Cyber attacks have resulted in data breaches and losses at three Scottish councils, according to a new report that reveals the extraordinary scale of security threats faced by local authorities.
An investigation by Big Brother Watch – a civil liberties organisation – reveals that UK councils suffered more than 98 million cyber attacks in the past five years – equating to 37 cyber attacks every minute.
Edinburgh came fourth in the UK for the number of cyber security incidents.
Big Brother Watch also found that while councils are accumulating troves of sensitive and personal information about citizens, there has been an “overwhelming failure” to report losses and breaches of data.
The group also identified shortcomings in staff training.
The investigation, based on freedom of information requests, reveals that 25 councils experienced a loss or breach of data but more than half of these went unreported.
Scottish councils who suffered cyber security incidents resulting in data breaches and losses were Shetland with two, and both Dundee City and City of Edinburgh with one each.
City of Edinburgh had 11 cyber security incidents in total. The highest number recorded in the UK was Tonbridge and Malling with 62.
Although human error is the main factor for a hack to be successful, the report said that three in four local authorities do not provide mandatory cyber security training to staff.
Some councils in Scotland could not even say how many people had been provided with such training.
They included Aberdeenshire, Argyll and Bute, East Lothian, East Renfrewshire, Moray, Perth and Kinross, North Lanarkshire and Scottish Borders, who all said “information not held” for the report.
Highland Council revealed that none of its staff had been trained in cyber security awareness. Furthermore, several councils told Big Brother that “no specific budget” had been allocated for cyber security.
They were East Ayrshire, East Lothian, City of Edinburgh, Fife, Highland, Inverclyde, Midlothian, Orkney and South Ayrshire.
Big Brother Watch said its findings, covering the period 2013 to 2017 inclusive, raise concerns about the ability and commitment of local authorities to fend off cyber attacks.
Local authorities need to take urgent action and make sure they fulfil their responsibilities to protect citizens. Jennifer Krueckeberg, Big Brother Watch
Jennifer Krueckeberg, lead researcher at Big Brother Watch said: “With councils hit by over 19 million cyber attacks every year, one would assume that they would be doing their utmost to protect citizens’ sensitive information.
“We are shocked to discover that the majority of councils’ data breaches go unreported and that staff often lack basic training in cyber security.
“Local authorities need to take urgent action and make sure they fulfil their responsibilities to protect citizens.”
Other key findings of the report were that 297 authorities (75 per cent) do not provide mandatory training in cyber security while 62 (16 per cent) councils do not provide any cyber security training at all.
Big Brother Watch said that local authorities must “appropriately prioritise cyber security”.
The report added: “Instead of investing in surveillance technologies, councils should invest resources on the development of cyber security strategies and the training of staff. “
Other recommendations were that all staff should receive mandatory training in cyber security and all cyber security incidents should be consistently reported.
“Local authorities need to establish a simple protocol that allows them to report incidents to the right authorities, whether the police, Information Commissioner’s Office or the National Cyber Security Centre,” the report said.
It added: “This would ensure that threats are dealt with appropriately and that authorities’ propensity to attacks is monitored. Furthermore, local authorities should utilise the National Cyber Security Centre’s definitions of cyber attacks and cyber security incidents to ensure consistent reporting.”
Pat Walshe, Director of data protection at Privacy Matters, said: “The Big Brother Watch report reveals inconsistent approaches to safeguarding personal and sensitive data held by local authorities.
“It highlights the pressures faced by local authorities in a world of diminishing resources but increasing demands. It will be important that local authorities receive appropriate support moving forward.”
In reply, finance and resources convener at the City of Edinburgh Council, Councillor Alasdair Rankin, said: “The ongoing security of the council’s network and systems is critically important. We are extremely vigilant and regularly review and enhance our security measures to ensure the safety of the data we process.
“We provide clear guidance to our staff and there is an information security awareness campaign underway. Our IT staff also work with our technology providers to ensure that any risks associated with cyber attacks are dealt with swiftly and robustly.”
A Dundee City Council spokesperson said: “We fully recognise how important our cyber security is and we are doing everything we can to safeguard the council against attacks.“
Shetland Islands Council was asked for a comment but had not provided one at time of publication.
A ‘cyber attack’ is defined by the UK’s National Cyber Security Centre as ‘a malicious attempt to damage, disrupt or gain unauthorised access to computer systems, networks or devices, via cyber means.
A ‘cyber security incident’ is defined as ‘a breach of a system’s security policy in order to affect its integrity or availability or the unauthorised access or attempted access to a system’.