UK councils must improve cyber health

The UK's Ministry for Housing Communities and Local Government (MHCLG) has proposed the development of a cyber health framework for local councils after uncovering a number of potential shortcomings in their cyber posture.

The Ministry's digital collaboration unit, MHCLG Digital, plans to develop a framework that will act as a series of security standards and guidance that organisations can apply in order to achieve a minimum level of cyber resiliency.

Local authorities will also be able to use the framework to measure where they are against this baseline.

According to the agency, this baseline must encompass culture, leadership and 'cyber first' processes.

The cyber health framework is one of five priority areas identified as key areas of focus during consultations with stakeholders and local authorities.

Other priorities include working with local councils to formalise the role of the decision-maker for cybersecurity at the executive level, developing training and support programs for staff that fosters cyber responsible attitudes and behaviours, and establishing a professional network of cybersecurity professionals from local authorities to share threat information.

Finally, the agency will provide support to councils to address a shortcoming identified during its initial research into how to help local authorities reduce the incidence and impact of cyber attacks, and support sustainable cyber health.

This shortcoming involves local authorities' susceptibility to malware — particularly ransomware — with a number of local authorities having been targeted in recent attacks.

MHCLG Digital said it is currently submitting bids to secure funding for pursuing these aims.

The review also found that there is no consistent understanding of what cybersecurity entails among local authorities, including over what constitutes a breach. Awareness of cyber risks can also vary significantly within a local authority, with non-IT council staff often unaware of their responsibilities in contributing to cyber health.

Meanwhile, analysis of cybersecurity risk is inconsistently completed when procuring non-IT and IT service, and councils have failed to take advantage of the economies of scale that could be achieved through joint procurement of IT and cybersecurity contracts, MHCLG Digital said.

Other potential barriers to achieving greater cyber health include a lack of leadership support for undertaking the work necessary to embed standards and best practices across the organisation, and an over-reliance on inherently less secure legacy technology.

Image credit: ©stock.adobe.com/au/jamesteohart