Local Government – Top Tips to protect your council from cyber criminals

Cybercriminals have shown repeatedly that they love data, and the more sensitive it is the more money they can extort if they steal, encrypt, or restrict access to it.

Local governments hold millions of gigabytes of this type of data – including financial and legal information, sensitive planning details, confidential medical data, data relating to children at risk and even vulnerable women – including locations of domestic violence refuges.

And poor cyber security has led to numerous high-profile attacks against councils in the past few years. The London Borough of Hackney was subject to a ransomware attack in 2020 in which personal staff data was released, land registry information was scrambled, and local authority payments had to be halted. The loss and publication of sensitive personal data also led to a year-long police operation to try to mitigate the risks to the individuals affected.

More recently, in 2022, an Essex-based local government organisation was subject to a man-in-the-middle attack in which it paid almost £4 million to a criminal gang, believing it was paying a trusted supplier. Only quick thinking and action meant that the money was not lost permanently.

As more services go online and information becomes digitised, the challenges faced by local governments, and the solutions to each area of attack, become more complicated. But a key part of any local government strategy is ensuring that you have a plan for when things go wrong.

As Maya Angelou famously said,

“Hoping for the best, prepared for the worst…”

What should I do now?

The good news is that you can start to improve your cyber defences now, with little or no technical training, and at little or no cost.

  1. Ensure all your staff are using strong passwords. This means that they are unique – not used across multiple platforms – and not easily guessable.

  2. Consider providing a password manager for your staff. Each person remembers just one strong password and the manager remembers the rest. Watch our short video to find out more.

  3. Enable Two-Factor Authentication (2FA) wherever possible, but specifically on any social media site, email and anywhere you hold payment details. This means that if your staff’s usernames or passwords are leaked, criminals still won’t be able to access the account. You can find more about 2FA here.

  4. Have offline backups and test that you can recover from them. Organisations falling victim to ransomware still pay criminals even though they have backups, because they have never tested them, and then, when they need the data the most, they find that they can’t recover it.

  5. Ensure you have anti-malware on all devices, including your phones.

  6. Train your staff to recognise common phishing attacks and how to report them. Phishing is the most common form of cyber-attack, and your staff can be your weakest link or your strongest defence, but only if they know what to look out for and what to do. The ECRC can provide bespoke Staff Awareness Training through our affordable student services.

  7. If you have a website, get a web application vulnerability assessment. This will check whether your site is protected against the most common cyber-attacks used against it.

  8. Install system and software updates as soon as possible. Criminals also know about these vulnerabilities and will craft attacks specifically for systems that have not been patched.

  9. Have an incident response plan and test that it will help when the worst happens. You can find a free template plan to get you started here.

  10. Join the Eastern Cyber Resilience Centre. It’s free, and you will be kept up to date with the latest threats to your organisation, as well as receiving guidance, support, direction to free tools and services, and access to our affordable student services, which can help with vulnerability assessments and staff awareness training among other services. Sign up to join our growing community now.

Further guidance & support

You can contact the Cyber Resilience Centre for guidance and support through our e-mail enquiry system.

And we would always encourage you to join our growing community by signing up for our free core membership. Core members receive regular updates which include the latest guidance, news, and security updates. Our core membership has been tailored for businesses and charities of all sizes based across the seven counties in the East of England. Our site also contains a wealth of guidance and tools that can be accessed free of charge.

You may have access to some sort of IT support within your organisation, and we recommend that you speak to them now to discuss how they can implement cyber resilience measures on your behalf. Also find out whether an incident response plan is currently held for your organisation and whether it is still in date.

Finally, whilst we would suggest that you don’t rely on insurance alone to protect you from all of the world’s cyber threats, it would be prudent to check what insurance, if any, you have and what it actually covers. It could prove invaluable in helping you quickly navigate those early hours of an incident and should form part of the organisation’s response to an incident of this type.

Reporting a live cyber-attack 24/7

If you are a business, charity or other organisation which is currently suffering a live cyber-attack (in progress), please call Action Fraud on 0300 123 2040 immediately. This service is available 24 hours a day, 7 days a week.

Reporting a cyber-attack which isn't ongoing

Please report online to Action Fraud, the UK's national reporting centre for fraud and cybercrime. You can report cybercrime online at any time using the online reporting tool, which will guide you through simple questions to identify what has happened. Action Fraud advisors can also provide the help, support, and advice you need.

Alternatively, you can call Action Fraud on 0300 123 2040 (textphone 0300 123 2050).
The contents of this website are provided for general information only and are not intended to replace specific professional advice relevant to your situation. The intention of The Cyber Resilience Centre for the East is to encourage cyber resilience by raising issues and disseminating information on the experiences and initiatives of others. Articles on the website cannot by their nature be comprehensive and may not reflect most recent legislation, practice, or application to your circumstances. The Cyber Resilience Centre for the East provides affordable services and Trusted Partners if you need specific support. For specific questions please contact us.

The Cyber Resilience Centre for the East does not accept any responsibility for any loss which may arise from reliance on information or materials published on this document. The Cyber Resilience Centre for the East is not responsible for the content of external internet sites that link to this site or which are linked from it.