
Business as usual: Leicester council cyber attack

Image: Thapana_Studio / Shutterstock.com.

Leicester City Council’s response to the ‘streetlight’ cyber attack was an example of an effective business continuity plan, says Billy Ruston, resilience consultant, Protection Group International (PGI).

We know that local authorities are increasingly under threat from cybercriminals. According to the Information Commissioner’s Office (ICO), attacks on local authorities increased by 24% between 2022 and 2023. The data held by public sector organizations and the critical nature of the services they provide to the public mean they are incredibly tempting targets, both for cybercriminals and bad state actors.

The attack on Leicester City Council, although described as highly sophisticated, appears typical of many attacks on local authorities. Before the Leicester attack, we saw councils in Kent hit by a series of cyber attacks in early 2024, St Helens council hit by a ransomware attack in August 2023 and several UK regional councils affected by the attack on supplier Capita, which was also exposed in 2023.

It is clear then that councils are under threat, directly and through supply chain partners, and the number of attacks and their consequences mean they are increasingly front page news. This has two effects. It lowers the public’s trust in their local authorities (one of the key goals of bad state actors) and also means that general assumptions are made about the nature and consequences of attacks.

Councils have statutory obligations under the Civil Contingencies Act 2004, one of which is to put in place business continuity management arrangements. However, councils should not implement such arrangements just because the Act requires them.

Business continuity planning is a good idea for all organizations, whether it is a legal requirement or not. Business continuity ensures that an organization’s critical activities can continue at predefined service levels and within acceptable timeframes following a business disruption, such as the cyber attack suffered by Leicester City Council.

What we saw in the case of Leicester is the business continuity plan coming into action. Although the headlines focused on the downside of the street lights being left on, this was actually a strategic decision by the council’s Business Continuity team.

It is not acceptable for local authorities to stop providing services that ensure the health, safety and well-being of their residents. It would have become clear that, if the systems failed, it was preferable for the street lights to remain permanently on, ensuring the safety of the public. This is a positive reflection on the business continuity plan in place, rather than the negative impact of the cyber attack that the headlines are focusing on.

There are several interrelated steps to consider when implementing a business continuity management system and developing incident response plans and processes. The planning process begins with an analysis to define critical activities and understand the threat landscape. The planning process concludes with validation, testing that business continuity plans are effective and aligned with business objectives, practicing feedback processes with key stakeholders, and identifying opportunities and areas for improvement.

The key to successful business continuity plans is that they are not viewed as a one-off exercise, but are monitored and continuously improved. The Leicester example shows how continuous testing has enabled a local authority to ensure frontline services and public safety are prioritized in the event of an outage. However, for other boards, having the capacity or in-house expertise to ensure that business continuity plans are regularly implemented and tested is beyond their means. Some turn to consultancies who can provide the expertise and experience to help local authorities have some peace of mind and, importantly, implement plans should the worst happen.
