Hundreds of councils across the UK suffered data breaches last year, according to new Freedom of Information (FOI) research from Redscan.
The managed security services provider used official FOI responses from over 60% of the country’s 398 local authorities to compile its new report, Disjointed and under-resourced: Cyber security across UK councils.
Extrapolating these results, Redscan estimated that there were over 700 breaches reported to data protection regulator the Information Commissioner’s Office (ICO) last year. The average number reported by county councils (4.6) was more than double the overall figure (1.8).
The report also noted that those reporting the most breaches tended to be the largest councils.
On the face of it, things are improving: the 2020 figure for breached councils (704) was around 10% lower than 2019 estimates (786).
However, the threat to local government is still high, Redscan warned.
Some ten councils confirmed they had been victims of ransomware or had experienced breaches that disrupted their operations last year. One reported 29 breaches to the ICO in just a single year.
Although the figures are not broken down by breach type, many of the incidents organizations report to the ICO stem from employee negligence, such as emailing information to the wrong recipient or failing to BCC users.
That’s why the report called out staff training as a key area of scrutiny.
Around 40% of local authorities spent no money on this crucial area in 2020, while nearly half (45%) were found to employ no staff with recognized security qualifications.
An estimated £1.5 million was spent in total among UK councils on security awareness training, which amounts to just £1.58 per employee, Redscan claimed.
The firm’s CTO, Mark Nicholls, argued that there’s plenty of room for improvement for local authorities.
“Every council has thousands of citizens depending on its services daily. Going offline due to a cyber-attack can deny people access to these critical services,” he added.
“To minimize the impact of data breaches, it is important that councils are constantly prepared to prevent, detect and respond to attacks. While our findings show that councils are taking some steps to achieve this, approaches vary widely and, in many cases, are not enough.”