COVID-19 has dominated risk discussions over the last 12 months, but cyber remains a very real and potentially costly threat to public sector organisations. Alison Goodwin, Mark Brannigan, Naomi Cresswell and Oliver Jeffs look at the risks and how organisations can protect themselves.
News of multi-million-pound fines for data breaches and large corporations facing hefty compensation claims can make it appear that cyber is a private sector problem. But, with some local authorities experiencing costs in excess of £10 million following an attack, it’s a risk that every organisation needs to take very seriously.
Cyber attacks are commonplace in the public sector. UK local authorities faced 263 million cyber attacks in 2019 – that’s the equivalent of 800 attacks every hour.
Although the vast majority of these attacks were successfully defended, it’s not always the case. Last year, among those feeling the pain of a major attack were Hackney Council and Redcar and Cleveland Borough Council. For Hackney, it caused significant disruption to critical services, while Redcar had to deal with its online public services being taken down for a fortnight.
In addition to the disruption of services, a cyber attack can have serious financial implications for a local authority. The average cost of a successful attack on a local authority is £430,000, but the worst reported cases have cost in excess of £10.4m.
What’s more, these figures are likely to increase once additional costs such as potential fines and reputational damage are factored in. There’s also a risk of legal action, such as that being pursued against British Airways by customers seeking compensation for its 2018 data breach.
The implications can go far beyond the financial too. Last September, German police launched a homicide investigation when a patient died as a result of a cyber attack at Dusseldorf University Hospital.
Understanding the risk
Given the implications, understanding the risks and what is at stake is essential. As well as holding a large volume of personal data, most public sector organisations also provide critical services such as housing, healthcare and support to vulnerable groups. As holding these hostage presents lucrative opportunities to cyber criminals, safeguarding them is essential.
New risks are emerging too. As Smart Cities become a reality, the risk that a cyber criminal could hack into the systems and control anything from transport infrastructure to healthcare delivery highlights the importance of robust cyber security.
Understanding the quantum of these risks is a valuable exercise. This might include the cost of lost service delivery, the loss of public funds and the cost of recovering them, and third-party liabilities. Understanding the financial implications of a cyber attack makes it easier to prioritise investment in areas such as improving the security posture of the authority and developing proportionate risk transfer strategies, including insurance.
Cyber risk prevention
When it comes to reducing cyber risk, a robust and multi-pronged approach is key. This should include a number of different steps and involve stakeholders from across the organisation. Everyone associated with the authority should be aware of the role they play in creating a cyber resilient organisation.
Assessing IT infrastructure to ensure cyber security and controls are in place can keep the hackers out. The WannaCry attack in 2018 highlighted the importance of this, with many NHS computers frozen because they were running outdated operating systems that left them vulnerable to attack. This remains a key concern for many authorities today, and appropriate mitigation steps should be prioritised to reduce the likelihood and severity of an attack.
Another key component in cyber security is employees. Training them to recognise suspicious emails and other online threats helps to create a strong cyber security culture in which the risk of a successful attack is greatly reduced.
Supply chains should be examined. Although many services, including supporting IT, are outsourced, liability remains with the public sector organisation. An example of this was last year’s Blackbaud hack. In this, the hackers targeted Blackbaud’s fundraising software, stealing personal data belonging to the students, alumni and customers of organisations including universities and the National Trust.
Cyber incident ready
Taking these steps can reduce the likelihood of a cyber attack; however, a mature risk management approach should also include regular incident response readiness exercises to ensure the organisation is well prepared.
If a successful cyber attack does take place, the faster and more effective the response, the better the outcome. Having experts on hand to identify what went wrong and what needs to be done can greatly minimise the damage.
Insurance can help too. As well as protecting an organisation’s balance sheet, many cyber policies also provide access to a panel of cyber professionals who not only support risk management but also manage the response if a successful cyber attack does take place. This team includes legal and forensics experts, as well as PR specialists who can help manage communications and the organisation’s reputation.
Another key benefit of having insurance in place is the focus it puts on risk management. Insurers will want an understanding of the organisation’s approach to cyber risk, which will often highlight potential issues that need to be addressed.
Expert advice and support
The nature – and potential implications – of cyber attacks mean professional advice is a critical part of many organisations’ strategies. An expert can highlight potential security issues and help build a robust approach to managing cyber risk.
There are plenty of sources for this support. A good starting point is the government’s National Cyber Security Centre. Its website (ncsc.gov.uk) contains information, advice and guidance to help understand and reduce cyber risk.
Aon can also help. With over 500 professionals globally dedicated to cyber risk, cyber security and cyber insurance, we are able to provide a comprehensive suite of cyber solutions.
Our Cyber Loop is an example of the type of support we can provide. This recognises that organisations have different needs and could start their cyber journey at any of four points – assessment, quantification, insurance or incident response readiness. By leveraging the cyber loop framework, organisations can navigate these stages to continuously mature their cyber risk management – an essential function in today’s society.
Given the nature and potential implications of cyber risk, it makes sense to get to grips with the issues and ensure your organisation does everything it can to keep the cyber criminals out.
To find out more about how Aon can help your organisation with its cyber risk, contact Alison Goodwin at Alison.firstname.lastname@example.org or Mark Brannigan at email@example.com.
Aon is authorised and regulated by the Financial Conduct Authority. Registered in England and Wales. Registered number: 00210725. Registered Office: The Aon Centre, The Leadenhall Building, 122 Leadenhall Street, London EC3V 4AN. Tel: 020 7623 5500.