“We are continuing to focus our digital programmes on building take-up. A number of our services are now at over 80%, delivering significant service and efficiency benefits”
– Kevin Powell, Executive, Director, Broxtowe Council, England
Like all organisations, public services, and local government in particular, will be increasingly vulnerable to cyberattacks in 2023 (see Figure 1 below). Attacks are increasing in both rate and sophistication, and the public sector is a growing target in its own right. Notably, AI will be weaponised as a cyberattack vector in the coming year.
In 2023, cyber threats facing public bodies will come from inside the organisation as well as externally, requiring a holistic response – a ‘mesh’ of protection including technical and non-technical measures.
“Criminal organisations used to attack banks because that was where the money was. Now that banks have become a really hard target, these organisations are looking elsewhere, always weighing up the profit to be made against the effort required. Today, local governments are an easy target with valuable data, which makes the effort a lot less than the profit. Local governments need to step up and make sure they are not targets of interest to criminal organisations.”
– Youri Segers, Chief Digital Officer, City of Antwerp and Chief Executive Officer, Digipolis, Belgium.
Remote working and distributed service provision across traditional boundaries, implemented during the pandemic, will require a matching and distributed approach to cyber security in 2023, with consolidated security policies across service areas, with partners and through the supply chain.
Growth in technologies such as Artificial Intelligence (AI) and the Internet of Things (IoT), particularly in sensitive areas such as housing and welfare benefits, and health and social services, must be accompanied by strong, inbuilt cyber resilience.
This includes faster detection and response to breaches as well as protection measures. Hayes Connor Data Breach Solicitors have revealed that UK local authorities are still taking over 72 hours on average to report nearly half of all data breaches.
‘The public puts a lot of trust in industries such as the health, government, and education sectors, with the expectation that their data is going to be handled securely. With so many of these data breaches being caused by human error, it’s very clear that these industries are in dire need of data handling training, at the very least.’
– Christine Sabino, Legal Director, Hayes Connor Solicitors, UK
As reported by Alan Shark, these risks are brought into even sharper focus by the difficulties in obtaining and affording cyber insurance, the need to move away from traditional perimeter-based security to zero trust models, and the lag in introducing effective user identity and access controls.
Others focus on the challenges involved in recruiting to cybersecurity roles and the need to draw upon diverse talent pools.
“Security is a rapidly evolving space, made up of numerous different technologies, and no single person is expected to possess every characteristic …. A curious mind, an ability to think about the rules and how to break them, and a willingness to learn are the most important traits we look for.”
– Lee, M. (2019) Stop Looking for the Purple Squirrel: What’s Wrong With Today’s Cybersecurity Hiring Practice, ISACA Journal
CIOs also report that there is a renewed focus on the supply chain (and not just IT suppliers) with increasing scrutiny of existing and new suppliers in relation to cyber insurance checks, compliance and data management.
“At Hackney we took cyber very seriously long before our cyberattack, investing in IT and moving to the cloud. That has taught us that if it can happen to us, it can happen to suppliers even if they have a strong assurance position.”
– Rob Miller, Strategic Director for Customer and Workplace, Hackney Council, England.
“Having attended the Major Cities of Europe (MCE), the ALGIM conference in New Zealand and the Linked Organisation of Local Authorities (LOLA) annual planning meeting towards the end of this year, the most common challenge and priority area for the majority of CIOs is cyber security and resilience.”
– Nadira Hussain, Socitm CEO, UK.
In response to all these challenges, New Zealand, as one leading example, has taken a proactive approach to helping public services to improve their cyber compliance, as outlined in the ALGIM case study below.
ALGIM, New Zealand – cybersecurity assessment
The Association of Local Government Information Management (ALGIM) provides professional development and thought leadership across a range of local government professions in Aotearoa New Zealand. Its local government cybersecurity assessment, based on 300 internationally recognised controls, helps public service organisations to assess their current cyber compliance position, with comparisons against other organisations available. ALGIM uses the information generated to target cyber training and support to the sector.
“The importance of ensuring public sector organisations are fully prepared for cyberattacks has never been greater. ALGIM awards councils who demonstrate the greatest improvement in their compliance rating every year, within the ALGIM Local Government Compliance Framework.”
– Mike Manson, Chief Executive Officer, ALGIM, Aotearoa New Zealand.