UK local authorities have proved to be regular victims of a variety of cyber attacks. Unfortunately, this is unlikely to change in the short term, so our advice is that all councils, no matter their size, should be taking positive steps to become more resilient, so that they can survive and thrive after an incident.
All the senior leaders from across the organisation, no matter what directorate they run or title they have, play a critical role in this shift. The strategic levers that drive resilience sit firmly at the top, and commitment there flows down to the rest of the organisation.
This is about risk appetite, investment, prioritisation and accountability. The goal is ensuring that the organisation can continue to deliver vital public services even under extreme stress until its systems and processes are available again.
Don’t allow dashboards and board presentations to create a false sense of security. As a senior leader, go and sit with the security team, ask them about their actual challenges with making changes within the IT environment, listen to their pain points and help them defend your organisation by driving through the changes they identify.
Start with what can be done immediately – 24/7 security monitoring
There are some steps that councils should take as quickly as possible and some that will take longer to implement given the challenges of budget, reorganisations, and elections.
In the short term, a sensible first step is ensuring that the IT estate is monitored 24/7, so that a response to an incident can start straight away. Obviously, to do this there has to be a good understanding of the infrastructure, where the data is and how it flows internally and externally, so that it can be effectively secured. But don’t wait for perfect knowledge; make the move to effective security monitoring as soon as possible.
Reviewing the IT estate – both in-house and SaaS provided – through a variety of lenses is then likely to identify significant opportunities to reduce the attack surface:
1 - Strengthen identity and authentication across the board
Review the accounts that are on the estate. We regularly see contractor, guest, generic and shared accounts that haven’t been used recently. These are risks that can be removed.
For remaining accounts, insist on multi-factor authentication (MFA) using an app rather than SMS. Of course, these should be tied to complex and unique passwords – implementing these across the entire estate will help reduce the chance of an attacker just logging in. All too often password policies are neither stringent enough nor enforced, and MFA is limited to certain applications or processes. This needs to change. If MFA can’t be added then alternative restrictions need to be in place immediately.
2 - Address password reuse realistically
We know that staff reuse passwords across multiple internal and external (SaaS and web application) systems, so use single sign-on or provide a password manager so that complex passwords do not become a burden to your users.
3 - Control and protect privileged access
Reducing the number of accounts with administrator or similar rights is essential. We often discover that the Active Directory configuration has drifted over time, with new and nested groups given unnecessary levels of privileged access.
For those remaining administration accounts, locking them down with phishing-resistant MFA and using privileged access workstations (PAWs – a separate machine used just for administration activity) will make it harder for an attacker to elevate their rights. This means the attacker is less able to cause the sort of damage that we have seen so often.
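The account review in step 1 and the nested-group drift in step 3 can be checked together from a directory export. The sketch below is an added example, not NCC Group tooling: the group names, accounts, dates, function names and the 90-day idle threshold are all assumptions made for illustration.

```python
from datetime import date

# Constructed sample data standing in for a directory export (not real accounts).
GROUPS = {
    "Domain Admins": ["alice.admin", "IT-Ops"],
    "IT-Ops": ["bob.ops", "Helpdesk-Tier2"],
    "Helpdesk-Tier2": ["carol.help", "svc-scanner", "IT-Ops"],  # circular nesting
    "Finance": ["dave.fin"],
}
LAST_LOGON = {  # account -> last logon date; None means never used
    "alice.admin": date(2025, 5, 28),
    "bob.ops": date(2025, 5, 30),
    "carol.help": date(2024, 11, 2),
    "svc-scanner": None,
    "dave.fin": date(2025, 5, 29),
    "contractor.tmp": date(2024, 9, 14),
}


def effective_members(group, groups):
    """Return {account: nesting path} for every account that inherits `group`."""
    found, stack, seen = {}, [(group, [group])], {group}
    while stack:
        current, path = stack.pop()
        for member in groups.get(current, []):
            if member in groups:            # member is itself a group
                if member not in seen:      # guard against circular nesting
                    seen.add(member)
                    stack.append((member, path + [member]))
            else:
                found.setdefault(member, path)
    return found


def stale_accounts(last_logon, today, max_idle_days=90):
    """Accounts never used, or idle longer than the assumed 90-day threshold."""
    return sorted(a for a, seen_on in last_logon.items()
                  if seen_on is None or (today - seen_on).days > max_idle_days)


def review(privileged_group, groups, last_logon, today):
    """Report privilege inherited through nesting and stale accounts."""
    members = effective_members(privileged_group, groups)
    stale = set(stale_accounts(last_logon, today))
    return {
        "inherited": {a: " > ".join(p) for a, p in members.items() if len(p) > 1},
        "stale_privileged": sorted(stale & set(members)),
        "stale_other": sorted(stale - set(members)),
    }
```

Calling `review("Domain Admins", GROUPS, LAST_LOGON, date(2025, 6, 1))` lists each account that holds admin rights only through a nested group, alongside the unused accounts that are candidates for removal.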
A final thought for senior leaders
There are many more ways to reduce risk and enhance the resilience of your estates, from well-designed and tested back-ups to external security testing of your applications and estate. But you need to make changes now. Cyber incidents are not hypothetical. For the UK’s local authorities, they are predictable, frequent, and will disrupt essential services upon which communities rely.
You should make sure that departmental and corporate business continuity plans are designed to cope with no access to IT for an extended period; it’s harder than you think, but not impossible.
The councils that come through these challenges strongest will be the ones that:
- Build organisational – not just technical – resilience
- Invest early in monitoring
- Enforce strong authentication
- Reduce privileged access risk
- Support staff with secure, usable tools
- Plan and exercise to respond effectively
The threat landscape is complex, and councils face constraints that private organisations often don’t. Engaging with experienced partners who understand public sector environments can accelerate and strengthen risk reduction.
At NCC Group, our teams work with councils every day, providing practical guidance on where to focus, how to prioritise, and what actions deliver the most rapid reduction in exposure.