Security expert Joseph Carson discusses how UK councils can empower employees to take cybersecurity seriously.

A report released by Big Brother Watch this week found that four in five local government authorities in the UK are unprepared for a cyber-attack.

Statistics from the privacy campaign group showed that 114 local councils experienced at least one security breach between 2013 and 2017, and that 25 councils lost data as a result.

Worryingly, three-quarters of councils don’t provide compulsory cybersecurity training, and 16% don’t provide any training at all.

Following the publication of the study, Joseph Carson, chief security scientist at Thycotic, spoke to The Daily Swig about why councils are failing to prioritize security issues.

Here, he discusses how employee-centric cybersecurity is their only hope of defending themselves against cyber-attacks:

The findings of Big Brother Watch point to a lack of cybersecurity, which is a huge concern. And it’s not just councils that are at risk, it’s also critical services like the NHS, the police, and the fire brigade.

I used to be responsible for the Northern Ireland Ambulance Service, so it was my job to keep their systems running. If the systems failed, people died.

It goes without saying that councils should be investing in robust and secure defense mechanisms, but it isn’t as easy as that.

For many councils and other public services, budgets are tight and they are reducing year on year.

Lack of money means that councils may even have to decide between hiring employees or using their budget to upgrade computer systems.

Of course, these employees’ jobs are important but if security is sacrificed it can create a much bigger problem in the long term.

The longer you don’t patch systems, the more exposed and more likely you are to become a victim of cybercrime. So there’s a balancing act to be done when it comes to allocating council funds.

Though if cybersecurity is not prioritized accordingly, councils will start to see a cascading effect.

We’ve already seen this happen last year with the WannaCry attack, but unfortunately that was just the tip of the iceberg.

Cyber-attacks are growing at an astronomically significant rate, and technology alone can’t solve the problem.

Public bodies are likely to be primarily concerned about sensitive data disclosure – for example, constituents’ details or NHS medical records.

The second highest risk is data destruction through ransomware or other means.

We’re seeing organizations invest millions in technology to prevent these attacks but they are still failing to provide technology that’s easy to use.

The more difficult the technology is for their employees, the more difficult it is for them to defend the organization’s systems. Ultimately, not investing in the people is partly fueling a lot of these cyber-attacks.

We’re also finding that cybersecurity is no longer the sole responsibility of the IT department – it’s now everyone’s duty.

Organizations have used their employees as scapegoats for too long, and it’s stopping them from being cyber-aware when it comes to their own actions.

While individuals may have clicked a link or had their passwords stolen, we have to remember that they are also a victim.

One of the reasons that we see so many instances not being reported is that employees are scared that they will be blamed and could lose their job.

Therefore organizations need to empower them and give them the confidence to report suspicious activity.

They also need to invest in easier and simpler solutions that people are able to use quickly and more effectively.

If I have one piece of advice for any organization, it would be to drum into their staff not to be afraid to ask for advice.

People shouldn’t be scared to report anything suspicious.

And organizations should encourage employees to think twice before they click on something.

Equipping people with the skills and ability to tackle cybercrime on the frontline is vital to protect public services.