Dave Richardson MBCS, ICT and Digital Services Business Manager at Newark and Sherwood District Council, explains how local authorities can lead by example in tackling the information security challenge.
Local government has not always been known for being revolutionary. This is largely due to a mixed public perception of what it ought to prioritise: health and social care, environmental issues, economic growth, tackling anti-social behaviour, improving lives, social housing… the list goes on. Throw in the cost-of-living crisis while balancing the public purse, and it becomes especially challenging — even more so with each local authority (LA) providing a differing range of services and running different ‘businesses’ all under one roof.
However, LAs do have a major advantage over other sectors: they form strong communities, networks and partnerships that are all working towards a common goal. These networks and partnerships are hugely valuable when it comes to information security, with many regions across the UK having well established Warning, Advice and Reporting Points (WARPs) and Cyber Technical Advisory Groups (CTAGs).
The digital world is constantly evolving, with mass digital transformations and hundreds of new cyber vulnerabilities each day, so the information security challenge may seem like a thankless task — especially when you consider that at any moment one wrong click could ruin all the best laid plans.
The way Newark and Sherwood District Council has approached this is transformational: from having an audit report with room for improvement back in 2018, it is now piloting a brand new Cyber360 programme with the Local Government Association (LGA) in order to provide value to its community.
Finding the catalyst, like Newark and Sherwood District Council’s audit, to start your information security transformation programme should be the easy part; acknowledging failings is the hard part.
Starting your journey
In order to get senior management and stakeholders invested, it is important to strategise and define a goal immediately. In some instances, this doesn’t happen, leaving the project feeling directionless — but small steps at the beginning can make a big difference at the end.
Horizon scanning, visioning and whiteboarding sessions can help you identify your goal. Alternatively, look to your peers: what are their strategies and plans? Can you reach out to your network, or examine a central strategy for your industry? Can you utilise elements from a range of sources to your benefit? You can also utilise third parties to your advantage — know that this doesn’t necessarily mean additional expense.
Thread your findings in with your existing company strategies and plans, focusing especially on the overall business, digital and IT strategy. Once you have consolidated the strategic vision, you will be in a better position to own the situation and establish the current base and starting point.
Quick wins can be achieved by benchmarking with peers and leaders in your industry, as well as through reviewing internal and external audits, previous health checks, the whole estate’s assets and vulnerability scans and any near misses or breaches within your industry. Free and open material such as government information is also an important resource.
To maintain a cyber security conscious culture in the longer term, it’s important to communicate frequently with your teams, business and stakeholders on information security, and to conduct continual assurance and checks. It’s also important to invest in staff and training, and to sense check and gap analyse existing frameworks (for local authorities, this could mean frameworks such as ISO 27001, Cyber Essentials, PCI DSS, PSN or CAF).
Reporting the vision
After presenting the report and strategy to Newark and Sherwood District Council, a member of the board fed back that it was common sense. It may appear that way – but it’s the feedback and engagement incorporated into the strategy that will change the culture.
Organisations must include metrics and performance objectives as outcomes and success factors in their strategy or plan. These could be as simple as ascertaining that a 5% click rate on phishing simulations is good, or that achieving 95% removal and 5% mitigation of critical vulnerabilities within 14 days is a positive step. Creating such a culture of learning rather than blame can improve the security posture of your company and set an example to other industries.
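The two metrics quoted above (a phishing simulation click rate and the share of critical vulnerabilities removed or mitigated within 14 days) are easy to state but are often measured inconsistently, especially around findings whose deadline has not yet arrived. The following is an added worked example, not code from the council, the LGA or any named framework; the field names, the 14-day window, the sample findings and the simulation figures are all constructed for illustration.

```python
"""Worked example: computing the strategy metrics quoted in the text from
constructed data. Not the council's or the LGA's own reporting code."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional


@dataclass(frozen=True)
class Finding:
    """One vulnerability finding as exported from a scanner (constructed schema)."""
    asset: str
    severity: str            # "critical", "high", ...
    found: date              # date the finding was first reported
    closed: Optional[date]   # None while the finding is still open
    outcome: Optional[str]   # "removed" (patched/decommissioned) or "mitigated"


def phishing_click_rate(delivered: int, clicked: int) -> float:
    """Percentage of delivered simulation emails that were clicked."""
    if delivered <= 0:
        raise ValueError("delivered must be positive")
    return round(100.0 * clicked / delivered, 2)


def critical_vuln_kpis(findings: List[Finding], as_of: date, window_days: int = 14) -> dict:
    """Share of critical findings removed / mitigated inside the window, and the
    share that breached it. Only findings whose deadline has already passed by
    `as_of` are scored, so newly reported items do not inflate the overdue figure
    before their 14 days are up."""
    window = timedelta(days=window_days)
    in_scope = [f for f in findings
                if f.severity == "critical" and f.found + window <= as_of]
    if not in_scope:
        return {"in_scope": 0, "removed_pct": 0.0, "mitigated_pct": 0.0, "overdue_pct": 0.0}

    removed = mitigated = overdue = 0
    for f in in_scope:
        if f.closed is not None and f.closed - f.found <= window:
            if f.outcome == "removed":
                removed += 1
            elif f.outcome == "mitigated":
                mitigated += 1
            else:
                raise ValueError(f"{f.asset}: closed finding needs an outcome")
        else:
            overdue += 1  # still open, or closed after the deadline

    def pct(count: int) -> float:
        return round(100.0 * count / len(in_scope), 2)

    return {"in_scope": len(in_scope), "removed_pct": pct(removed),
            "mitigated_pct": pct(mitigated), "overdue_pct": pct(overdue)}


def assess(click_rate: float, kpis: dict,
           click_target: float = 5.0, removed_target: float = 95.0) -> dict:
    """Compare measured values with the targets quoted in the strategy text:
    <=5% click rate; >=95% removed, remainder mitigated, nothing overdue."""
    return {
        "phishing_ok": click_rate <= click_target,
        "removal_ok": kpis["removed_pct"] >= removed_target,
        "window_ok": kpis["overdue_pct"] == 0.0,
    }


# Constructed sample: eight criticals patched inside 14 days, one mitigated,
# one still open past its deadline, one too recent to score, one non-critical.
AS_OF = date(2024, 3, 31)
SAMPLE_FINDINGS = [
    Finding(f"srv-{i:02d}", "critical", date(2024, 3, 1), date(2024, 3, 4 + i), "removed")
    for i in range(8)
] + [
    Finding("db-01", "critical", date(2024, 3, 1), date(2024, 3, 10), "mitigated"),
    Finding("web-03", "critical", date(2024, 3, 1), None, None),    # open: overdue
    Finding("web-04", "critical", date(2024, 3, 25), None, None),   # deadline not reached
    Finding("ws-17", "high", date(2024, 3, 1), None, None),         # not critical
]


def sample_report() -> dict:
    """Run the metrics over the constructed data (200 simulation emails, 9 clicks)."""
    click_rate = phishing_click_rate(delivered=200, clicked=9)
    kpis = critical_vuln_kpis(SAMPLE_FINDINGS, AS_OF)
    return {"click_rate": click_rate, "kpis": kpis, "verdict": assess(click_rate, kpis)}


if __name__ == "__main__":
    print(sample_report())
```

The point of scoring only findings whose window has elapsed is that a board report taken mid-month should not show a newly discovered critical as a failure; the same finding is scored once its 14 days have passed, so the overdue figure reflects genuine breaches of the target rather than timing.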
Maintaining senior management’s interest in cyber security initiatives can be achieved with a carrot and stick approach. The stick comes in the form of reminding them that security is the responsibility of the Board; reframing the issue as simply ‘security’ rather than ‘cyber security’ (which suggests an IT concern) is a good reminder that the buck stops with them.
Reports on progress against the ongoing strategy can be a great carrot. They are especially useful to senior management when they are threaded back through existing business plans and clarify how sector-specific threats are being combatted; outlines of the potential savings in financial or reputational costs of a data breach or other cyber attack are a great incentive.
Leading by example
Often, we hear of software companies taking security lightly, and we acknowledge that the supply chain is becoming an even bigger risk as we migrate more services to the cloud and to other services and platforms with their own unknown supply chains.
We tend to respond to this lack of certainty by using various frameworks and supplier management tools which impress our security culture onto others. This practice has been acknowledged within the Cyber Essentials scheme, which posits that Multi-Factor Authentication (MFA) should be provided on all cloud services and that compliance with Cyber Essentials is not a risk-based approach, regardless of whether the supply chain is ready for this change.
This direction is refreshing: once we have these basics right and our own house in order, we can influence others, and it is only then that we can truly add value for our customers. We are not only making IT good for society through the services we are directly responsible for, but also encouraging others to do so through outside services.
This value-based approach drives wider cultural change, and can encourage local authorities to provide value-added services to businesses and residents. Under the Local Contingencies Act 2004, local authorities have a duty of care to warn and advise the public during times of emergency; they should do more to signpost resources such as the National Cyber Security Centre (NCSC) and Action Fraud, and provide information on best practice to help the UK stay protected in cyberspace. They should also invest further in narrowing the digital divide, as those who are left behind may require additional support when it comes to online security.
Talking openly and honestly about cyber security, knowledge sharing amongst peers and colleagues, and implementing a ‘learning and no blame’ culture should be among the first items on a strategic action plan. A good understanding of your own information security will help improve your security culture, which in turn will influence others. Ultimately, this will help us achieve our biggest aspiration of creating a security conscious world.
Value-added services provided through local authorities will be a vital step in increasing cyber security awareness and fluency. As we reflect and learn, making use of the apprenticeship levy in information security is hugely beneficial in bridging the skills gap; we should all keep a lookout for funding grants, and make use of free services from the NCSC and other sources.
Overall, it is down to us all to help achieve information security transformation.