Solace blog

11th November 2016

Cyber security in local government: The great enabler

Cyber security is hitting the headlines on an increasingly frequent basis. The reason is quite simple. More and more business, whether commercial or government, is being moved to digital channels, and this is greatly increasing the opportunities and prizes for cybercriminals. In this industry, hacks make headlines, as executives at Yahoo and TalkTalk will be only too happy to confirm.

When I have conversations with those in local government tasked with drastically reducing costs whilst maintaining, and even improving, service levels – ‘digital transformation’ is almost always the focus. Local authorities simply cannot deliver the budget reductions being imposed upon them without doing things differently, whether that’s using data analytics to improve the efficiency of refuse collection, or allowing citizens to access more services online.

There is no doubting the ability of modern digital technologies to benefit councils and their local citizens. However, such transformation isn’t a panacea and it isn’t straightforward. Unless local authorities consider cybersecurity from the outset of designing new digital services, outcomes will always be at risk. Consider an elderly or disabled citizen that has made extra effort to interact with the council digitally, only to then discover their sensitive medical or social care data has been lost or stolen. Such an incident would fracture confidence in online services and likely encourage a move back to traditional channels, which are no longer sufficiently resourced to cope with the heightened demand.

Unfortunately, I have seen such events unfold over the years. What’s actually required is a thorough assessment from the outset, which identifies the cyber risks inherent in any service as it becomes digital. The local authority needs to understand the various risks and make a judgment about which it is comfortable taking and which it isn’t. Cybersecurity should never be a ‘bolt-on’ or an afterthought, not least because it tends to be significantly more expensive when approached that way.

Similarly, assigning responsibility for cybersecurity to another entity should also be undertaken with a great deal of thought. The ability for councils to host data and to access IT infrastructure from sophisticated cloud providers is another great development. Such an approach reduces costs and improves scalability. However, on occasion, I have come across organisations that consider themselves protected because their data is held by Amazon or Microsoft in the cloud. It’s true such firms are excellent at preventing attacks aimed at their clouds but that’s not the whole picture.

There is still a range of vulnerabilities, such as insider threats or access rights, which are not, and never will be, the responsibility of the cloud provider. Indeed, training users of systems in security best practice to prevent data loss is another example. Here again, the council must have a clear view of its compliance obligations.

Such obligations are about to increase too. The General Data Protection Regulation, or ‘GDPR’, is due to come into force in May 2018. This new regulation will see mandatory breach notification and fines as high as 4% of global turnover for organisations that fail to adequately handle and protect sensitive data. Chancellor Philip Hammond recently reaffirmed the UK’s commitment to the GDPR when presenting the UK’s National Cyber Security Strategy in November, suggesting any eventual Brexit will not render GDPR redundant. The Information Commissioner’s Office also fined TalkTalk a record £400,000 for its breach last year. Needless to say, the GDPR is catching the attention of senior management and is helping to foster greater investment in cybersecurity best practice.

Whilst embarking on or accelerating digital change, it is of the utmost importance to design new services securely from the outset. Such an approach helps to reduce risk, ensure compliance and ultimately is an enabler for digital service provision. Investment in cybersecurity is often wrongly viewed as a straight cost but, particularly in a local government context, I assert it is essential to unlocking the cost efficiencies offered by digital transformation.

www.cgi-group.co.uk/security

By Andrew Rogoyski, UK Head of Cyber Security, CGI