Most UK councils have outdated cybersecurity, cannot afford cost of a breach

Almost two-thirds (59%) of senior leaders at UK councils says their approach to cybersecurity is outdated and that they are unable to afford the cost of a security breach. That’s according to new research by ERP SaaS provider TechnologyOne, who surveyed more than 500 senior managers at local authorities across the UK. The survey found that only a quarter ranked cybersecurity in their top three priorities whilst 26% acknowledged they have made “no progress” on upgrading cybersecurity.

UK councils have been battling with increasing numbers of cyberattacks over the past few years. In 2020, both Redcar and Cleveland Council and Hackney Council faced ransomware attacks that had significant financial impacts on their services, resulting in £10 million and £12 million worth of damages, respectively. The following year, a similar attack hit Gloucester City Council, affecting benefit payments, planning applications, and electoral data. The estimated cost to taxpayers for the council to rebuild its servers stands at around £845,000. More recently, Sefton Council has said that it is fighting off over 30,000 cyberattacks a month, a rise of 50%. Meanwhile, a delay to critical IT updates has led Bristol City Council to acknowledge that it is facing an increased risk of cyberattacks. UK councils were hit by 10,000 cyberattacks every day in August 2022, a 14% rise from the previous year.

Cyberattacks on councils are costly, pose a threat to democracy

The survey found a stark difference between the perception of councils and their residents, with 79% of residents believing that the online experience with their council is secure, while two-fifths of councils (38%) think the opposite. The councils falling behind most on cybersecurity are those in the South West, Yorkshire, North West, and Scotland, according to the research.

Cyberattacks on councils are costly for taxpayers and pose a threat to democracy, so its key that the UK government provides funding to help local authorities invest in modern IT systems that act as a first line of defence against cybercriminals, said Leo Hanna, executive VP, TechnologyOne. “This includes helping councils to move away from legacy, on-premises systems and upgrading instead to cloud-based SaaS. Systems held together by gaffer tape and chewing gum still deliver mission-critical services at local authorities across the country, but they need to be urgently overhauled if they are to remain secure.

Most councils would prefer to invest in quality teachers than frontline IT experts, Hanna admitted, but the reality is that the cost of an incident can be catastrophic and have lasting financial impact on a local community.

Bringing local UK council cybersecurity up to speed

The UK government’s National Cyber Strategy 2022 includes focus on making the public sector more resilient to external threats and bringing local council cybersecurity up to speed. “Our focus is also on making the public sector more resilient, helping councils protect their systems and citizens’ personal data from ransomware and other cyber-attacks,” it reads. A key recommendation is increased investment to enable law enforcement to pursue investigations at scale and pace, as well as a major step up in data sharing between the government and industry.

A whitepaper titled “A Councillor’s Guide to Cybersecurity” sets out guidance for improving the security of local councils, outlining the threats they face and how they can be addressed.