On Friday 12 May at about 3.45pm, news broke of a large scale cyberattack on the NHS, and my council had to act fast. By 3.54pm we were activating our emergency plan, testing our network and assessing what actions we had to take to protect our systems. Seven minutes later, we closed our connection to the NHS network, disabled internal staff access to our website and began a series of communications.
Staff worked into the evening and Saturday morning to monitor the impact, carry out tests and brief key people. We were ready to act, and had a plan. That did not happen by chance. It reflects the anxiety we have about cybersecurity.
We recognised cybercrime was emerging as one of the top risks for our organisation, so last summer, despite so many other competing priorities and demands, we began to develop a dedicated cybersecurity plan.
We identified a lead champion for cybersecurity, a talented and enthusiastic officer who was given a clear mandate from our senior team to promote awareness, ask difficult questions and highlight parts of the organisation most at risk in terms of culture and practice. She commissioned external tests of our resilience to cyberattack, presented an analysis to our leadership team, assessed the effectiveness of our application of patches to respond to system issues, trained our staff, and developed an emergency response plan. This process highlighted the scale of the issue, making it clear that within the previous nine months we had experienced 289,000 viral attacks to our systems.
Most importantly, we tested our resilience to assess how the workforce would respond to a cyber threat. Our ICT team sent a dummy message to 1,500 staff, involving various stages including finally asking staff to enter login and password details. The results were sobering. We had the expected surge in calls to the helpdesk, and many spotted clues raising doubts on authenticity, but many didn’t, with 17% of staff going through stages which would have enabled a ransomware attack to succeed.
This shows us there is more we need to do. If you haven’t done something similar, I would strongly recommend it. Assessing your organisation’s current risk, in terms of people and systems, is the first thing I would undertake. Second, develop a response plan, and be prepared to test it. Any investment is difficult in the present financial environment, ut this should be set against the huge financial costs and the cost to your organisation’s reputation in the event of system failure. And of course, cybersecurity should be built into contractual arrangements with all suppliers.
Despite all the concerted efforts to tackle cyberattack, we never think it can’t happen here. It’s similar to protecting a house from burglary. We can lock the doors and windows, get CCTV, and invest in ever more sophisticated systems, but the combination of human fallibility and a determined assailant can break through this.
The local government sector needs persistence and determination to tackle cybercrime, as I know well from my role as deputy spokesperson for civil resilience and community safety for the Society of Local Authority Chief Executives and Senior Managers.
Councils’ relationship with technology will be a defining element of public services in the future, and threats to our systems ever present. We need to be as ready as possible.
Robin Tuddenham is director of communities and service support at Calderdale council and deputy spokesperson for civil resilience and community safety, Society of Local Government Chief Executives (Solace).
Sign up for your free Guardian Public Leaders newsletter with comment and sector views sent direct to you every Thursday. Follow us: @Guardianpublic
