Dealing with the threat of cyber-attacks (Guest post)

Recent research revealed that only 35% of local authority leaders think their staff are well equipped to deal with cyber threats. Simon Merrick, principal digital transformation consultant at, discusses how councils can protect themselves from attacks and deal with the situation should they become the latest in a long line of victims.


What should councils be doing to protect themselves from cyber-attacks?

Councils need to make it hard and uninviting for cyber-attackers, both inside and outside the organisation. If there is an attack and personal data is lost, the potential fines for breaching regulations are significant. These become even more severe from next year when GDPR comes into force. Councils should ensure that cyber-security is registered as a corporate risk item and it should be discussed at the most senior level.

Leadership, like the establishment of a Chief Information Security Officer (CISO), is crucial to establishing and then maintaining an appropriate level of protection. Organisations can spend significant sums on cyber-security, so it is important to understand where risk resides and what risks can be effectively mitigated.

As a minimum, protective measures should include regular and coordinated vulnerability and penetration testing, and organisations should be ensuring software is regularly patched to remove identified security holes that can otherwise be easily exploited. Depending on the risk, threat intelligence services may also be useful in helping to identify potential threats to an organisation. Simulations, such as phishing attacks and ransomware attack rehearsals, can be effective in both training and keeping security front and centre of everyone’s mind.


If an attack does get through defences, what plans can councils put in place to minimise damage?

Attacks are going to happen, no matter how much protection is in place. So the question should be: what do we do when an attack takes place and our defences are breached? What is important here is to put in a tested and rehearsed response. Rehearsing and planning this response should include everyone who is involved with detection, mitigation and resolution. This means IT, and possibly relevant service providers, legal and marketing or PR. Establishing a cyber-incident response team can help draw together the right people and focus the organisation to quickly mitigate an attack.


How can councils ensure they have the skills (internally or from outside) required to deal with cyber threats?

This is all about looking at the risk and threat profile of an organisation. Organisations naturally think that cyber-security is all about the IT security skills, those blessed with the dark arts of cyber-security. The reality is that it is a mix of skills that will successfully steer the organisation through this particular business threat.

Councils should first understand what is at risk, and what is of value to the organisation, or to a hacker or disgruntled employee. A CISO can help provide both the technical and executive guidance to ensure that councils then bring in and maintain the right blend of skills, whether permanent or contracted.


How can councils select the right cyber security approach?

There is a great deal of guidance from government bodies such as the NCSC and the ICO. But all will agree that a multi-layered approach is needed. That means looking at the technology protection, training, governance and working closely with service providers and third-party vendors to understand their security. Achievement of international or British standards, like ISO27001, can also establish the processes and procedures to underpin a sound cyber-security approach.


How do you overcome the mindset shift needed to ensure an effective, multi-layered cyber-security strategy works across multiple departments and operational domains?

Unfortunately, often it is not until a real attack happens that a temporary but effective mindset shift occurs across an organisation from the Board down. However, even with a real attack, old behaviours quickly resurface, unless there is a sustained and resourced effort to change attitudes.

Employing a CISO can help establish and direct a multi-layered strategy, but the CISO must have the necessary risk-based budget to deliver against this strategy. What the budget covers is very much a question of understanding the organisation’s risk profile and appetite.

