Leicester City Council’s response to the ‘streetlight’ cyber-attack was an example of an effective business continuity plan, says Billy Ruston, Resilience Consultant, Protection Group International (PGI).
We know that local authorities are increasingly under threat from cybercriminals. According to the Information Commissioner’s Office (ICO), attacks on local authorities have increased 24% between 2022 and 2023. The data held by organisations in the public sector and the critical nature of the services they provide the public means that they are incredibly tempting targets for cybercriminals and bad state actors alike.
The attack on Leicester City Council, whilst described as highly sophisticated, seems typical of many of the attacks targeting local authorities. Before the Leicester attack, we saw councils in Kent hit by a number of cyber-attacks at the beginning of 2024, St Helen’s council was hit by a ransomware attack in August 2023 and several British regional councils were affected by the attack on supplier Capita which was also exposed in 2023.
It is clear then that councils are under threat, directly and via supply chain partners and the number of attacks and consequences of them mean that they are increasingly headline news. This has two impacts. It decreases public confidence in their local authorities (one of the key objectives of bad state actors) and also means that general assumptions are being made about the nature and consequences of the attacks.
Councils have statutory duties under the Civil Contingencies Act, 2004. One of the statutory duties of the Civil Contingencies Act is to put in place Business Continuity Management arrangements. However, councils should not only be implementing such procedures just because it is a part of the Act.
Business Continuity planning is a good idea for all organisations whether it is a legal requirement or not. Business Continuity ensures that an organisation’s critical activities can continue at predefined service levels and within acceptable timeframes following a business disruption, such as the cyber-attack that Leicester City Council suffered.
What we have seen with the Leicester case is the Business Continuity plan coming into action. Although the headlines focused on the negative point that streetlights remained on, it was actually a strategic decision on behalf of the Business Continuity team at the council.
For local authorities, it is not acceptable to stop providing services that ensure the health, safety and welfare of their residents. It would have become clear that if systems failed then it was preferable to have the streetlights remain constantly on, ensuring the safety of the public. It is a positive reflection on the Business Continuity plan in place rather than a negative impact of the cyber-attack which the headlines focus on.
There are multiple interrelated stages to consider when implementing a business continuity management system and developing plans and incident response processes. The planning process starts with an analysis to define critical activities and understand the threat landscape. The planning process ends with validation, testing that the Business Continuity plans are effective and align with business objectives, practising response processes with key stakeholders and identifying opportunities and areas for improvement.
The key to successful Business Continuity plans is that it is not regarded as a one-off exercise but needs to be continuously monitored and improved. The Leicester example shows how ongoing testing has allowed a local authority to ensure front-line services and the safety of the public are prioritised in the event of disruption. However, for other councils having the ability or in-house expertise to ensure that Business Continuity plans are implemented and regularly tested is beyond their means. Some are turning to consultancies that can provide the expertise and experience to help local authorities have some peace of mind and importantly roll-out plans if the worst happens.
