The UK’s local authorities are facing an unprecedented barrage of cyber-threats, amounting to almost 800 every hour in the first half of 2019, according to insurance broker Gallagher.
Of the 203 councils that responded to the firm’s Freedom of Information (FOI) requests, nearly half (49%) had been targeted since the start of 2017, with over a third (37%) attacked in the first half of the year.
Over the first six months of 2019, those councils experienced 263 million attacks, a number that would likely be much higher if the authorities that chose not to answer the FOI request were factored in.
However, despite the barrage, most authorities seem to be holding up: just 17 attacks were reported to have resulted in the loss of data or money, although one council reported the loss of over £2m, according to Gallagher.
Just 13% of local authorities have cyber insurance, a figure the firm would obviously like to see much higher.
“Councils are facing an unprecedented number of cyber-attacks on a daily basis. While the majority of these are fended off, it only takes one to get through to cause a significant financial deficit, a cost which the taxpayer will ultimately foot,” argued Tim Devine, managing director of Public Sector & Education at Gallagher.
“Costs and reputational damage at this scale can be devastating for public authorities, many of which are already facing stretched budgets. In many scenarios, the people responsible for purchasing cyber-insurance products need decisions to be made at member, or management level. The cyber threat and the need for cover need to be high on every local authority’s agenda.”
However, most of the attacks noted in the report are likely to be the result of “automated probing and discovery tools” and therefore should not be classed as true security incidents, according to Tripwire senior director, Paul Edon.
“However, the truth of the matter is that many local authorities and councils still remain unprepared for a true cyber-attack,” he added.
“To get security right, organizations need to get the basics right. Start by understanding the risk you have. You must conduct regular, preferably continuous, assessments of configuration and vulnerability risk across your IT systems. Then ensure systems are regularly patched and upgraded. Following these basic security hygiene rules will go a long way to making your systems secure and the attackers’ job more difficult.”