Cyber security

Local government shouldn’t underestimate its vulnerabilities when it comes to cyber security

Andrew Parsons, UK partner and cyber security expert at international law firm Womble Bond Dickinson

With targeted and increasingly sophisticated phishing scams continually on the rise, the ever-evolving world of digital communication presents the optimal backdrop from which fraudsters can readily strike. For local government, the big challenge is the wide range of information that is held often about vulnerable people or highly sensitive information. For example, children services or support for the elderly, medical records, or matters involving social services. Moreover, local councils naturally interact with a great many people but on an infrequent basis which means it’s not uncommon for them to be contacted by someone they have never spoken to before, and this makes it easier to impersonate someone to phish for information.

How can local government protect systems and people from cyber threat and what part does human behaviour play?

Practically, there are processes and checks which can be put in place to mitigate the risk of phishing scams, but in the first instance it’s important to understand the different forms they can take.

The different forms of phishing

Employees may be able to spot the more obvious phishing emails as they tend to have a couple of common themes; they either look completely innocuous or they tap into fear, for example “your bank account has been hacked”. Hackers will often tailor emails to topics relevant at the time and they will certainly tailor it to seen relevant to an organisation. A seemingly urgent email from someone imitating a senior member of staff is relatively simple to execute as this information is online for all to view.

People often expect to only be exposed to phishing through scam emails, leading them to wrongly assume the legitimacy of phone calls and divulge information. In a recent global report by Mutare, over 47% of businesses reported that they had experienced some form of voice phishing, or vishing, in the last 12 months.

Vishing occurs when someone phones you with the intent of deceiving you into sharing personal data with them. As a method of phishing, it came before email but has been making a resurgence in recent years. Large organisations are often targeted and should be extra cautious in terms of employee training and have complete clarity on which information employees are allowed to pass on over the phone.

Multifactor Authentication (MFA) fatigue attacks is a strategy used to get around multi-factor authentication and usually take the form of fake emails repeatedly requesting access information from someone. This can lead to the recipient eventually getting so frustrated they either turn it off or hand over security codes.

MFA fatigue attacks are relatively new, sophisticated methods, however in reality they make up only a small percentage of attacks. Phishing emails are still the most common threat, and, in these instances, it is a numbers game; the hacker will send hundreds or thousands of phishing emails to an organisation looking for that one click, playing the odds and hoping they can get past the barriers for at least one individual.

Is your supply chain vulnerable?

Supply chain attacks more commonly occur when you have outsourced part of your operations, such as your HR department or payroll, for example. Rather than trying to hack you directly, the hacker may go for one of your suppliers who have weaker security and are linked into your systems.  

It's not personal

Whilst people often think they have been personally targeted by the hacker, in most cases they haven’t – it is pure opportunity.

In less targeted attacks hackers don’t make decisions based on ‘interesting information’. The market value of the data is irrelevant, it’s what the value is to the organisation, to you. They will scan the internet and pick the lowest hanging fruit. That said, if they can, hackers will look to target different and specific demographics, for example the aged, the less experienced in roles and the vulnerable

Only a small number of hacker groups are using data to commit fraud, they aren’t stealing data to exploit it, they are stealing it to either sell or ransom it. There is a whole industry and eco-system based around the buying and selling of stolen data, running behind hacking attacks. In terms of how you get this information back; in most cases they send a ransom note. Some even provide instruction manuals and operate helplines to help victims to make payment of the ransoms

Human behaviour – a vital piece of the puzzle

Human behaviour plays a vital role in ensuring organisations and people stay safe and protected from the threat of phishing.

In the phishing space, human behaviour is critical. Ensuring everyone in your organisation has had regular training so they know the signs to look out for, as well as having a level of consciousness about their own data security are key.

You can also subscribe to various threat intelligence services which keep records of all the current known ‘scams’ so you can set up systems to weed them out and filter before they even get through to inboxes. However, keep in mind that you can’t filter everything.

 

Andrew Parsons can support with helping organisations maintain good cyber security practices and handling to data breaches.

For more information, visit: www.womblebonddickinson.com/uk/insights/hubs/reconnect

Cost of living crisis

PSE Jan/Dec 22

Cost of living crisis

Our December/January 2022 edition of PSE brings you expert comment and analysis on a range of key public sector topics, from levelling up to decarbonisation and the funding crisis. Learn how we can protect our public services, or read Cllr David Renard's discussion on how Local and central government are working together to support local needs, alongside so much more…

Videos...

View all videos
#PSE365: Public Sector Levelling up

Be A Part Of It!

PSE365: Public SectorLevelling up Virtual Event | 17 Nov 2022

PSE has created a full calendar of events to address the most important issues that influence the delivery of public sector services. 

Over 365 days you’ll have the opportunity to hear from a range of highly motivating, informative and inspirational speakers. These speakers will equip you with knowledge and unique insight to enable you to overcome the challenges that you face.

Upcoming Webinar

Webinar: Driving sustainability & value through technology end-of-life

End-of-life is often overlooked yet is equally as important to a digital strategy, but what happens to end-of-life technology? What is the impact on the environment, net zero targets? What is the financial impact, is value for money for the taxpayer simply discarded and destroyed along with the technology?
 

Join us on 13 September between 2:00pm-2:45pm where we look to address the lifecycle of a digital strategy with a focus on end-of-life using examples, achieving efficiency, increased sustainability and delivering cost savings.


Guest Panellists:

Adam Turner, Head of Government and Public Sector Sustainable ICT and Digital, DEFRA
Ben Levin, Senior Manager, Technology Assesment and Criteria Development, Global Electronics Council
Fredrik Forslund, Vice President, Enterprise & Cloud Erasure Solutions, Blancco
Ben Tongue, Digital Net Zero Lead, NHS England

More articles...

View all