An increasing risk of a cyber attack is facing Bristol City Council due to delayed critical IT updates. Millions will soon be spent on updating many IT systems the council uses, but some updates will only come after current systems stop being protected from viruses.
A crucial gap lies in between when current software — used for work like managing repair jobs in council flats — reaches the end of its life, and when the new software is rolled out. End-of-life software is a key target for cyber attacks, as new security patches are no longer created.
Once the software is eventually rolled out, due by May next year, City Hall chiefs hope council services will become easier to use for tenants, staff and contractors. Currently some software is reportedly fiddly, difficult to use and often needs 'time-consuming workarounds'.
Read more: Battle to save Kingswood playing field trees that overshadow neighbour's garden
Last week the cabinet signed off plans to spend £7.5 million, choosing a preferred IT contractor to roll out new systems in the authority’s housing department. This could result in a new app for tenants to use, and many processes like reporting issues becoming more automated. But concerns about delays to the roll out were raised at a cabinet meeting.
Labour Councillor Tom Renhard, cabinet member for housing, said: “We have very old systems in IT across our housing and landlord services. They have been in dire need of an update for a long time — whether it’s our asset management tools, the systems with which customers report repair issues, the systems which allocate repair jobs, or tracking inventory.
“There’s still a long way to go. We know that implementing a new IT system can be very challenging and is not without its risks. But it will mean a much improved service for residents, much improved functionality for our staff as well, and more broadly it amalgamates a lot of systems into one provider.”
Software companies often provide maintenance patches to fix newly found security issues, to prevent hackers from exploiting any vulnerabilities and launching a cyber attack. Patches respond to emerging technology and hacker methods. But after a while, companies stop supporting old software with patches and bug fixes, and the software reaches end of life.
Spelling out the risk facing Bristol City Council, a cabinet report said: “We are clear that the main drivers for the programme are the age, inbuilt redundancy and cost of the current housing systems. They do not support current business processes as well as they could, so bring with them inherent issues around data and security vulnerabilities.
“Current housing IT systems will be fully or partially out of manufacturer support in 2024. This means that as well as a lack of manufacturer support, they present security vulnerabilities and their ongoing use is not permitted by UK government organisations.
“Some component parts of older systems have already reached this point and their continued use is only permissible while a suitable alternative is found. The first major system will reach end of life in December 2023. This is critical to the delivery of repairs and maintenance services.”
Council bosses were questioned on this gap between when the old software stops being protected and when the new software comes online, during the meeting. Green Cllr David Wilcox claimed council tenants could potentially face a loss of critical services.
He said: “Services are said to be at end of life and out of support before you’re planning to bring the new service online. I’m concerned that there might be a loss of service for our residents, and I don’t want to see that. Do you know of any IT project that has been delivered on time and to budget?”
Cllr Renhard replied: “All current housing systems will continue to be supported until the new platform is live. Some will stop being supported by the suppliers, others won’t be. In some cases what we’re doing is extending by a year, which means we’ll have the extended system overlapping with the new systems coming online.
“But I can’t say IT is my forte. The cynic in me reckons that we may well overrun, and that’s why we have got contingencies in place. The implementation of this is, sort of, May onwards in 2024, so obviously the new committee system will keep it on track once it’s in.”
The new IT updates are expected to save the council millions in automating many processes. For example, the council currently processes thousands of paper invoices from contractors each year, costing £25 for each invoice — even though the technology is readily available for processing them digitally and much more cheaply.
Last month, Royal Mail was hit by a high-profile ransomware attack, temporarily preventing the postal service from sending parcels or letters abroad. In December last year, the Guardian was also hit by a ransomware attack, with personal data of the newspaper’s UK staff accessed. And in December 2021, hackers attacked Gloucester City Council.
Read more:
Man blasts e-scooter rider for dangerous parking on 'savage' road
UK weather: When 'Beast from the East' could hit UK amid -7 freeze
Sad state of Banksy's Bristol 'Valentine' mural pictured three years on
