Managing cybersecurity in local government
Local government is a paradox in many, many ways. Local councils are responsible for delivering critical services to their residents, from social care and education, to managing public health in times of crisis.
But they are also chronically underfunded, often ignored by central government, and are probably not the first option for ambitious young techies.
Still, their importance is recognised by one group. Ransomware gangs and other cybercriminals are paying plenty of attention to local government. In 2022, UK councils were hit by 2.3 million cyber attacks by August alone.
So how do tech leaders in the sector square this increasingly vicious circle?
Murat Dilek is Enterprise network and cybersecurity team leader for Falkirk Council in Scotland.
As he explains, “anything from an infrastructure perspective, I’m responsible.”
In the case of Falkirk, that means the council’s corporate estate as well as education. The latter spans 55 primary schools, nine high schools, and 50 office locations. Hardware wise, that means 600 servers and 9000 other devices, ie, laptops and desktops. The council has around 7000 employees in total.
In 2019, it moved to a zero trust implementation and SD-WAN which coincided with relocating its datacenter and a shift from a traditional hub and spoke network.
That meant workers within its “corporate” estate – amounting to 4,000 laptops – could work from anywhere. But that presents other challenges in terms of patching and remediation.
“Late 2022 I did recognise that we were jumping from one tool to another to another trying to get information and do the remediation,” Dilek says.
This is something that has become more pressing as local government has been increasingly been fingered as an easy target for ransomware gangs.
Fakirk Council had staffers – like him – who wore multiple hats and handled specific cybersecurity tasks, such as firewalls, but “There was no day to day manager.”
As the ransomware threat became more apparent, he explains, “That generated so much noise within the chief executive level, senior management level.”
The result was signoff “to create a SOC team…and recruit a cybersecurity engineer”.
But the cybersecurity skills shortage meant this was virtually impossible. So, Dilek grabbed another hat himself taking on part of that role, while looking for people he could train up into cybersec over time.
This made it even more important to find ways, in the event of a breach or when managing cyber, “to make things easier for me.”
“If I get a support engineer post,” he explains, “I might get traction, lots of interest. And then I can bring them on board, and then teach them cybersecurity skills.” But training them on multiple tools would require more time and investment.
The upcoming renewal of one of the council’s existing tools gave a chance to change things. This was given more impetus by the requirement to submit an annual IT health check to the Cabinet Office’s Code of Connection Certification. “It’s crucial for us to maintain this…if you don’t have this you basically lose your .gov status.”
The certification process includes identifying risks and vulnerabilities and developing a remediation plan. But, he added, patching was “a constant battle for us.”
He opted for Qualys, and created a PSN Code of Connection dashboard, which produced live data which would be acted on where necessary.
“Not every remediation involves a patch,” Dilek says. But when it does, the ability to update 1000s of machines remotely, over a weekend, makes a massive difference. Even more so, when you consider the logistics of updating devices in schools, which must be done without disrupting classes, meaning school holidays, or weekends.
In the case of a Microsoft patch for schools-based machines, Dilek and his team developed a Powershell script to update 1500 devices over the Easter break. “If you promote work anytime, anywhere, we should be able to patch anytime, anywhere.”
But while technology can make managing patches easier, it can only go far in helping cash-strapped councils attract personnel.
As Dilek points out, a private organization of a similar scale would have a cybersecurity manager, as well as having individuals covering other roles, such as risk manager. That wasn’t an option for Falkirk.
“I created two new posts, with lower grade salaries, and attracted people with the skill set of understanding computer systems and who’d worked in a support environment. And they’re keen to learn new skills.” The strategy was to get them on board, offer them college level training in cybersecurity, backed with funding from the Scottish Government, and coaching.
The team’s current SOC analyst joined the council as a “modern apprentice” during COVID. “Then there was a low grade position available within the organisation. So we offered him a job. We advertised, and his CV was better than anyone else. And he knew the infrastructure.”
The council has other modern apprentices in IT roles. Another apprentice, for which the council didn’t have an open role, now works at an international company in Glasgow, he said.
“So, we are very good with our Gen Z,” he says. That’s despite tech in general, and cybersecurity not being seen as a cool job for youngsters, compared to, say, being an influencer.
And if some unkind commentators might question Gen Z’s resilience in general, and desire to work in tech specifically, Dilek says. “You need to put yourself in their shoes and wind your clock back [insert chosen number of decades. We often forget what we were like then.”