Why cyber resilience really matters to local authorities

As Cyber Resilience Week (which runs until 15 September) continues to draw attention to the need for effective cybersecurity management, councils are being urged to consider how effective cybersecurity can save taxpayers money.

“Local authorities should consider that cyber resilience can also be seen as protecting taxpayer money, along with many other reasons, of course,” says Simon Merrick, managing digital transformation consultant at Agilisys. “The £70K fines handed out by the ICO to two authorities recently mean that, in effect, £70K of council revenue is now out of the window, going into the hands of the ICO’s sponsor department, the Department for Culture, Media and Sport, which ultimately then goes into the UK Treasury Consolidated Fund.

“Councils must make up that £70K and absorb the costs of the breach, which may include damage compensation to subjects. They will also look to invest further to reduce the risk of the breach recurring. Surely it’s better to take a long-term, risk-based investment view now to account/budget for the fact that a breach, malicious or accidental, is going to happen?”


Supplier resilience

Simon goes on to add that the cyber resilience of any organisation is also strengthened or weakened by the cyber resilience of its suppliers.

“Most councils will have Cyber Essentials certification themselves, and the government mandated from October 2014 that any suppliers bidding for public authority work must also have this certification. But the scheme should be looked at by all organisations, private and public, as a badge of achieving basic but fundamental security measures.

“Cyber Essentials and Cyber Essentials Plus certification needs to be completed annually, so it ensures organisations are doing the basics, such as patching, and identifies key external vulnerabilities.”


Effective leadership

With ever-changing technology and evolving threats, another key element that Simon mentions is that effective leadership must be in place.

“Having a Chief Information Security Officer (CISO) is crucial, in my opinion, to ensuring that an authority is spending its budget wisely on the right layers of risk mitigation, whether technical or organisational. Such a role can be shared between authorities too, or they could consider taking advantage of a virtual CISO service, which removes the hassle of finding and keeping this experienced and often expensive resource.”


GDPR

The final aspect of cybersecurity that Simon mentions is the much-talked-about GDPR implementation. Simon, along with Alan Calder, CEO of IT Governance, recently hosted a trio of GDPR-related webinars.

“Strong and well-maintained cybersecurity means less likelihood of a malicious or accidental data breach, so cyber resilience ties in with GDPR,” explains Simon. “One leads to the other.”
