Ahead of the local elections next month, Owen Prendeville, Information Commissioner’s Office (ICO), offers tips for protecting against cyber attacks.
Local elections are right around the corner, with millions of people across the country due to go to the polls to vote in their councillors as well as metro mayors and police and crime commissioners.
This is a fundamental part of our democracy, and voters should be confident that they can exercise their democratic rights without their personal information being at risk. At the Information Commissioner’s Office (ICO), we want to remind local government to be extra vigilant with cyber security at this time and ensure there are appropriate security measures in place to safeguard personal information.
Our data shows that a growing number of cyber breaches are being reported by the local government sector, with over 150 cyber incidents reported in the last year.
Poor information security leaves systems at risk and may cause real harm. We want to help those in local government be as prepared as possible, so we have shared some practical steps that they can take to mitigate risk and ensure their systems and the personal information they hold are protected. These tips are particularly important around the election, but will also be important to know in normal times too.
Provide regular staff training
All staff must be fully trained on the correct processes and any training should be role-specific, tailored and relevant to the tasks being completed. Many cyber-attacks come from social engineering, which tricks the user and persuades staff to share passwords or accidentally download malware. Measures such as up to date staff training are essential to spot and report suspicious activity, such as phishing attempts.
Back up your data
You should back up your data regularly. If you’re using an external storage device, keep it somewhere other than your main workplace – encrypt it, and lock it away if possible. That way, if there’s a break-in, fire or flood, you’ll minimise the risk of losing all your data. Such recovery measures should be reviewed regularly to ensure they’re appropriate. Making sure your back-up isn’t connected to your live data source, means any malicious activity won't reach it.
Use strong passwords and multi-factor authentication
Make sure you use strong passwords on smartphones, laptops, tablets, email accounts and any other devices or accounts where personal information is stored. They must be difficult to guess. The National Cyber Security Centre (NCSC) recommends using three random words. This is especially important for accounts with administrative access.
Where possible, you should consider using multi-factor authentication. Multi-factor authentication is a security measure to make sure the right person is accessing the data. It requires at least two separate forms of identification before access is granted. For example, you use a password and a one-time code which is sent by text message.
Be wary of suspicious emails
You should be regularly monitoring for suspicious activity and investigating any unusual activity. Staff need to know how to handle suspicious emails and to report them promptly to relevant colleagues. Look out for demands for you to act urgently, requests for updated payment methods and unrequested password resets. New technologies mean that email attacks are becoming more sophisticated and may appear to come from a source you recognise. If you’re not sure, speak to the sender.
Install malware protection
And keep it up-to-date. You must make sure the devices you use at home, or when you’re working away, are secure. Malware protection software can help protect your device against attack, but only if it is regularly updated and monitored. Act on any alerts, even if there has been successful removal. This helps those keeping the network safe to detect potential attacks sooner.
Update software Ensure that any software updates are run promptly. This makes sure that any security issues or vulnerabilities are fixed and reduces the chance of an attack. NCSC advise critical updates are carried out within 14 days.
Make sure your Wi-Fi connection is secure
Using public Wi-Fi, or an insecure connection, could put personal data at risk. You should make sure you always use a secure connection when connecting to the internet. If you’re using a public network, consider using a secure Virtual Private Network (VPN).
Don’t keep data for longer than you need it
Getting rid of data you no longer need doesn’t just free up storage space, it’s a key principle of data protection. It means you have less personal information at risk if you suffer a cyber-attack or personal data breach.
Dispose of old IT equipment and records securely
You must make sure no personal data is left on computers, laptops, smartphones or any other digital devices, before you dispose of them. You could consider using deletion software or hire a specialist to wipe the data.
Report to the ICO
In the event of a cyber-attack, there is a regulatory requirement to report this to the ICO. We have also worked with NCSC to remind organisations not to pay a ransom in case of a cyber attack, as it does not reduce the risk to individuals and is not considered as a reasonable step to safeguard data.
For more advice, visit the ICO’s security guidance for organisations.
