Local authorities hold vast amounts of personal data on their citizens – and have less and less budget with which to protect it – what is the solution?
Between August 2008 and August 2011, there were 1,035 data breaches in local councils*. Some breaches involved lost laptops, memory sticks and confidential printed material; others consisted of sensitive information being sent to the wrong recipient; and some were the result of phishing attacks. Put another way, it is estimated that councils have lost the personal details of more than 160,000 people in five years.
Councils hold privileged, personal information on all of us. As such, they are an obvious target for attackers. They are also highly visible, meaning large-scale data loss can cause great damage to their reputation.
But, in the face of increasing – and increasingly sophisticated – phishing attacks, councils have less and less budget to spare on protecting themselves. Councils in England will see their overall spending power fall by an average of 1.8% this year, the government says, whilst some local authorities will see it drop by as much as 6.4%*.
Even in the face of these cuts, councils are under pressure to invest in new technologies, better infrastructure and state-of-the-art solutions. It is hard for them to find any budget left over for greater security awareness and protection.
Where should councils start in deciding how best to protect their data?
If a council has not had a recent organisation-wide phishing assessment, this is a good, low-cost place to start. It establishes a baseline, defines exposure and reveals the likely ballpark cost of plugging the security gaps.
Such an exercise will not, however, reduce the threat; that requires training. The phishing threat is only really diminished when all users are regularly trained on how to spot phishing emails. Note that it is vital that everyone is trained, and that they are trained regularly. This is because any member of staff can constitute the weak link that the attackers exploit, and the old and tempting habits of replying to emails, opening attachments and so on die hard.
IT security, therefore, is not just an IT problem; it is everyone's. This includes functions such as HR and internal communications. Training the staff, preparing them for real-world phishing attacks and equipping them with the knowledge to identify malicious emails is important for, and valuable to, every employee.
The longer-term benefits of running phishing campaigns are likewise plentiful: only phishing assessments can produce metrics on how security-aware the organisation actually is; these exercises result in faster, more resilient and more refined incident responses; and they mean that real-world attacks will be reported more promptly and more consistently.
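The baseline an assessment establishes and the awareness metrics described above are both derived from the same raw data: who received the simulated email, who clicked, who reported it and how quickly. The following is an added example (not code from the original article or from any particular assessment vendor) showing how those per-recipient results can be turned into the figures a council would track across campaigns: click rate, report rate, median time-to-report and the click rate per department. All recipient records below are constructed sample data, and the department names and function names are assumptions for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from statistics import median
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Recipient:
    """One staff member's outcome in a simulated phishing campaign (constructed data)."""
    user: str
    department: str
    clicked: bool                       # followed the simulated link
    reported: bool                      # reported the email to IT / security
    minutes_to_report: Optional[float]  # None if the email was never reported


def campaign_metrics(recipients: List[Recipient]) -> Dict[str, object]:
    """Summarise a campaign into the metrics used to measure security awareness."""
    total = len(recipients)
    if total == 0:
        raise ValueError("a campaign needs at least one recipient")

    clicked = sum(1 for r in recipients if r.clicked)
    reported = sum(1 for r in recipients if r.reported)
    report_times = [r.minutes_to_report for r in recipients
                    if r.reported and r.minutes_to_report is not None]

    # Per-department breakdown: [recipients, clicks] so weak spots can be targeted with training.
    per_dept = defaultdict(lambda: [0, 0])
    for r in recipients:
        per_dept[r.department][0] += 1
        per_dept[r.department][1] += int(r.clicked)

    return {
        "recipients": total,
        "click_rate": clicked / total,
        "report_rate": reported / total,
        # Median rather than mean so one very late report does not distort the figure.
        "median_minutes_to_report": median(report_times) if report_times else None,
        "click_rate_by_department": {d: c / n for d, (n, c) in per_dept.items()},
    }


def weakest_department(metrics: Dict[str, object]) -> str:
    """Department with the highest click rate; the first candidate for extra training."""
    by_dept = metrics["click_rate_by_department"]
    return max(by_dept, key=by_dept.get)


def compare_campaigns(baseline: Dict[str, object], follow_up: Dict[str, object]) -> Dict[str, float]:
    """Change in the headline rates between two campaigns (negative click change is good)."""
    return {
        "click_rate_change": follow_up["click_rate"] - baseline["click_rate"],
        "report_rate_change": follow_up["report_rate"] - baseline["report_rate"],
    }


# Constructed sample results: a baseline campaign before training ...
BASELINE = [
    Recipient("a.smith", "HR", True, False, None),
    Recipient("b.jones", "HR", True, False, None),
    Recipient("c.brown", "HR", False, True, 45.0),
    Recipient("d.patel", "Finance", True, False, None),
    Recipient("e.khan", "Finance", False, False, None),
    Recipient("f.lee", "Finance", False, True, 15.0),
    Recipient("g.evans", "Finance", False, False, None),
    Recipient("h.moore", "Planning", True, False, None),
    Recipient("i.clark", "Planning", False, False, None),
    Recipient("j.wright", "Planning", False, False, None),
]

# ... and a follow-up campaign for the same staff after regular training.
FOLLOW_UP = [
    Recipient("a.smith", "HR", False, True, 10.0),
    Recipient("b.jones", "HR", True, False, None),
    Recipient("c.brown", "HR", False, True, 5.0),
    Recipient("d.patel", "Finance", False, True, 30.0),
    Recipient("e.khan", "Finance", False, False, None),
    Recipient("f.lee", "Finance", False, True, 20.0),
    Recipient("g.evans", "Finance", False, False, None),
    Recipient("h.moore", "Planning", True, False, None),
    Recipient("i.clark", "Planning", False, True, 60.0),
    Recipient("j.wright", "Planning", False, False, None),
]

if __name__ == "__main__":
    base = campaign_metrics(BASELINE)
    later = campaign_metrics(FOLLOW_UP)
    print("baseline:", base)
    print("follow-up:", later)
    print("weakest department at baseline:", weakest_department(base))
    print("change:", compare_campaigns(base, later))
```

Tracking the report rate and the time-to-report alongside the click rate matters: a falling click rate shows that staff are harder to fool, but a rising report rate and a shrinking time-to-report are what give the incident-response team early warning when a real attack arrives.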
As local councils struggle to protect more and more data from increasingly sophisticated attacks, phishing assessments represent an exercise that can unite all council staff with an up-to-date knowledge of – and a renewed determination not to fall for – phishing attacks.