Could local government be next in line for a cyber-attack?
Back in late 2016, Databarracks, the digital security company, issued Freedom of Information requests to all councils in London seeking information about the computing software in use across the city’s local authorities. The data showed that over 60% of London boroughs were using software more than a decade old, while some councils were still using Windows Server 2000. Software that is no longer updated is far easier to hack, and the lack of up-to-date security patches is putting huge amounts of highly sensitive local government data at risk.
As council budgets are squeezed, many are struggling to cope with the most basic of services, especially with social care and housing both on the point of crisis. Many councils simply cannot afford to restructure and update their IT infrastructure.
Local government must protect the vast amounts of data it holds, and yet there are many restraining factors in making changes to IT systems within local authorities. Public sector organisations often purchase IT infrastructure with capital assets but, just like a new vehicle, the software diminishes in value as soon as it is installed. Moving to a cloud-based service could mitigate some of this risk but, again, server overheads and contracts with external data centres cost further capital. Trade-offs inevitably take place, with capital expenditure on one hand and infrastructure updates on the other. For local authorities, the average life of a council term equates to four years. In the cycle of IT software, this is not a long time at all. Councils need greater forward thinking in the field of IT infrastructure if they are to mitigate the risk of security breaches.
The same situation can be seen in other public sector organisations.
According to Freedom of Information requests issued by security firm Citrix to NHS trusts across the country, 90% of those that responded admitted they are still using computers running Windows XP, an operating system which was first released in 2001. Similarly, the Metropolitan Police Service (MPS) said that 19,000 of its computers are running Windows XP, although this figure is down from 27,000 last August. Not only is this out-of-date software insecure and inefficient, but the MPS is also paying Microsoft an additional £1.65 million for extended support of software which is no longer universally supported or updated in the public domain.
In the aftermath of the cyber-attacks on the NHS network, it is clear that local authorities, particularly those operating on outdated Windows platforms, are at risk from a future cyber-attack targeting local public services.
IT infrastructure is just one of many seemingly innocuous issues local government faces which, on the surface and when measured against rising adult social care costs for example, simply do not command their attention or the redirection of finance in quite the same way as frontline services do. Perhaps the cyber-attacks are the wake-up call the public sector needs. The lack of attention and funding given to cybersecurity is a worrying trend. It once again highlights the increasing need for local councils to learn from their peers elsewhere in local government, and to look beyond the sector to seek out effective partnerships to generate the cash revenue required to address the simplest of IT infrastructure.