During the cyber security discovery last year, we identified five areas of opportunity for MHCLG to support councils in improving their cyber health. One of these areas was technical remediation: providing support to councils identified through the survey on mitigating malware and ransomware.
In November, a Cyber Support team was formed within the Local Digital Collaboration Unit to work with councils to reduce their cyber risk. The team is providing immediate support and guidance in order to increase councils' resilience against malware and ransomware attacks.
The Cyber Support team’s work is running alongside the Cyber Health project, which is looking to provide clarity on what good organisational cyber health looks like.
What we’ve done so far
The team began by reviewing the results of the Mitigating Malware and Ransomware survey that was sent to councils in February of last year, and was completed by 237 councils. We encourage any councils who have yet to do so to complete the online survey.
We identified 7 key areas that will provide the highest impact in reducing the threat from ransomware attacks:
- Backups - analysing the council’s backup service configuration, including existing backup architecture, controls, isolation, offline/recovery and validation of recovery.
- Use of Multi Factor authentication (MFA) relating to Cloud / Software as a Service (SaaS) administration and access mechanism protection.
- IT health check - ensuring Principal Security Concerns and resulting activity is reflective of the current threat landscape.
- NCSC ACD - onboarding and utilisation of the National Cyber Security Centre (NCSC) Active Cyber Defence (ACD) services.
- Operating Systems - identifying legacy unsupported operating systems, vulnerability visibility within IT estate, containment options and hardening.
- Active Directory - privileged user account assessment and active directory architecture.
- Logging - logging capability, coverage, compromise indicators and enhancement opportunities.
Each of the seven focus areas are broken down into multiple topics for targeted analysis and review. For example, Logging consists of the following topics:
- Centralised Logging
- Captured data
- Retention periods
- Alerting and triage
Each topic is being reviewed as part of one or more collaborative workshops with the council to identify what capability is currently in place, potential cyber enhancements, and support requirements.
Our findings so far
We were pleased to find that councils have continued to make improvements following the collaborative cyber workshops. Following delivery of the MHCLG Cyber Report and Cyber Treatment Plan across all councils, there is a recognition of the importance of cyber security and a commitment to improving cyber health.
We have started analysing the information gathered as part of the workshops and ongoing cyber support sessions. Some initial findings are highlighted below and we will publish further updates as we continue to work through the data:
- Although all councils performed an IT Health Check in 2020 with comprehensive corrective action plans in place, we identified that all councils required cyber enhancement across the focus areas assessed. This highlights the need for continuous development of IT Health Check scopes to ensure they maintain pace with emerging cyber threats.
- Logging is a common area that requires attention. While logging is in place for the majority, a centralised strategic logging solution with automated event analysis is typically not in place. Without this capability, council IT teams expend a large amount of effort triaging log events.
- Uptake of NCSC Active Cyber Defence services is very high across all councils, with 100% take-up of WebCheck, Exercise in a Box (EiaB) and Early Warning, and MailCheck take-up at just under 90%.
What happens next
We’re working with the selected councils to agree a roadmap for improving their cyber health. This will increase councils’ resilience against ransomware attacks and help cyber professionals within local authorities to communicate with senior leaders about issues.
We will also be providing those councils with support to fix any issues, as well as continuing to analyse and identify commonalities from our workshops and support sessions. This will assist us in developing reusable tools and actionable targeted guidance, all of which we will make more widely available.
Have your say
We welcome further collaboration and input from those working in and around local government cyber security, so please email us if you have any strong evidence to support our research.
We also welcome feedback on our cyber support service. By completing this short survey, you will be helping us to shape future workshops and the support we provide to other councils.
If you have not done so already, please complete the Mitigating Malware and Ransomware survey to help us understand the mitigations your council has in place to reduce the risk and impact of malware and ransomware attacks.
Follow our progress
We are working in the open and holding regular show and tells to share our findings and knowledge, as well as progress updates and ongoing activities. If you are working in a national or local government agency and would like to join us, the next one is taking place on 26 March, 11:30am - 12:00pm.
There are a number of other ways you can stay in touch with our work: