack
- Lessons Learned – performing response test exercises in order to continually learn and improve
Considering the sheer number of areas that need focus, it is no wonder that implementing cyber defences and increasing cyber resilience is seen as expensive. Combine this with the increasingly stringent demands of partners and third parties such as cyber insurance providers, and it is difficult to know where to start.
Norm. recommends that, in the first instance, Authorities should prioritise the following six steps:
- Understand your current cyber security posture – assessments such as our own Cyber Readiness Tool provide a simple and FREE evaluation of your current security posture so you can easily identify any gaps
- Get stakeholder buy-in – understanding your current posture lets you present the findings and obtain the stakeholder buy-in needed to improve the current position
- Leverage current investments – if you have already invested in cyber security technologies and software, how can you ensure they are managed to best practice? Outsourcing the management of those investments may be the most cost-effective way to let your internal teams focus on core business objectives
- Embed basic controls throughout – understand your vulnerabilities, secure your endpoints and implement multi-factor authentication as a minimum, so that a basic level of cyber hygiene is in place across the Authority. Your earlier assessment will identify the controls that should be in place
- Increase awareness throughout – 95% of breaches come from human error, so staff training and knowledge are key to building the strongest first line of defence
- Regularly review – the cyber threat landscape is always changing, so ensure you have access to key intelligence from across the industry and globally to continually reduce your cyber risk
There is plenty of guidance out there, specifically from the NCSC, which has produced assets such as Board toolkits, Password strategies, Defending from phishing attacks, Device Security Guidance, Risk Management Guidance, Digital Service Security and Exercise In A Box. All of these assets are very useful for educating yourself about the cyber risks out there and the measures to implement to mitigate them. However, they are only useful to people who have the time and inclination to seek out and read the guidance. Many people, particularly public servants, do not have the spare time to devote the appropriate level of attention to their organisation’s cyber resilience. So, who is going to implement all of this if there are no cyber security specialists within the authority?
On 25th January 2022, the first ever Government Cyber Security Strategy was announced to step up the defence and resilience of Britain. This new strategy is supported by an investment of £37.8 million to help local authorities boost their cyber resilience. But how do you find a cost-effective solution when there is so much noise in the industry?
The leading Managed Security Service Providers, such as norm., work with best-of-breed global providers such as Qualys, Fortinet, FireEye, CybSafe, Trellix and Microsoft to ensure that cost-effective solutions are implemented without sacrificing access to the latest and greatest security technologies and tools, which are usually only effective for multinational enterprise organisations with the resources to operate them in house.
As discussed earlier, cyber resilience is viewed across the industry in terms of 3 key pillars, which also align with the controls expected by insurers and the framework recommendations of The LGA Cyber 360.
These 3 key pillars are:
Process – Do you have the right information security processes and policies in place, and how can you tangibly validate that they are effective? The most effective way to do this, and at the same time demonstrate to local residents and businesses that their data is being processed securely, is to obtain a recognised information security certification, for example Cyber Essentials or ISO27001.
People – Are you regularly training your employees to make them the strongest first line of defence for your organisation and ensuring that they are confident and competent when it comes to cyber protection?
Technology – Have you invested in technologies that can identify where your vulnerabilities exist at any given moment, can spot an emerging threat within your environment, and give you access to global threat intelligence on any emerging threats that may affect your environment?
And the final piece to resilience is making sure you have the cyber specific skills and capabilities to monitor, manage and respond to all of this 24x7x365.
A managed service like smartbloc. from norm. should include measures that satisfy the above requirements, allowing you to focus on business as usual and ensuring you can deliver the local services required without interruption, while your outsourced provider takes care of your cyber resilience.
In summary, the cyber threat landscape is growing and there is great disparity between the cyber budgets of local authorities. It is difficult for local authorities to keep up with the threats, but there is plenty of support offered through the NCSC, the Cyber 360 framework and the Government Cyber Security Strategy. Whilst funding can be accessed, it can be a headache picking out the most appropriate cyber security measures for you. Whilst each local authority is different, leaning on an outsourced cyber security partner will allow you to benefit from cost efficiencies, expert guidance, and the peace of mind that your cyber security is being taken care of. Whether an outsourced solution is for you or not, it is important that your cyber security discussions start today to ensure that Britain’s most important services are protected.
Written by Sean Tilley
Sean is the Sales Director at norm. He brings decades of experience to his role, having worked in managed IT sales for 22 years. Sean is responsible for driving new business acquisition and scaling business operations in the UK, with particular focus on smartbloc., the fully managed cyber security service from norm.