Local governments play a vital role in our communities, providing essential services such as education, public safety, and social welfare. As they manage vast amounts of sensitive data and ensure the smooth operation of services we rely on daily — from local schools and public parks to street safety and public health — the need for robust cyber security for local government becomes critical. However, their extensive responsibilities and significant data holdings make them prime targets for cyber criminals.
In recent years, local governments have faced a surge in cyber attacks. These have disrupted services, compromised sensitive information, and incurred significant financial costs. This post explores the unique cyber security challenges local governments face and how tailored support can support them in protecting their systems and the essential services they provide.
What are the unique cyber security challenges of local governments?
Vast and Diverse Data Holdings.
Local councils and government bodies manage a wide range of sensitive data, including personal records, financial information, and details about public infrastructure and emergency response plans. This makes them attractive targets for cyber criminals.
For instance, councils often store data on housing benefits, social care records, and educational services. These are all are valuable for identity theft and fraud. The cyber attack on the London Borough of Hackney in October 2020, which led to the encryption of personal and financial data, severely disrupted services like council tax and housing benefits. Similarly, the attack on Redcar and Cleveland Borough Council in February 2020 resulted in months-long service disruptions and over £10 million in recovery costs. These incidents highlight the critical importance of securing the sensitive data managed by local governments.
Recently, Greater Manchester councils faced a similar challenge. A significant cyber attack in August 2024 targeted the housing websites for Manchester, Salford, and Bolton councils, managed by the software provider Locata. This attack led to thousands of residents receiving phishing emails attempting to steal personal data. The councils responded by taking their websites offline and advising residents on how to protect their information. This incident emphasizes the vulnerability of third-party services and the importance of extending security measures to all associated vendors.
Ageing Infrastructure and Legacy Systems.
Many local governments rely on outdated IT infrastructure and legacy systems that lack modern security features. These systems are difficult to update or integrate with newer technologies, creating significant vulnerabilities.
The 2017 WannaCry ransomware attack, which exploited a vulnerability in older versions of Microsoft Windows, exemplifies the risks posed by outdated systems. The attack caused widespread disruption, including in the NHS in the UK, which shares similar IT challenges with local governments. Over 19,000 medical appointments were cancelled, and operations were severely affected, impacting more than 230,000 computers in over 150 countries.
Local councils often face similar challenges, struggling to manage and secure legacy systems while attempting to modernise their IT infrastructure. Budget constraints frequently force councils to prioritise immediate service needs over long-term IT investments, perpetuating reliance on outdated systems and increasing vulnerability to cyber attacks.
Budgetary Constraints and Resource Limitations.
Tight budgetary constraints and limited resources significantly hinder local governments’ ability to implement comprehensive and effective cyber security measures. Financial challenges often lead to a reactive approach, where councils deal with incidents as they occur rather than investing in preventive measures.
“At the moment, we’re not getting funding streams through to do what we’re doing…Budgetary constraints are incredibly ferocious at the moment. Cyber security is a 24/7 problem. And we’re not paid to do that. So, everything’s been done on kind of grace and favour and best endeavours outside of hours.”
Public sector organisation, 250-999 employees from Ipsos, Cyber security skills in the UK labour market 2023: findings report
These constraints extend beyond technology, impacting the ability to attract and retain skilled cyber security professionals due to competitive job market conditions.
Local governments can struggle to match the lucrative salaries and benefits offered by the private sector. This leads to a significant skills gap within IT departments and making it difficult to manage and mitigate cyber risks effectively.
Complexity of Operations.
Local governments oversee a diverse array of services, each with unique cyber security needs. This diversity complicates the implementation of uniform security measures and often results in a fragmented approach, with different departments adopting disparate security practices.
The varied nature of these services — from public transportation systems and utilities to healthcare, social services, and educational facilities —can create security gaps and inconsistencies in policy enforcement. Integration of IT systems across various departments can be problematic, making it harder to maintain a cohesive security strategy.
Human Risk.
Human error is a pivotal factor in cyber security, especially in local government environments where employees regularly handle sensitive information. Phishing scams and social engineering attacks are prevalent methods used by attackers to compromise systems in the public sector.
Phishing attacks exploit human vulnerabilities by tricking individuals into revealing sensitive information or clicking on malicious links. The 2023 Cyber Security Breaches Survey reports that 83% of organisations experiencing cyber incidents were affected by phishing attacks. Local government employees are particularly susceptible due to their access to a wide range of sensitive data.
A notable example is the cyber-attack on Gloucester City Council in December 2021. It began with a spear-phishing email appearing to come from a trusted supplier. An employee clicked the malicious link, allowing attackers to infiltrate the council’s network, causing significant service disruptions.
The recent phishing attack on Greater Manchester councils further highlights the human risk. The attackers targeted residents through emails that appeared to be legitimate requests from local authorities. This incident demonstrates the need for continuous education and training to help both staff and residents recognise and respond to such threats.
This incident underscores the importance of robust internal security policies and awareness programs to mitigate human risks, similar to the measures that we have supported Camden Council in taking with their deployment of Hoxhunt.
Strengthen Cyber Security for Local Government Despite Challenges.
Local governments are fundamental to the fabric of our communities, managing sensitive data and providing essential services. However, the challenges they face—ranging from vast data holdings and outdated systems to budget constraints and complex operations—make them particularly vulnerable to cyber attacks.
To effectively navigate these challenges, local governments need tailored cyber security solutions that address their specific needs and constraints. At Secon Cyber, we work closely with local councils, such as Camden Council, to secure legacy systems, manage human risks, and implement cost-effective security measures.
Are you part of a local government organisation in need of support with cyber security? Contact us to explore how our customised solutions can help protect your systems and services. Partner with us to safeguard your community today and prepare for the threats of tomorrow.