Cyber-attack learnings for Local Government
In January the Government announced that local authorities will receive £37.8m to boost their cyber resilience.
The funding has been announced as part of the Government's first ever Cyber Security Strategy to make public services more resilient against hostile cyber-attacks.
The plan includes the creation of a new Cyber Coordination Centre to help transform how data and cyber intelligence is shared across the public sector.
Figures show the National Cyber Security Centre dealt with 777 incidents between September 2020 and August 2021, with around 40% aimed at the public sector.
Chancellor of the Duchy of Lancaster, Steve Barclay, said: 'The cyber threat is clear and growing. But government is acting - investing over £2bn in cyber, retiring legacy IT systems and stepping up our skills and coordination.'
The impact of cyber-crime is more than just financial
A new report has revealed that a ransomware attack in February cost Redcar and Cleveland Borough Council more than £10m.
The report states: 'In terms of our response to the cyber-attack, the council acted quickly and effectively, working extremely hard to mitigate the effects on our key services and most vulnerable residents.
'However, the attack did permeate almost all functions of the council, and the required response and consequential impacts will have a bearing on the council’s finances.'
Real world learnings
What can be learnt from the personal and organisational experiences gained from living through an attack of this nature?
All too often, response and continuity planning for situations like this is lacking, though not through lack of thought. The academic exercise is often highly detailed and on paper would appear very effective, but in a real-world incident other factors have a significant impact, and these can be overlooked in a logical and systematic exercise.
Many plans underestimate the impact of the human element, and the extraneous pressures from media and external interested parties that can add to an already volatile and challenging situation.
We spoke to Jez Rogers, Cyber security advisor and part of the South East Organised Crime Unit (SEROCU), about the learnings direct from an affected organisation, to hear his, and their, advice on how best to prepare in case the worst should happen.
We have also created a downloadable checklist to help you put your response plans together.
OK right we're going to talk about a local government incident now.
We've had a full debrief from this local council, but at the moment it is still restricted and so I cannot talk about who they are and I'm not going to go into the full detail, but regardless of that, I pulled out some key points that this Council were brave enough to share.
It's a high level look at it, but these are elements that you need to consider regardless of the size of your organisation.
So, what was the scenario? Very basic and very, very common. It was an out of hours ransomware attack which encrypted around 95% of the local authority data. Personal shared drives together with work devices were unusable. It happened over a weekend.
IT did pick it up.
However, regardless of what they tried to do, by the time everybody came into work on Monday morning, they had nothing.
And I mean nothing.
They entered a world of pain as a local authority. All the services that they’re clearly responsible for, they could not deliver in the way that they had been.
So, what points do you need to consider?
And I've taken these in the order that these key learning points have been presented in their debrief, which I think works well.
So immediate considerations for a senior leadership team being involved in this.
This is all part of planning and you need to have a plan. And however good you think your plan is, the advice from this local authority is it isn't. Go back and have another look at it.
Do you have travel out of hours arrangements?
And think about that across all of your capabilities. It's not just IT.
What can you do out of hours if you need to? Because criminals unfortunately are quite good at this. As much as I hate giving them any credibility, they won’t attack you on a Tuesday morning. It will be over the weekend.
How will you communicate with your partners in an attack, and during that attack?
How do you communicate?
What are your methods of communication?
Where's all that information stored?
Do you have easy access to records for your key system, services and office locations?
What backups do you have?
Now with your plan: one, do you have it? But do you regularly discuss it?
Cyber security needs to be an individual element of your risk register. It can't just be bolted together with some other stuff. This is massive.
Some key learnings in cyber incident planning:
Do IT leads and business continuity planners in your organisation work together to prepare for these eventualities?
I mean really work together.
IT don't own this risk at all. They are the technical strategic advisors.
This needs to be owned at an appropriate level.
So, who owns business continuity?
Do they sit with IT and make sure they understand each other and what each other is going to do and what it means to each other?
What are you doing to educate yourself and your staff about cyber risks and impacts?
What is the staff awareness training you're doing? What about senior leadership training?
There are lots of options out there. Law enforcement provides an awful lot of support to local government. And it doesn't cost anything. And there are other options.
