New data has revealed 15,964 cyber attacks were made against Hertfordshire County Council between January and March of this year, averaging at a rate of 181 per day. The data is included in a report due to be presented to a meeting of the council’s resources and performance cabinet panel tomorrow (9th June).
The report stated that all of the attacks on the council systems were “successfully repelled” within those three months, while adding that “email phishing attempts continue to be the highest threat.” Commenting on the report, Javvad Malik, Security Awareness Advocate at KnowBe4 says: “It’s good for councils to be transparent in the number of cyber attacks they have been facing. Although the 16,000 number probably includes low risk items such as automated scans of the network, which may not be attacks in themselves.”
The fact that local councils in the UK have, and continue to face a deluge of cyber attacks is well known to the cyber security industry and to government agencies such as the National Cyber Security Centre (NCSC). Aside from receiving millions of spear-phishing emails, local councils also have to defend against cyber threats such as ransomware attacks and malware intrusions that, if successful, cause immense financial losses.
For example, a ransomware attack targeting the Redcar and Cleveland Borough Council’s IT systems in February 2020 inflicted a financial loss of £10.14 million to the Council, forcing it to seek additional budgetary support from the government. The Council said that prior to the cyber attack, it had “industry-standard tools deployed to secure its network” that were configured to provide optimum protection as per the standards set out by the Public Services Network (PSN). However, these measures proved inadequate in preventing the cyber attack.
Tom Davison, Technical Director International at Lookout suggests: “To stay resilient, organisations need to focus on continuous monitoring for attacks, placing security at the new perimeter of remote devices and cloud repositories, and training their users in phishing awareness. Phishing attacks target individual users, therefore a single campaign may result in hundreds or even thousands of individual attacks being directed at an organisation. It only takes one of these attempts to be successful in order for the intended target to become compromised,”
Malik adds: “What is interesting about the (Hertfordshire) report is that the council states phishing attempts continue to be the highest threat. This is consistent with what is being reported in all verticals across all sizes of organisations. So investing in a robust layered protection against phishing emails should be a priority. This includes technical controls, procedures, and providing the right security awareness and training to staff.”