Third-party IT consultants can implement cyber security solutions that enable 360-degree visibility and 24×7 tactical coverage
AJ Thompson, CCO at Northdoor plc
According to the Information Commissioner’s Office (ICO), there was an 8,000 percent increase in the number of people affected by financial data breaches in central government between 2019 and 2023.
The figures suggest that there might be a crisis in data security in central government, following a spate of massive cyber breaches. The figures derive from reports of ‘personal data breaches’ (PDBs) made under Article 33 of the UK GDPR to the ICO.
Tougher enforcement is key in the public sector
The worrying figures were part of a Freedom of Information (FOI) request by the ICO and were not actively published. There also doesn’t seem to be any explanation of the seriousness of the issue or how it is being dealt with.
Even though not every PDB is serious enough to require action, there will be a lot of near misses. The figures show a massive increase in the number of people impacted between 2019 and 2023, with a noticeable upturn between 2022 and 2023 (from 70 million to 195 million). This points to a pressing need for the ICO to consider whether tougher enforcement is needed in the public sector instead of pursuing its current “soft” approach.
The ICO has confirmed that it is looking into a review regarding its approach to enforcement in the public sector, after the two-year, softer approach trial. However, it hasn’t revealed if the increase in central government data breaches requires action.
Widely reported ICO incidents
With data breaches on the rise, government bodies must do more to improve cybersecurity. It is vital that there are robust protections in place to secure the data and the information held within it. Public sector staff also need to have the knowledge and training to handle such data securely. However, all too often this doesn’t happen.
The risk of a security breach has become an increasing reality for local government in the UK. For example, Sefton Council experienced 50 percent more cyber-attacks every month, a figure in line with a global increase in incidents, according to a new report.
Sefton Council found that it was being targeted for the security of its IT infrastructure. The council admitted that significant work needs to be done to prevent future attacks. Third-party IT consultants can help local government to implement new security practices and tools and ensure that council staff, who are the last line of defence, are trained to recognise a potential attack and deal with it appropriately.
Similarly, Bristol City Council is at an increased risk of a cyberattack due to delayed critical IT updates. Legacy software is a huge risk to local government and a key target for cyber-attacks.
The Gloucester City Council cyber-attack is also a reminder to all local governments across the UK of just how vulnerable everyday services are. Russian-based hackers, who were believed to be responsible for the attack in December 2021, disrupted numerous services for thousands of residents, including benefit payments, planning applications and house sales, and councillors were blocked from emailing other organisations. The council had to rebuild all of its servers as a result of the attack and the latest estimate suggests the bill to the taxpayer stands at just under £800,000.
Transparency is crucial
Cybercriminals are becoming more and more sophisticated. However, this shouldn’t let local government departments off the hook. If they have done everything in their power to protect data and have robust security processes and procedures in place, it is unlikely that they would be successfully fined by the ICO.
All too often, people are unaware that their data has been compromised until they hear that their local government department has been fined. Under GDPR, organisations must tell you if your data has been compromised, and local government needs to work harder to adhere to the regulations, with the ICO being more transparent around all incidents.
Third-party IT consultants can help
Local governments need to ensure strong security procedures are in place to minimise the threat of cybersecurity breaches. Third-party IT consultants can help them to implement cyber security solutions that enable broad visibility and work seamlessly with existing technology stacks, using Managed Detection and Response (MDR), Managed Risk, Managed Cloud Monitoring, and Managed Security Awareness, all supported by third-party IT support.
Third-party IT consultants can provide 24×7 tactical coverage and ongoing strategic security recommendations, acting as an extension of an organisation’s internal team to improve its security posture. By turning to AI-powered solutions, local governments can have a 360-degree view of where potential vulnerabilities might lie. This ensures that data is protected from cybercriminals, whilst maintaining reputation and decreasing the risk of an ICO fine.