Staff worked into the evening and Saturday morning to monitor the impact, carry out tests and brief key people. We were ready to act, and had a plan. That did not happen by chance. It reflects the anxiety we have about cybersecurity.
My council recognised cybercrime was emerging as one of the top risks for our organisation, so last summer, despite so many other competing priorities and demands, we began to develop a dedicated cybersecurity plan.
We sent a dummy ransomware message to 1,500 staff, asking them to enter login and password details – and 17% did so.
We identified a lead champion for cybersecurity, a talented and enthusiastic officer who was given a clear mandate from our senior team to promote awareness, ask difficult questions and highlight parts of the organisation most at risk in terms of culture and practice. She commissioned external tests of our resilience to cyberattack, presented an analysis to our leadership team, assessed the effectiveness of our application of patches to respond to system issues, trained our staff, and developed an emergency response plan. This process highlighted the scale of the issue, making it clear that within the previous nine months we had experienced 289,000 viral attacks to our systems.
Most importantly, we tested our resilience to assess how the workforce would respond to a cyber threat. Our ICT team sent a dummy message to 1,500 staff, involving various stages including finally asking staff to enter login and password details. The results were sobering. We had the expected surge in calls to the helpdesk, and many spotted clues raising doubts on authenticity, but many didn’t, with 17% of staff going through stages which would have enabled a ransomware attack to succeed.
This shows us there is still more we need to do. If you haven’t done something similar, I would strongly recommend it. Assessing your organisation’s current risk in terms of people and systems is the first thing I would undertake. Second, develop a response plan, and be prepared to test it. Any investment is difficult in the present financial environment, but this should be set against the huge financial costs and reputational costs in the event of system failure. And of course, cybersecurity should be built into contractual arrangements with all suppliers.
Despite all the concerted efforts to tackle cyberattack, we never think it cannot happen here. According to a guide on local cyber resilience published by the Department for Communities and Local Government in March 2015, on average, it is estimated that 33,000 malicious e-mails are blocked from accessing public sector systems every month. It is similar to protecting a house from burglary: we can lock the doors and windows, get CCTV, and invest in ever more sophisticated systems, but the combination of human fallibility and a determined assailant can break through this.
The local government sector needs persistence and determination to tackle cybercrime, as I know well from my role as deputy spokesperson for civil resilience and community safety for the Society of Local Authority Chief Executives and Senior Managers (Solace). Solace recognises the importance of raising awareness of this issue and we have taken part in ongoing discussions about with colleagues at the Department for Communities and Local Government (DCLG), the Local Government Association (LGA) and other sector bodies and partners about how to take this agenda forward, and following last week’s incident, Solace has been working together with LGA and DCLG on coordinating the local government response.
Going forward, it is important to recognise that councils’ relationship with technology will be a defining element of public services in the future, and threats to our systems ever present. We need to be as ready as possible.
The original version of this article was published on The Guardian’s Public Leaders Network on Monday 15th May. It can be found here: https://www.theguardian.com/public-leaders-network/2017/may/15/nhs-cyberattack-protected-council-cybersecurity
Please see below some resources that might be useful
NCSC Statement on last week’s cyber-attack
Advice on how to deal with the ‘WannaCry’ malware
NCSC advice on patching systems
NCSC latest information
How to report an incident
Open source write up of the situation from Microsoft
A patch for XP from Microsoft
Link to Resilience Direct