The Local Digital Collaboration Unit Cyber team has come to the end of a two-month discovery into cyber security at local authorities.
The purpose of the discovery was to investigate how MHCLG might support local authorities to reduce the incidence and impact of cyber attacks, and support sustainable cyber health.
During a short exploration phase earlier this year, the team sought to understand the wider cyber security landscape within government, including what support is available and who provides it, while gathering evidence from councils and stakeholders. We were then able to identify three key themes and assumptions to focus on during the discovery:
- Secure by design - could vulnerability to cyber attacks be reduced if local authorities built, planned and maintained services in a secure manner?
- Standards and guidance - would cyber security risk decrease at local authorities if they subscribed to clear standards, expectations and goals?
- Roles, responsibility, accountability - would cyber security risk be reduced if the behaviours, ownership and responsibility for cyber health at local authorities were improved?
What we’ve done during discovery
Over the course of 8 weeks, the team has:
- conducted 37 virtual user research interviews across 7 different role types, engaging with 27 different organisations
- reached out to several other government departments that deliver cyber security programmes, including NHS-X, NHS Digital, MoJ Digital and the Scottish Government, to share our learning and to learn from their experience
- analysed the impacts of previous malicious cyber attacks using case studies and cost data
- conducted two workshops with key stakeholders in order to explore ideas and solutions from key experts in the industry
- refined the three prioritised themes from pre-discovery: ‘Standards and Guidance’, ‘Ownership, Responsibility and Accountability’ and ‘Secure by Design’
- held a systems thinking session with the Government Security Group (GSG) and Local Government Association (LGA) to explore causal links between people, process and technology in a complex context of cyber security and local government
- created a detailed proposal for technical remediation activity for selected “at risk” councils highlighted in the ransomware survey (a survey we sent to councils to understand their risk and mitigations against a ransomware attack)
To make sure our work is visible, we held fortnightly Show and Tells, published updates in sprint notes, and met with people across Government (and other interested parties) to share our work.
What we discovered
Building on the work completed during pre-discovery, we were able to gain a clearer picture of problems and opportunities.
These are some of the key findings that came out of the discovery:
- There are many cyber standards, but no clear baseline.
- An effective cyber baseline must encompass culture, leadership and ‘cyber first’ processes.
- Leadership support is vital to embed standards and best practices across the organisation.
- Leaders need to understand cyber risk to inform their decisions.
- Legacy technology is a critical blocker to achieving cyber health.
- There is an opportunity for councils to collaborate in order to achieve greater security.
Through our research it became clear that, while councils are doing the best they can with the resources and knowledge they have, there are a number of areas in which MHCLG might provide support.
What happens next
Having researched the problems and challenges that local authorities face in improving their cyber security, we sought to generate holistic solutions that address the largest number of pain points. Through a series of workshops with stakeholders and local authorities, we identified the main areas of focus to solve the known problems. We then selected the top five areas of opportunity for MHCLG and key stakeholders to progress into alpha.
- Cyber Health Framework - develop a framework of cyber security standards and guidance that organisations can apply in order to achieve a minimum level of cyber health and measure where they are against this baseline
- Cyber Roles - formalise the role of the decision-maker for cyber security at the executive level within local authorities, with clear lines of communication to that person
- Peer Support - explore how to formalise a professional network for cyber security professionals from local authorities and create a trusted ‘safe space’ where peers are able to share and learn
- Training and Support - provide a range of training that fosters cyber responsible attitudes and behaviours
- Technical Remediation - provide support to councils identified through the recent survey on mitigating malware and ransomware
We are currently submitting bids to secure funding for the continuation of this work. Some of the work will be owned and carried out by MHCLG directly, and for some we will look to collaborate with stakeholders and leaders in this space. We want to continue our collaboration and research with local authorities in developing the cyber framework, and to continue to test our findings and recommendations using a user-centred and evidence-based approach.
We will look to support the councils identified as “at risk” in the ransomware survey as an immediate action.