Cyber Resilience: Is it a case of preparing for the inevitable? Stephen Baker Chief Executive Suffolk Coastal & Waveney District Councils [SOLACE spokesperson on Emergency Planning and Cyber Resilience]

“…the thing is, it’s probably inevitable that your organisation will suffer some breach, some attack, at some point. Of course, do all you can you prevent it, but also prepare for when it happens…”

What is the threat? Where will it come from? What will it do to my systems, my organisation, my services? What shape or profile will it have, and what will it seek to achieve?

What has happened elsewhere? Several local authorities have suffered attacks Loss of access [for days] Loss of data and historical files [forever?] Impact on services Impact on staff What can I learn from these? There will be breaches we’re not told about

What is the risk? Understand the risk: Responding to the risk issue of scale visibility (different to other threats) recognising change when it happens Responding to the risk Rationalising the threat [am I a target?] Complexity of local systems Vulnerability: understanding ‘why they do it’ our services and users

Environmental Management Electoral Registration Homeless Housing Options NLPG Grants HR / Payroll Building Control Planning Housing Online self service Eco Dev & Regen Land Charges EDMS Corporate Website Intranet CRM Payments Portal Legal CMS Asset Management Environmental Management Licensing Electoral Registration Coastal Management Environmental Health Digital Mapping Committee Admin Revs and Bens Auto Cad Business Analytics Corporate Finance

Can I prevent it? Technical Response Organisational response Management response Leadership response

Response Constraints Other priorities, immediate pressures … Skills, knowledge and experience Lack of understanding/awareness Complexity [partnerships/systems/users] Difficult to quantify the risk Reticence to quantify the impact “Alarm avoidance” (denial!) “Someone else’s issue” (usually ICT!) Political interface

What would the impact be? Immediate disruption to the organisation, services, customer/resident Financial cost Service development and strategic planning Loss of confidence impact on digitisation, both implementation and ambition mindful of user demographic Reputational damage Political dimension

Impact: can we apply a time line? Loss of Confidence Reputation / corporate memory Political Political Political Impact Impact on Digitalisation Service Disruption Strategic Planning Service Development Immediate Long Term

Impact: why would anyone do it? Cause disruption to IT systems Financial gain/personal gain Kudos – ‘because I can’ Curiosity – ‘can I?’ Access to emails between staff … … or access to emails between Leader and Deputy Leader? None of the above

Support System NCSC MHCLG Cabinet Office LGA SOLACE SOCITM LRFs Mutual Aid Suppliers and Partners

Communities and Stakeholders The provider/customer and user relationship Features of an effective digitised service: Security / Accessibility / Transparency …. Community leadership - provision of advice and guidance - how far should support go? Stakeholders: Shared systems Confidence (works both ways)

Do an exercise … test your team A plea to colleagues Do an exercise … test your team

Management Response Take responsibility Recognise the risk Access the skills necessary for adequate defence [ICT, business continuity etc] Train and educate – raise awareness Delegate, but not abdicate “Get real”

Leadership Response Officer role Political role A sustained strategic response Mutual support across agencies/councils etc A common, albeit unknown, enemy Where does the buck stop?

Conclusion Do what we can to reduce our vulnerability Prepare as best we can in case it happens ….let’s hope it’s not inevitable…!