Cyber attacks on UK councils’ remote workers more than tripled during the pandemic, according to a series of Freedom of Information (FOI) requests.
The requests made by technology specialist Insight found attacks rose by an average of 213% from March 2020 compared to the 12 months before. This might not seem surprising, as on average councils switched 74% of their employees – more than double the UK average, and representing more than 1.4 million workers across the UK – to remote working during the pandemic.
Insight says this presents a real challenge for councils, especially within essential services like health and social care, that have had to adapt to remote working during the pandemic, all while under significant budget pressures. Just 20% made additional investments in security, investing an average of £46,000 – in all cases taken from the wider IT budget.
As a result, investments in security came at the expense of other IT services. With increased remote working set to continue in 98% of councils, attacks targeting employees at home will only continue to increase, and investing in security needs to become a priority.
“The fact that councils could move their employees to remote working without disrupting services needs to be recognised for the major achievement it was,” said Darren Hedley, Managing Director, UK & Ireland at Insight. “However, councils now need to build on this success: putting in place and strengthening defences to protect remote workers and eliminate gaps in security that could allow attackers to threaten essential services. It’s likely that many councils cannot do this alone. They need support and resources from central Government, or else we will see more and more employees and councils falling victim to attackers.”
There are significant questions around how prepared councils are for long-term remote working. Less than half (47%) of councils invested more of their security budget in increased security training for remote workers, even though such training will be essential for an expanded remote or hybrid workforce. At the same time, only 6% prevented any employees from working remotely because it wasn’t possible to guarantee secure access to data. This is understandable given the need to switch to remote working, but only 50% of councils invested more in security posture assessments to understand any impacts from the move to remote working and identify any gaps in security. As a result, many may have enabled remote working without fully understanding the risks to employees and the organisation.
“Clearly the priority in 2020 was enabling remote working, but more than a year into the pandemic it’s worrying that many councils still haven’t been able to assess their security posture,” said Charlotte Davis, Cyber Security Practice Lead, Insight. “These assessments need cover the entire threat landscape, including third party risks, and honestly analyse gaps in the organisation’s security posture. Once this is in place, councils can take the appropriate action to repair any gaps, from investing in technology, to building security awareness and putting frameworks in place so employees can follow best practice. Doing this will demand time and resources, so it’s essential that councils are given the support they need.”