Insider threats, both malicious and accidental, are also a risk that every company, and especially local government, needs to be aware of.
Local government employees can have access to multiple systems holding sensitive data and, if they were maliciously minded, might also be in a position to manipulate invoices and information for their own benefit. But even accidental data breaches have to be reported to the ICO.
According to the ICO's data security incident trends dashboard, in Q4 2021/22 the ICO received 5 reports relating to cyber incidents (a clear online or technological element involving a third party with malicious intent), but 213 reports of non-cyber incidents, i.e. those without an online/technical element or not involving a third party with malicious intent. Overall, the local government sector was the third biggest reporter of data breaches.
Within Q4, the most reported incident type was data emailed to the incorrect recipient, with 42 reports. Looking at unauthorised access, only 1 report was classed as malicious (cyber) and 22 as non-malicious. Although the dashboard doesn't state what that unauthorised access involved, the category would include non-malicious insiders.
What does this mean for local government?
The reporting shows that non-malicious data breaches are more common than malicious ones, but that doesn't mean they have no impact, potentially both financial and reputational.
Potential changes to make
Culture – mistakes are going to happen, but employees need to feel confident about reporting them. According to the 2022 Psychology of Human Error study, age makes a difference in admitting mistakes: 50% of 18 to 30 year olds admit to mistakes compared to just 10% of those over 51!
Training – does the training currently offered cover the ways in which data breaches are actually occurring? Senior managers might consider including cyber security and data protection messages in general communications to reinforce formal training.
Technical controls – could any of the breaches have been prevented or stopped by technical controls? In terms of unauthorised access to data, this might be the wake-up call to check who has administrator access and whether everybody's access is still aligned with their current role.
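One way to put that last point into practice, as an added example that is not from the ECRC post: a small Python access review that reconciles admin-group membership against the HR roster and flags role drift, leavers who still hold admin rights, and dormant admin accounts. The roles, accounts, review date and 90-day dormancy threshold are constructed assumptions for illustration.

```python
"""Access review: do admin rights still match each person's current role?

Constructed sample data only (not real council accounts). Findings raised:
  - an admin whose HR role is not one that justifies admin rights (role drift),
  - a leaver who still holds admin rights,
  - an admin account not logged on within DORMANT_DAYS.
"""
from dataclasses import dataclass
from datetime import date

# Assumption: only these HR roles justify membership of the admin group.
ADMIN_ENTITLED_ROLES = {"ICT Systems Administrator", "ICT Service Desk Lead"}
DORMANT_DAYS = 90  # assumption: admin accounts unused for longer are suspect


@dataclass
class Account:
    username: str
    hr_role: str          # current role according to the HR roster
    in_admin_group: bool  # e.g. member of 'Domain Admins' or an app admin role
    employed: bool        # False once HR has recorded the person as a leaver
    last_logon: date


def review_admin_access(accounts, today):
    """Return (username, reason) pairs for every admin account needing action."""
    findings = []
    for a in accounts:
        if not a.in_admin_group:
            continue  # only privileged accounts are in scope for this review
        if not a.employed:
            findings.append((a.username, "leaver still holds admin access"))
        elif a.hr_role not in ADMIN_ENTITLED_ROLES:
            findings.append((a.username, f"admin access not justified by role '{a.hr_role}'"))
        if (today - a.last_logon).days > DORMANT_DAYS:
            findings.append((a.username, "dormant admin account"))
    return findings


# Constructed roster: one compliant admin, one who changed role, one leaver.
REVIEW_DATE = date(2022, 6, 30)
SAMPLE_ACCOUNTS = [
    Account("jsmith", "ICT Systems Administrator", True, True, date(2022, 6, 29)),
    Account("kjones", "Revenues and Benefits Officer", True, True, date(2022, 6, 28)),
    Account("plee", "ICT Service Desk Lead", True, False, date(2022, 2, 1)),
    Account("amiah", "Planning Officer", False, True, date(2022, 6, 30)),
]

if __name__ == "__main__":
    for user, reason in review_admin_access(SAMPLE_ACCOUNTS, REVIEW_DATE):
        print(f"{user}: {reason}")
```

Running it lists kjones (role no longer justifies admin rights) and plee (leaver, and dormant), while the compliant admin and the non-admin user produce no findings.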
Further Guidance and Support
The ECRC is a police-led, not-for-profit organisation which companies can join for free.
Our community provides:
Threat alerts both regionally and nationally
Signposting to free tools and resources from both Policing and the NCSC
Little Steps programme – a series of weekly emails, aligned to Cyber Essentials, giving bite-sized practical information to build cyber resilience
Discussion area to meet and talk with other companies in the region and our partners