Cyber security

Local government shouldn’t underestimate its vulnerabilities when it comes to cyber security

Andrew Parsons, UK partner and cyber security expert at international law firm Womble Bond Dickinson

With targeted and increasingly sophisticated phishing scams continually on the rise, the ever-evolving world of digital communication presents the optimal backdrop from which fraudsters can readily strike. For local government, the big challenge is the wide range of information that is held, often about vulnerable people or of a highly sensitive nature: for example, children’s services or support for the elderly, medical records, or matters involving social services. Moreover, local councils naturally interact with a great many people, but on an infrequent basis, which means it’s not uncommon for them to be contacted by someone they have never spoken to before. This makes it easier to impersonate someone to phish for information.

How can local government protect systems and people from cyber threat and what part does human behaviour play?

Practically, there are processes and checks which can be put in place to mitigate the risk of phishing scams, but in the first instance it’s important to understand the different forms they can take.

The different forms of phishing

Employees may be able to spot the more obvious phishing emails, as they tend to have a couple of common themes: they either look completely innocuous or they tap into fear, for example “your bank account has been hacked”. Hackers will often tailor emails to topics relevant at the time, and they will certainly tailor them to seem relevant to an organisation. A seemingly urgent email from someone imitating a senior member of staff is relatively simple to execute, as this information is online for all to view.

People often expect to only be exposed to phishing through scam emails, leading them to wrongly assume the legitimacy of phone calls and divulge information. In a recent global report by Mutare, over 47% of businesses reported that they had experienced some form of voice phishing, or vishing, in the last 12 months.

Vishing occurs when someone phones you with the intent of deceiving you into sharing personal data with them. As a method of phishing, it came before email but has been making a resurgence in recent years. Large organisations are often targeted and should be extra cautious in terms of employee training and have complete clarity on which information employees are allowed to pass on over the phone.

Multi-factor authentication (MFA) fatigue attacks are a strategy used to get around multi-factor authentication, and usually take the form of fake emails repeatedly requesting access information from someone. This can lead to the recipient eventually getting so frustrated that they either turn it off or hand over security codes.

MFA fatigue attacks are relatively new, sophisticated methods; in reality, however, they make up only a small percentage of attacks. Phishing emails are still the most common threat and, in these instances, it is a numbers game: the hacker will send hundreds or thousands of phishing emails to an organisation looking for that one click, playing the odds and hoping they can get past the barriers for at least one individual.

Is your supply chain vulnerable?

Supply chain attacks more commonly occur when you have outsourced part of your operations, such as your HR department or payroll. Rather than trying to hack you directly, the hacker may go for one of your suppliers that has weaker security and is linked into your systems.

It's not personal

Whilst people often think they have been personally targeted by the hacker, in most cases they haven’t – it is pure opportunity.

In less targeted attacks, hackers don’t make decisions based on ‘interesting information’. The market value of the data is irrelevant; it’s what the value is to the organisation, to you. They will scan the internet and pick the lowest-hanging fruit. That said, if they can, hackers will look to target different and specific demographics, for example the aged, the less experienced in roles and the vulnerable.

Only a small number of hacker groups are using data to commit fraud; they aren’t stealing data to exploit it, they are stealing it to either sell or ransom it. There is a whole industry and ecosystem based around the buying and selling of stolen data, running behind hacking attacks. As for how you get this information back, in most cases they send a ransom note. Some even provide instruction manuals and operate helplines to help victims make payment of the ransoms.

Human behaviour – a vital piece of the puzzle

Human behaviour plays a vital role in ensuring organisations and people stay safe and protected from the threat of phishing.

In the phishing space, human behaviour is critical. Ensuring everyone in your organisation has had regular training so they know the signs to look out for, and has a level of consciousness about their own data security, is key.

You can also subscribe to various threat intelligence services which keep records of all the current known ‘scams’ so you can set up systems to weed them out and filter before they even get through to inboxes. However, keep in mind that you can’t filter everything.

 

Andrew Parsons can support organisations in maintaining good cyber security practices and handling data breaches.

For more information, visit: www.womblebonddickinson.com/uk/insights/hubs/reconnect

PSE December/January 2024
