Cyber Incident Response: Your last line of defence - get better prepared

Managing a cyber-attack and recovery plan – Gloucester City Council

Gloucester City Council (GCC) experienced a sophisticated ransomware attack that encrypted its servers and disrupted services. The attack began with a spear-phishing email, which led to malware installation and eventual data exfiltration and server encryption.

Challenges

  • Loss of access to IT systems and data
  • Disruption to public-facing services, ranging from a few days to several months
  • Potential data breach, with around 240,000 files transferred to an unknown destination
  • Communication difficulties with business partners who blocked electronic communications
  • Balancing the need for quick service restoration with security considerations

Approach

  • Immediate activation of business continuity plans
  • Engagement with the National Cyber Security Centre (NCSC) and the National Crime Agency (NCA)
  • Implementation of temporary workarounds for critical services
  • Decision to build a completely new system rather than restoring the old one
  • Transition to cloud-hosted solutions for line-of-business applications
  • Enhanced security measures, including the implementation of security information and event management (SIEM)

Outcomes and benefits

  • Successful restoration of critical services, including timely benefit payments
  • Implementation of a more robust and secure IT infrastructure
  • Improved cyber security awareness and practices among staff
  • Enhanced business continuity and disaster recovery plans
  • Strengthened relationships with partner organisations and support networks

Lessons learnt

  • The importance of having a specific cyber incident plan, including a communications strategy
  • Dangers of customising applications, which can cause compatibility issues during recovery
  • Need for more focused training on cyber threats, data protection and file management
  • Importance of cautious dealings with external suppliers, including the use of a supplier risk dashboard
  • Recognition that despite preparations, cyber attacks can happen to any organisation
  • Value of cloud-hosted solutions in minimising disruption during cyber incidents

View original case study article at local.gov.uk