NI Councils shown to be underspending on cyber security protection

Written by: Vertical Structure on Nov 07, 2019

BELFAST, Northern Ireland -- 3 July 2019 -- Over a six-month period at the end of 2018 and beginning of 2019, cyber security professionals from Vertical Structure undertook a survey of all local councils across Northern Ireland.

“We were hoping to uncover what level of potential cyber security exposure local councils were facing,” said CEO and co-founder of Vertical Structure, Simon Whittaker.

The FOIA responses from local councils revealed that Northern Irish councils are spending, on average, just over £9,000 annually with cyber security vendors. The largest body, Belfast City Council, spent the most on cyber security at £35,879. One council, Mid and East Antrim Borough Council, responded that nothing had been spent on cyber security protection.

Set against Belfast City Council’s gross budgeted expenditure of £192.4m* in 2017/2018, the council spent just 0.18% of its budget on cyber protection.

“We were surprised by these figures,” said Simon, “particularly when you consider that councils are storing personal data on citizens. Belfast City Council spent less than 2p on cyber protection for every £1,000 spent”.

Councils’ data stores might include private citizens’ names, addresses, phone numbers and email accounts.

“When storing that kind of data, we’d advise all organisations to ensure that they have adequate cyber protection measures in place,” said Simon. “This may include annual security and penetration tests to ensure the robustness of their systems, cyber security training for all employees who deal with IT systems and databases, and information assurance measures.”

The low spending amounts led Vertical Structure to question whether councils are adequately protected. Councils’ IT systems are at high risk if attacked by ransomware, malware, viruses or hacking.

Simon explains, “It’s sad but true that no organisation is immune to an attack. We’re not trying to shed a bad light on councils by making this information public. Instead, we’re trying to increase awareness of a rising problem – that governmental organisations have overstretched budgets and they are being forced to cut corners where they shouldn’t.”

A free webcheck service for Gov.uk organisations is available online. Simon said, “It’s possible the councils are using free services such as this one, or the plethora of services that the NCSC offers. If they are, that’s great – these free tools are a hugely useful resource.”

To date, Vertical Structure is not aware of a serious data breach at a Northern Irish council. However, news reports from around the globe show that cyber attacks on government bodies are happening increasingly often.

“It could be a ticking time-bomb,” said Simon. “As just one example, look at what happened in Baltimore.”

The City of Baltimore in Maryland, USA, was hit by ransomware called Robbinhood in May this year, resulting in a reported $18m in damage to its IT systems. City officials explained that hackers were looking for a $100,000 ransom pay-out after a city employee unknowingly clicked a link or opened an email with the malware. The total financial impact included $10m to ‘repair and rebuild the network’ and $8m in ‘deferred revenue and the loss of interest in penalty income,’ per city officials.

“That was just one publicised example – many cyber attacks never get publicised. Bad actors are writing new attack methods every day. All of us need to prioritise cyber security protection before it’s too late,” concluded Simon.

* Source: Belfast City Council annual financial report.

About the survey:

Using FOIA requests, 11 councils across Northern Ireland were surveyed with the following questions:

  1. Name of all cyber security providers that you work with and buy from?
  2. Which cyber security vendor(s) do you currently use?
  3. When is the renewal date for the above vendor(s)?
  4. What is the cost and duration for the above contract(s)?
  5. How many websites does the council provide cyber security testing for?

The following councils responded to Simon Whittaker’s FOIA requests:

  • Causeway Coast and Glens Council
  • Newry, Mourne and Down District Council
  • Ards and North Down Borough Council
  • Belfast City Council
  • Derry City and Strabane District Council
  • Antrim and Newtownabbey District Council
  • Armagh City, Banbridge and Craigavon Borough Council
  • Mid Ulster District Council
  • Lisburn and Castlereagh District Council
  • Fermanagh and Omagh District Council
  • Mid and East Antrim Borough Council
