Over the last few years, councils have been increasingly hit by cyber-attacks – often with devastating consequences. In 2020, Hackney council was the victim of a ransom attack that saw criminals encrypt 440,000 files, costing the council £12 million and resulting in an ICO reprimand. 

Also in 2020, Redcar and Cleveland Borough Council was hit by a ransomware attack that took down key systems including online public services. The attack forced staff to resort to pen and paper, and reportedly cost over £10 million. 

More recently, in September this year, an attack on Tewkesbury Borough Council forced the organisation to shut down its systems.  

Ransomware is an attack vector of choice, but adversaries are also using distributed denial of service (DDoS) to take out council websites and cause maximum disruption. Only the other week, Russian group NoName057(16) claimed responsibility for DDoS attacks on websites including Salford, Bury, Trafford and Tameside councils. 

Attacks on third parties are another means for adversaries to target councils. In July, thousands of Greater Manchester residents were hit by phishing scams after an attack on a local housing company.  

So why are councils at such a great risk from cyber-attacks and what can be done to better protect them?  

An easy target 

Limited cybersecurity budgets and vast amounts of sensitive data make councils an attractive target. Councils hold vast amounts of sensitive information, which makes them “prime targets”, says  Graeme Stewart, head of public sector at Check Point Software.  

He cites the example of council tax details such as names, addresses, dates of birth and bank information, which criminals see as “valuable data”. 

It’s made worse by the fact that councils often lack the resources to safeguard the information they hold. Many operate on older IT infrastructure, and smaller councils have limited cybersecurity budgets, Stewart says. “This leaves them more vulnerable to advanced attacks that their systems may not be designed to withstand.” 

At the same time, councils often outsource services such as waste management and social services to third-party providers in order to cut costs. This introduces supply chain risks, Stewart says. “Attackers may exploit weaker security in third-party systems, using them as a backdoor into council networks.” 

Damian Garcia head of GRC consultancy at IT Governance, says he’s worked with many councils that struggle to maintain consistent training and access controls, leaving them open to breaches. “Combined with the rise of sophisticated attacks on the public sector, this creates a particularly risky environment.” 

Phishing, ransomware and unauthorised access are the top threats councils face, says Garcia.  

Ransomware attacks can also be particularly effective. Councils may be more inclined to pay the ransom to get systems back up and running, says Hannah Baumgaertner, head of research at Silobreaker. “Any downtime could have devastating consequences and create an immense backlog of tasks for a council, putting additional pressure on already overworked organisations.” 

Boosting resilience

It’s clear councils are at increasing risk, so how can they boost resilience as budgets tighten? It’s not just about technical controls, according to experts.  

“While technical defences such as well-configured firewalls and advanced security systems are crucial, these alone do not fully address the risk,” says Durgan Cooper, CETSAT chairman, cybersecurity expert and House of Lords adviser.  

Taking this into account, simply spending more on the latest technology isn’t enough, he says. Councils must focus on implementing “cost-effective security solutions” that provide “real value for money”, says Cooper. “Over-engineered defences, which often come at a significant expense, are not always the most appropriate or efficient way to protect citizens' data.” 

Well-planned, practical security strategies that leverage affordable technology, combined with strong staff awareness, offer a better approach, he says. 

It starts with the basics. Councils should ensure they have the necessary cybersecurity protections and that all employees' workstations are running with the latest software updates installed, says Baumgaertner.   

To reduce risks, councils need to foster a robust cybersecurity culture, with targeted training, up-to-date access controls and a strong incident response plan, Garcia says. “Regularly refreshing protocols and conducting insider threat assessments are essential, as is monitoring for unusual activity among staff with high access. Proactively addressing these vulnerabilities helps protect sensitive data and avoid costly regulatory penalties.” 

Social engineering, in particular phishing attacks, are the most common way through which organisations are breached and ransomware is spread, says Javvad Malik, lead security awareness advocate at KnowBe4. 

He says focusing on protecting employees from social engineering attacks “can be one of the most effective ways to reduce the overall risk, at considerably less cost than upgrading all IT systems”. 

With this in mind, employees should also be wary of any unexpected communication via email, SMS, or social media, Baumgaertner says.  

She also advocates regular cybersecurity awareness training to make sure all staff are “confident in identifying potentially malicious behaviour”, and know who to report such activity to. “This will help in identifying any suspicious activity early, which is essential in stopping any attack that may have made it past initial defences.” 

Cybersecurity training should be tailored to specific roles, Stewart says. “For instance, social workers dealing with critical cases shouldn’t have to focus on cybersecurity – it’s our job as cybersecurity professionals to make it seamless and effective.”

Kate O'Flaherty Cybersecurity and privacy journalist