But if we're asking for your staff to be aware, you need to teach them. If we're asking for you as senior leaders to be aware, you need to organise that and teach yourselves, you need to understand this. You don't need to become a technical expert, you just need to understand the basics so that you've got a grasp of it.
When the worst happens, what are the expectations of your IT department?
Are they reasonable? Whether it's internal or external, you're going to be relying on them an awful lot.
And you might have to take some of the pressure off.
So, what resilience have you got?
Do you have safely stored copies of plans and key documents?
Because if it's all online, you've now lost it. Where is your battle box?
What do you have if the worst happens, what can you access?
The next set of considerations comes under coordination and leadership.
Who would form your cyber incident management team? You need to sit and think about that, because you're going to be asking people to do things they've probably never done before.
And the pressure is on now because you've got access to nothing, you are not delivering the services which the public expect.
This needs to be as slick as possible, and it's not going to be slick. It's going to be ugly.
But who would form your incident management plan and why?
How will you prioritise your actions? There's going to be an awful lot going on, and an awful lot going wrong. You need to understand what your priorities are.
How will you communicate your priorities through your organisation and beyond? Because all your traditional methods of communication are gone.
What are you going to do?
And how will you maintain the confidence and trust of your staff?
Again, you're going to be asking them to do some really strange stuff, perhaps work some extended hours, come up with workarounds for all the systems they can't access. And also don't forget, as well as all your client data or your customer data you've lost, you've lost their data as well: HR, pension, payroll.
So they could be worrying about their own cybersecurity. How could that information be used against them? They need to have confidence in you.
And we extend that.
What is the human impact of this?
How will you bring in additional support and expertise?
Who will that be?
Is it an external incident response team?
If there is a cost implication, do you have arrangements with other organisations that perhaps you could swap staff – possibly something to consider?
Now everybody is going to be nose to the grindstone. So how will you make sure everyone, including you as leaders, have some time off?
Yeah, this is going to go on for a long time. People need to have rest and it might need to be enforced because everybody is going to want to solve it. This could go on for weeks or months or, as we're going to hear at the end of this, years.
What wellbeing and staff support will be in place?
What is in place now?
What can you increase?
It is your staff that are going to get you going again. You need to look after them.
What can you do to minimise the impact on staff if and when this happens?
Communication and reporting.
Communication is the art of everything, isn't it? The answer to most things.
Do you have a communications and media plan for a ransomware attack?
It's horrible and we all see those nonsense messages that come out in the press from organisations that have been the subject of a ransomware attack: "We take your data really important. We take the security of your data really importantly." Well, clearly you don't, 'cause you've lost it. Or the other one is: "Don't worry, we haven't lost your credit card data, all we've lost is your name, date of birth and address." Yeah, thanks very much. My credit card I can change.
My name, date of birth and address I can't.
Think about what your comms policy is going to be, what your media strategy is going to look like. Think about it now, you’ll probably need to change it, because it won't be completely fit for purpose. But don't start making it up when it's happened. Have some templates ready to go.
How will citizens contact you?
How will you get news out to all of the people you offer services to? Think about it. Have that plan.
What about partners? They'll now be concerned about you as part of their supply chain.
How are you going to communicate with them?
What safe systems have you got in place so that you can make contact with third parties that are important to you and they are convinced it's you? And that this isn't just an extension of the cyber-attack by the criminals pretending they are you.
Think about your supply chain, how you support each other.
What reporting and briefing templates could you prepare in advance? Again, it's all about planning. There is no point in being sat there when this is happening and having to start from scratch, at least have something to refer to and evolve.
Now finally, I'm going to directly quote the CEO of this local authority because I think the points that they make are really, really pertinent.
“At first, we didn't truly understand the impact and nature of the attack, how it wiped us out, or what it actually means to an organisation to lose everything. Including website, telephones, printing, laptops and databases. I asked myself, how do you? How do you in the modern age deliver a service if you've lost all of that?”
The next quote.
“The risks to service delivery. The toll on staff, the media pressure and the financial costs. The impacts across the organisation were huge. Over a year later, we still consider ourselves to be in some form of recovery.”
And his final quote was:
“Council Culture needs to change. The conversation needs to be had.”