uch has been said about smaller municipalities and their lack of resources and qualified cybersecurity staff but little about what to do about the problem of helping smaller municipalities. In the UK the Government, as part of the “National Cyber Security Strategy (2016-2021), awarded the LGA funding from the Cabinet Office to make certain that along with others in the public sector local councils are “as resilient against cyber-attacks as possible”. The purpose of the programme is to support councils, either by themselves or in partnership, to strengthen their “cyber” resilience where weaknesses have been highlighted in the recent Cyber Security Stocktake”. Threats obviously can not be eliminated completely, but the risk can be contained to allow for a continuity of services offered by local councils.
The first stage of the programme consisted of a “Stocktake” (more will be said about that in another blog) of the cyber security arrangements” in the summer of 2019 of councils in England. All councils in England were part of the programme and were expected to use the assessment from the Stocktake to help them bid for funding. This phase is now closed. Priority was given to those councils that had urgent issues identified by the Stocktake and needed to be addressed.
During Phase 1 the types of bids supported were typically:
Employee awareness and training
Funding consulting and advice activities to improve cyber security arrangements to gain compliance under certain standards (for example, IS0270001)
Technical training courses for IT employees
Funding for running phishing exercises
Phase 2, it seems, recently closed. In part, the second phase was dedicated to fixing those issues identified in the Stocktake from phase 1 and had not yet been fixed. They also focused on individual or joint bids between councils and partners to consolidate the work across the local government sector by joining up activities and resources and, in doing this, developing cyber resilience in the sector and building general capacity in the sector.
Most interesting during Phase 2 was the call for individual or joint bids between councils or partners to “pilot/explore/develop a proof of concept” which could be shared with all English local authorities. Examples of projects that could be submitted include:
Training and Awareness: The LGA cited those that explore sustainable solutions for staff training and awareness.
Developing technical training programmes for IT staff (including , for example, PEN testing, simulation exercises, etc.)
Developing a “sector led approach to disaster recovery and incident response and, most importantly, a model of peer support to deal with incidents.
Developing recommendations on “effective governance around cyber resilience”.
All of these projects would typically beyond the capacity of many municipalities but with the help of a funding programme like the one run by the LGA with its focus on collaborative projects much more could be done in other countries across Europe.
Cesviter Consulting Team
n.b. For other information on LGA and its activities, go to https://local.gov.uk