Local authority cyber defences are often a public concern. In October 2017, cloud data intelligence company OnDMARC discovered that of 152 council domains analysed, 84% had not implemented the Government-backed protocol for securing email systems against phishing attacks.
Then there was the global chaos of WannaCry, which shut down 40 NHS hospitals in England and Scotland in an attack that “could’ve been prevented ” had their security been up-to-date. An earlier assessment of 88 out of 236 trusts by NHS Digital found that none passed the required cyber-security standards.
Four months earlier, the Information Commissioner’s Office fined Gloucester City Council a massive £100,000 after a cyber attacker, who claimed to be a member of notorious hacking group Anonymous, accessed council employees’ financial and sensitive personal information.
Cllr Paul Bettison, chairman of the LGA’s Improvement and Innovation Board, says that “protecting data successfully from computer hackers… is a top priority for councils”. However, the LGA is concerned about the lack of funding. Local authorities share an enormous amount of personal and sensitive data and cyber attacks are up to more than 700 a day – it’s an intimidating and expensive challenge for them.
So what should local authority leadership teams be doing now to improve cyber security?
Applying GDPR to local authorities for cyber resilience
Cyber resilience is all about protecting data, and the new General Data Protection Regulations (GDPR) aim to do just that. It was set up to give individuals more control over their data and to improve personal data security in today’s quickly advancing digital world.
Here are six tips to help you gear up for GDPR compliance.
- Make sure you have an Information Asset Register .
- Use Data Protection Impact Assessments (DPIAs) before using new technologies or data processing systems that could potentially put personal data at risk.
- Familiarise yourself with the Local Public Services Data Handling Guidelines .
- Identify all personal data sets. Make sure they each meet the GDPR requirements, and that you can provide evidence of this.
- Make sure all data processors are aware of and prepared for the changes and that you have GDPR compliant contracts in place.
- Be prepared to demonstrate that you have taken reasonable steps to avoid a data breach, including introducing relevant policies and staff training .
What your local authority leadership team must do
Chief executives
- Set overall expectations on institutional risk appetite . For example, specify the levels of security required and any compromises that may have to be made.
- Reinforce behavioural changes in the senior management team. Advise them, for example, on how to handle sensitive material.
- Make appropriate funding available for GDPR and cyber security.
Business unit operating executives
- Incorporate cyber security considerations into services, customer and location decisions.
- Communicate the need for behavioural change.
- Make sure your BU operating executives understand how to prioritise risk and have a formally articulated risk appetite in play.
You will also need a GDPR project plan, so that if you are unfortunate enough to be pulled up by the Information Commissioner, you can prove that you are working on compliance.
Service executives (eg finance, HR etc)
- Synchronise your cybersecurity strategy with corporate policies. For example:
- Induction packs should share your GDPR/cybersecurity policies
- Permissions: if people move role and no longer require access, take it away. This helps prevent malicious attack from a disgruntled employee, for example. Make sure you log who has access to what and why.
- Integrate cybersecurity into your quality and compliance programmes.
- Incorporate cybersecurity into your regulatory and public affairs agenda. For example, in case of a data breach, make sure your execs are trained on incident management and how to communicate to the general and social media. This should help them manage reputational damage, which can become an especially sensitive issue in the run up to an election, for example.
Chief Risk Officer
- Make sure your enterprise risk methodology accommodates cybersecurity risks
- Incorporate your prioritised cybersecurity risks into your enterprise risk report
Chief Information Officers
Note first that from a GDPR, business continuity and cyber resilience viewpoint, your IT team is only responsible for service provision. The data, the information and the process belong to the business owners, not IT.
- Make sure your cybersecurity programme supports your risk appetite, and that the business strategy is in place and on plan.
- Drive changes across IT.
- Engage effectively with the Board.
Data Protection Officer (DPO)
- Your DPO must report directly to the highest management level in the organisation.
- Cannot be instructed on how to do their data protection work or be disciplined for doing it.
- Must be fully qualified.
If you need help with GDPR, Me Learning has developed a series of courses aimed at local authorities. To find out more or to sign up for the next webinar, click here .