Preston council under siege from cyber attacks

Preston's city council is thwarting dozens of attempts to breach its cyber-security every single day, lead officers have said.

Tuesday, 8th May 2018, 7:25 am
Updated Tuesday, 8th May 2018, 11:16 am

The threat posed by would-be hackers has been revealed in the results of a study set up in the wake of the crippling attack on the NHS last year.

Councillors have been scrutinising the local authority’s defences in recent months to assess how vulnerable their systems are.

And their conclusions will be presented to the ruling cabinet next week.

Sign up to our daily newsletter

The i newsletter cut through the noise


The report reveals that council staff have become more web-security savvy in recent months as a result of targeted training. However, an initial experiment revealed some alarming figures.

When everyone in the council was sent a spoof phishing email last year, 49 per cent failed the test by clicking on a nefarious link contained within the message, an action that could open the system up to harmful software.

This figure has now dropped to between five and eight per cent, the council said, with those failing the tests asked to carry out extra training.

Sharon Thornton, head of ICT Services, said it is not possible to have 100 per cent protection but steps can be taken to mitigate the risk.

Dr Tim Owen and Faye Speed both work in the cybercrime research unit at UCLan

She said: “The idea behind the training is to get a baseline by sending the same spoof phishing email to everyone in the organisation.

“Employees then had to complete a mandatory 15 minute training video advising them about cyber criminals and what to look out for in scam emails.

“Subsequent spoof phishing emails were then randomly sent out over the course of 12 months. “Each time a user failed by clicking on a link within the email, they would be notified and advised to carry out a further 45 minute training video.

“Overall the process has made users more aware and vigilant, and therefore the fail rate has dropped significantly.”

The report reveals that the council uses a more recent operating system than the one targeted in the NHS Wannacry attack last year.

And a number of measures - such as regular scans and firewalls - are in place with an average of between 20 and 30 attempted breaches each day.

Ms Thornton added: “The council’s external facing network is attacked regularly but we’re very happy to report that none have been successful.”

Lead member of the cyber security task and finish group Coun Lynne Wallace said she and group members were “very impressed with the excellent level of security despite the council’s budgetary constraints.”

Although the work group will recommend a number of measures to ensure the authority does not get “complacent” about its security position.

They include a feasibility study looking into “prohibition of all personal removable media devices” with only “approved, encrypted devices permitted”.

In addition to the introduction of self-service password changes and a roll-out of mandatory training for all staff and councillors.

The report reads: “This study demonstrates that the council is taking the issue of cyber-security very seriously. The phishing test in particular shows that measures which are being put in place are having a positive effect on protecting the council from cyber threats and improving awareness and responses by staff and members.

“But we cannot be complacent, and the recommendations in this study, when actioned, will put the council in an even stronger position.”

Government crackdown

Former Home Secretary Amber Rudd launched a crackdown on criminals who exploit the dark web just before she left her post. As part of a £9m fund, law enforcement’s response will be bolstered to tackle those who use the anonymity of the online space for illegal activities such as the selling of firearms, drugs, malware and people.

More than £5m will also be used to support the police to establish dedicated cyber crime units to investigate and pursue cyber criminals at a regional and local level.

Currently only 30 per cent of local police forces have a cyber capability that reaches the minimum standard.

The funding is part of £50 m of newly allocated.

Ms Amber Rudd said: “The world of cyber crime is fast-developing and we need a fast-developing response to match.

“One that recognises that it is the responsibility of everyone in the UK to fight the evolving threat.”

She added: “[The £50 million of funding] will mean that cyber crimes are investigated thoroughly and police can support local businesses and local victims, providing the advice and care they need. Because whilst criminals plot and hide behind their screens, their actions have real-life consequences for their victims.

“My own father was the victim of fraud and I know from personal experience the importance of supporting those who have been victimised through no fault of their own.

“And now that it’s happening online it’s happening to even more people. But business owners, cybersecurity experts and individuals, can do a lot to help too.

“Because in the same way that shops protect themselves from burglary with locks, alarms and security guards, I expect businesses to take equivalent precautions digitally.”

NHS computer system attack

NHS computer systems across the UK were targeted in May last year by ransomware - a particularly nasty type of malware that blocks access to a computer or its data and demands money to release it.

Almost 19,500 medical appointments, including 139 potential cancer referrals, were estimated to have been cancelled, NAO said.The malware is believed to have infected machines at 81 health trusts across England - a third of the 236 total, plus computers at almost 600 GP surgeries, a recent report by the National Audit Office found.

Around 3,000 computers at the Royal Preston and Chorley and South Ribble Hospitals were infected by the virus.

And Lancashire Teaching Hospitals NHS Foundation Trust previously said that 441 procedures and appointments were affected but were quickly re-arranged’.

All were running computer systems that had not been updated to secure them against such attacks.

The expert’s view

Dr Tim Owen, senior lecturer in Criminology and director of the University of Central Lancashire’s cyber crime research unit, said it is increasingly vital that public organisations maintain standards of “cyber hygiene”.

He told the Lancashire Post: “You have to keep yourself as clean as possible. Unfortunately you’re never going to get rid of human error but all organisations should be implementing training and making people aware of the basics to reduce the risk.

“Cyber crime is always moving so quickly and it’s difficult to keep track. Attacks (like the one that hit the NHS last year) are co-ordinated, and many are state sponsored, we’re not talking about someone sitting in their bedroom, messing about.

“We’re talking about thousands of cancelled appointments across dozens of trusts, if that’s not coordinated, I don’t know what is.” Dr Owen said there needs to be greater awareness that online actions can have an impact on everyday life.

He added: “There is still a misconception that something you do online stays there and isn’t real life. Only fools click on email links when they don’t where they’ve come from these days, but it does happen and human error can be the cause of a lot of breaches.

“I use the analogy that if I was to walk out of my house in the morning and leave the door completely open, eventually (it will be burgled.)

“That’s what happened with the NHS (in that the operating systems were not up to date).

“Organisations need to have their cyber hygiene, the responsibility to pass on the basics to their staff.”

Dr Owen predicts the UK will see an increase in coordinated cyber attacks in the coming weeks as a direct result of the military action in Syria. He said: “Cyber crime is more serious than people realise and the internet holds a lot of pitfalls. Some think it all takes place on the dark web, but it’s only a few clicks away.

“Raising awareness and making people aware of the basics is the way forward.”