Managing cyber security maturity and business risk within local government

As public councils embark on and continue their digital transformation journey, there is a growing need to counter the risk of a breach by taking the maturity of cyber security practices from a state of reactive, to proactive, and even to predictive.

Healthy cyber security is key to the efficient and productive running of every council; a cyber security incident can be highly disruptive, leading to loss of data and loss of availability of services to the public.

Councils have a growing need to maintain public trust by limiting the likelihood of a cyber attack. The impacts of a breach can be far-reaching, ranging from service delivery issues to financial loss, from non-compliance to reputational damage, and even to the work health and safety of both council staff and the public.

The rising cost of a data breach

In my recent blog on key cyber security trends, I referenced a recent study showing that the average cost of a data breach has now reached over $4 million, a record high reached during the pandemic across all industries, including local government.

Last year, local councils reported over 700 data breaches to the Information Commissioner’s Office (ICO) – which equates to almost two per day.

With the increasing digital transformation of councils, and the integration and interconnection of systems that it requires, the potential for breaches is only set to rise.

Whilst there is no longer a minimum requirement for providing digital services at a local government level, the reality is that most council leaders recognise the need to invest in emerging technologies as part of a smarter cities program of work involving the adoption of the Internet of Things (IoT), artificial intelligence and machine learning.

Each of these technologies brings its own considerations for managing risk.

The importance of stakeholder engagement in managing risk

Whilst threats cannot be eliminated, the risks can be greatly reduced, which leads to increased confidence in the huge benefits that digital technology brings to the public sector.

For councils at the beginning of their digital transformation journey, the starting point for any cyber security program is in the boardroom, with the need for stakeholder awareness.

Security awareness for stakeholders is the initial building block for embedding cyber security in a council and developing a positive cyber culture throughout the organisation. As the UK’s National Cyber Security Centre (NCSC), part of the Government Communications Headquarters (GCHQ), puts it, cyber security is not just about ‘good IT’; it must enable an organisation’s digital activity to flourish. This is where cyber security can be an enabler on a council’s journey to maximise value for money for ratepayers.

Stakeholders need the right information to make well-informed decisions about the risks they face. That starts with understanding the organisation’s current cyber security baseline: what is important to the council and which information needs to be protected. It also means looking at the organisation through an adversarial lens: what might interest an attacker, who might target the organisation, and why.

Laying the foundations for stakeholder engagement

As an initial assessment, councils should evaluate themselves against the most practical security requirements and controls that will benefit the organisation. The assessment should also identify current vulnerabilities, which provide concrete evidence that gaps exist.

For those driving a security program, the key to articulating current cyber maturity levels effectively to stakeholders is to translate them into business risk, which in turn enables the organisation to make well-informed decisions.

Because a security program takes stakeholders on a journey, it is important to report regularly on how cyber security maturity within the organisation is progressing and how business risk is being optimised as a result.

Cyber maturity management, reimagined

Tools such as ITC’s NAVIGATOR (a cloud-based, intuitive, interactive and continuous digital reporting capability) can help those running security programs to measure and monitor maturity over time, including tracking progress against remediation actions using a set of security metrics that can be communicated to stakeholders.

Security programs should use tools that are simple, intuitive and easy to use, that do not add overhead, and that help to streamline governance, risk and compliance processes. ITC’s NAVIGATOR does just that, enabling organisations to achieve and maintain cyber resilience and compliance while reducing audit overheads.

Being able to visualise the maturity of cyber security within an organisation makes it easier to pinpoint issues and to communicate cyber security posture, and ultimately business risk, to stakeholders.