Figures gathered by insurance broker Gallagher through the Freedom of Information (FoI) Act have shown that UK local authorities were hit by an average of 800 cyber-attacks every hour in the first six months of this year.
Problem could be bigger than figures show
The figures, which were based on the 203 (out of 408) local authorities that responded, showed there were more than 263 million incidents in the first six months of 2019. This could mean that even though 76 local authorities reported a cyber-attack between January and June 2019, the fact that only half of UK local authorities responded to the FoI request could mean the problem may be proportionately much worse than even these figures show.
What kind of attacks?
Gallagher’s collected information shows that since the beginning of 2017, 17 of the attacks reported by respondents related to loss of data or money, with an average cost to the victim of around £430,000. Gallagher’s figures also show that only 13% of councils have a standalone cyber insurance policy, meaning that most councils are risking potentially heavy fines under GDPR for any breaches.
Why a target?
Local authorities and other public sector organisations are attractive targets to cyber-criminals because they hold large quantities of personal data and, perhaps due to a lack of funding and/or getting the most out of IT spending, they may be running older, less secure systems. Also, they have a large number of employees who may lack education about an training in data and cyber-security.
Education a target
Universities, colleges and schools are also targets for cyber-criminals because they tend to have large numbers of users spread across many different departments, different facilities and faculties, and data is moved between these, thereby making admin and IT security very complicated. Also, universities have a lot of valuable intellectual property as well as student and staff personal data within their systems which are tempting targets for hackers.
Back in July, for example, Lancaster University, which offers a GCHQ accredited cyber-security course and has its own Cyber Security Research Centre was hit by a phishing attack, resulting in the leak of the personal data of new university applicants. Also, in 2018, The Information Commissioner (ICO) fined the University of Greenwich £120,000 for a data breach that left the personal details of thousands of students exposed online.
A National Cyber Security Centre report recently revealed that the UK’s universities lost almost £150m from cyber-attacks in the first six months of 2018 alone.
Lost mobile devices
Lost mobile devices, many of which may provide access to cloud-based data, are also known to be a problem for government bodies. For example, an FoI request in July by MobileIron found that government staff had lost 508 mobile and laptop devices between January and April 2019.
What does this mean for your business?
These figures make worrying reading, especially at a time when council budgets are very limited. Local authorities are already facing serious decisions about what to prioritise in terms of investment, but GDPR and a duty to protect the privacy and security of local authority customers and staff should mean that data security is kept high up the agenda. Part of maximising the value of investments in data security for local authorities should include ensuring that training and software are put in place to enable a more proactive approach to attack prevention and that staff are educated about threats, and how to spot (and what to do with) suspicious communications by email, social media or other means.
Gallagher’s figures may also serve as a reminder to local authorities that it may be a good idea to make sure, in the light of the sheer number of threats (only one of which needs to get through), that they have a good cyber insurance policy in place.