UK councils reported more than 700 data breaches to the Information Commissioner’s Office (ICO) during 2020, according to data disclosed under the Freedom of Information (FoI) act to managed security services provider (MSSP) Redscan.
Redscan received responses from over 60% (265 of 398) of borough, district, unitary and county councils in England, Scotland, Wales and Northern Ireland, and found evidence that cyber security across local government in the UK is, by and large, disjointed and under-resourced, leaving councils in charge of highly valuable personal data while unprepared for cyber incidents.
The report said that with towns and cities becoming more data-driven and interconnected, the possibilities for disruption arising from cyber incidents would only increase in 2021, so to minimise future risk, councils should be doing more to continually evaluate their security posture and controls to keep pace.
Redscan CTO Mark Nicholls said: “There is significant room for councils to improve their readiness to tackle current cyber risks, as well as those that will emerge in the future as cities become smarter and more connected.
“Every council has thousands of citizens depending on its services daily. Going offline due to a cyber attack can deny people access to critical services. To minimise the impact of data breaches, it is important that councils are constantly prepared to prevent, detect and respond to attacks. While our findings show that councils are taking some steps to achieve this, approaches vary widely and, in many cases, are not enough.”
The report revealed that, on average, councils reported 1.77 breaches, with county councils reporting the most – 4.66 on average – and city, borough, district and unitary authorities reporting 1.45 on average. There was also a strong correlation between the size of the council – in terms of headcount – and the number of reported breaches. Those with over 2,000 employees reported an average of 2.6 breaches, but those with fewer than 2,000 employees reported an average of 0.8.
The data also highlighted some outliers, with one city council reporting 29 breaches in the space of 12 months – more than double the number reported by any other authority. Another revealed it had reported 15 in 2019, and eight in 2020.
A notable number of councils also experienced incidents that affected their ability to deliver citizen services – 10 reported that daily operations were disrupted because of a breach or ransomware in 2020, two of the most well-publicised ransomware victims being Redcar & Cleveland and Hackney.
The report also contains data on the extent of local government spending on security training – revealing that four in 10 councils spent no money on training programmes in 2020. Collective spend on training was £1.5m, working out at about £1.58 per employee. Among those councils that did spend, the average total invested in training programmes was £3,443, higher in Yorkshire and Humberside and London, but lower in Wales and Northern Ireland.
Notably, the council that spent the most on training – £38,873 – was also the one that reported the most breaches, suggesting that its high number of ICO reports may be a result of increased awareness among staff about what constitutes a data breach, as opposed to an increased number of incidents.