Data breaches are an increasingly prevalent threat. Cyberattacks plague the business world. Government organisations and local authorities are constantly under attack and whilst news of these breaches can be eclipsed in today’s business-driven world, the impact on UK local authorities and their operations is staggering.
Local councils in the UK have had over 33,000 data breaches since 2017. In all cases, citizens were denied access to vital services, placing increased strain on the workload and budgets of local authorities. The authorities also had to deliver pay-outs to end-clients as part of the damages.
In the News: A report last year by Redscan, estimated that Local Authorities reported 700 data breaches to the Information Commissioner’s Office (ICO) in 2020 and at least 10 councils had their operations disrupted due to a breach or ransomware. A single council reported 29 data breaches to the ICO in 2020.
One of the most high-profile of these was a ransomware attack on Hackney Council, which forced critical services to be shut down for several weeks. Redcar & Cleveland Borough Council also suffered a cyberattack, leading to over 135,000 residents being unable to access critical services.
Incidents like these demonstrate that whenever an organisation has valuable data, cybercriminals will attempt to steal it, regardless of the human impact. With more council employees working remotely, and city and town centres becoming increasingly connected, the cyber security challenges facing councils are only set to grow in the future.
In October 2020, when attackers published data from Hackney Council and denied residents access to services, the data breach ultimately cost the council over £10 million.
How is the Data of Local UK Authorities Breached?
There are many ways in which data breaches can occur. The most common ones include ransomware, password guessing, recording of keystrokes, malware or DDoS (Distributed Denial-of-Service) attacks. However, the chief threat vector for data breaches amongst local authorities is phishing and other password-based attacks.
Additional Challenges for Local UK Authorities
Central and local government organisations are undergoing rapid digital transformation and moving public services online. The requirement to protect personal and sensitive data relating to staff, service users, and citizens are becoming increasingly challenging. The risks introduced by this shift towards cloud-based services are compounded by the need for remote/flexible working driving the necessity for resilient and, more importantly, secure IT systems.
With malicious attempts to gain access to secure digital environments becoming more sophisticated, the potential damage also increases. And this risk is further exacerbated by the human factor, which limits what people can reasonably be expected to do to uphold the organisation's security.
Consequences of Failure to Overcome these Challenges
The potential consequences of these risks include:
- Data Protection breach and consequent Information Commissioner’s Office (ICO) sanction
- Damages claims
- Reputational Damage
- Potential significant business interruption if systems require shutdown until the magnitude of the issue is investigated
- Loss or corruption of data
- Loss of critical systems potentially impacts the ability to deliver statutory services.
- Partners unable to discharge their duties
- Service user complaints
For more information about local UK Authorities' challenges, including but not limited to data breaches, please view the UK Public Sector and Local Authority Identity Overview Report.
Passwords are the Problem
In the case of phishing attacks, passwords are the common factor that empowers hackers to compromise employee accounts. With phishing attacks becoming increasingly sophisticated and realistic, it can be difficult for end users to differentiate a threat, even with training.
Brute-forcing passwords is another common attack vector. Modern computing technology is powerful and inexpensive. Where a hacker could take days or weeks to brute force an employee's password a few years ago, they can do it now in hours or minutes and, with the migration of local authority and citizen data to the cloud, there is a treasure trove of high-value data attracting malicious actors.
Password fatigue is a term that refers to the poor user experience of having too many passwords to remember. Disgruntled employees resort to reusing passwords or saving their passwords in computer files or mobile devices. They might even write them down on paper. Such activity poses an obvious security risk.
So how can local authorities balance the competing demands of assuring uninterrupted services for citizens, with limited funds whilst delivering digital transformation that doesn’t create additional security risks?
Here’s how Identity and Access Management (IAM) can address these challenges:
- Deploying an Enterprise Password Management solution that can be used to define and automatically enforce password policies on 3rd party cloud apps will significantly mitigate any risk of brute force attacks by ensuring long, random, unique complex passwords are being used as your local authority transitions services to the cloud.
- Combining this with Single Sign-On (SSO) capability that allows these newly created passwords to be hidden from users and automatically authenticates the user with their apps, means that users no longer know or manage the passwords. If they don’t know the password, it’s impossible for them to be phished.
- Furthermore, where the IAM solution supports integration of Multi-Factor Authentication (MFA), this can be used to create policies that enforce step-up and contextual MFA challenges for specific applications if desired.
Adopting an IAM solution that can operate seamlessly in the background also means that it can be deployed without training – users just launch applications and the IAM or SSO service takes over and automates the authentication process. No training, means no barriers to user adoption, and no barriers to adoption guarantees that maximum benefit and ROI is delivered from the solution.
If you choose an SSO solution that is capable of integrating with legacy Windows desktop applications this can help manage your transition from on-prem and legacy apps to the cloud easing the process of digital transformation.
If you'd like to find out how My1Login can help protect your organisation from the risk of data breaches, Book a Demo today.
