
This blog post was published under the 2015-2024 Conservative Administration

The cyber security pre-discovery: what we’ve learned and what happens now

Categories: Cyber, Local Digital, Local Digital Team

The Local Digital Collaboration Unit have published their findings from a 40-day pre-discovery into cyber security in local authorities.

The team set out to form a picture of the current cyber security threats, challenges and capabilities that exist at a local government level. We wanted to understand how central government can reduce cyber risk in support of, and collaboration with, local authorities. You can read more about our goals and expectations for the pre-discovery in an earlier blog post.

This work has enabled us to identify a range of opportunities to increase cyber health in local authorities, which will be prioritised and explored. 

Additionally, from a survey derived from NCSC’s tips for mitigating malware and ransomware, we identified some local authorities that have technology configured in a manner that reduces their ability to recover from a breach or attack. As a result, these local authorities have been offered support. If your council has not yet completed the survey, please get in touch with the team.

What we did

During this pre-discovery we:

  • conducted desk research into local government cyber security and absorbed previous reports, findings and policy
  • performed stakeholder interviews with people from 10 external organisations
  • performed user research interviews with IT professionals from 5 local authorities
  • analysed and compiled results from a survey of local authorities on technical practices
  • analysed research results 
  • generated a series of hypotheses

This pre-discovery was vital in order to rapidly understand the landscape and gather evidence from councils and stakeholders. As we move into the next phase we will validate our findings and focus on the elements that will have the greatest impact on cyber health and resilience.

Possible threats and vulnerabilities at a local authority

Forming recommendations

We looked specifically at three phases of cyber incident management: protecting against an attack, responding to an incident, and recovering from an incident. 

By exploring the services that already exist in these phases, supported by user research and analysis of the ransomware survey, we were able to generate over 60 hypotheses. We then grouped them into nine wider hypotheses that were presented to key stakeholders during a workshop.

As a result, we have prioritised three key themes that will form the basis for further work:

  1. ‘Secure by design’: If local authorities build and maintain services with cyber security principles in mind, they are less vulnerable to cyber attacks. We will look to understand cyber risk across end-to-end services (such as reporting a missed bin collection and holding citizen data) to identify where we can help local authorities ensure they are creating a secure end-to-end service.
  2. ‘Standards and technical guidance’: Cyber security risk would decrease at local authorities if they subscribed to clear standards, expectations and goals. We will look to understand what standards and guidance currently exist, the gaps, and what some local authorities are struggling to adhere to.
  3. ‘Ownership, responsibility, accountability’: Cyber security risk would be reduced if the behaviours, ownership and responsibility for cyber health at local authorities were improved. We will look to understand the current behaviours and ownership around cyber security within local authorities and understand how (and if) these behavioural changes could impact on an organisation’s cyber health.

Gaps and limitations

There are several things we feel may have enhanced our research. 

Given time and scope, we would have liked to:

  • gain a greater understanding of current cyber security standards, including technical, assurance and governance
  • gain a greater understanding of the context behind the quantitative ransomware survey responses
  • gain a greater understanding of private sector service provision, tools and training

This work was conducted during the lockdown imposed as a result of the coronavirus (COVID-19) pandemic, meaning all research and interviews were conducted remotely. We would like to take this opportunity to thank everyone who took the time to speak to us on matters that may not have been considered the first priority for councils during that time.

Read the full report

The full report is now available to view on the Local Digital website. If you have any questions about the report or our findings, please email

Take part in the next stage of our work

MHCLG’s Local Digital Collaboration Unit are currently conducting research into how to effectively increase cyber resilience and security within local authorities. Your input will help us shape the right support for the right people.

If you are working within a local authority and have responsibility for cyber resilience, and would like to participate in our work, please complete this short form.

Your participation will involve 2-3 one-hour sessions over the next 10 weeks (25th May - 24th July), at a time that’s convenient to you. Each one-hour session will be held remotely via a video conferencing tool.
