Insights from a rare case study

An asset-rich organisation, Gloucester City Council uses suppliers to help maintain service delivery.

Just as many asset management organisations do.

In 2021 they suffered a ransomware attack that presented via an email, mid-conversation, from a supplier that had themselves been compromised.

In 2023, the Local Government Association, in collaboration with the council, published a case study on the incident. The report contains a comprehensive list of lessons learnt that others can consider in the context of their own organisations.

In this newsletter I’m summarising my key observations as they would apply to most organisations.

Others depend on you

• It goes without saying, but…
• In the event of a cyber attack, the systems and tech you rely on to manage your assets and provide services may become totally unavailable for months.
• Asset information management, computerised maintenance management, support ticketing, finance, geospatial information and operational technology are just a few to consider.
• This can mean considerable negative consequences for your customers and dependents.
• In the case of Gloucester City Council, planning applications were delayed and information used by mortgage providers was unavailable.
• This impacted people’s life plans and potentially caused significant financial stress to families and businesses.
• Ask yourselves what total inability to deliver your services could mean to your customers and other stakeholders.
• Develop worst-case-scenario business continuity and cyber incident response plans.
• Simulate scenarios.
• Contemplate the total loss of all systems and tech, not just loss of individual components.
• Do you know what the most critical services and technologies are that your customers depend on you to keep operational, and have you established contingency plans in case they fail for extended periods?

Those that you depend on may become unavailable

• Suppliers and other parties you interface with could block communications from your organisation to mitigate the risk of your cyber attack spreading to them.
• This may complicate your recovery and service continuity.
• Have you established protocols for communication with critical third-parties, including suppliers and customers, in the event that routine communication channels, such as email, become unavailable?

Complex systems and shadow IT make recovery more difficult

• The more products and services an organisation offers, the more systems that may exist to support them.
• Staff may already be using software and hardware without your IT team’s approval, knowledge or oversight (“shadow IT”).
• They do this due to perceived IT bureaucracy, matters of convenience, or simply naivety.
• The more systems and shadow IT that exist, the broader the attack surface.
• Simpler systems are simpler to protect and restore.
• What are you doing today to simplify product offerings and the underlying system architecture required to deliver services, reduce expenditure in the short term, and minimise the complexity of a future system rebuild?

Effective cyber security awareness is akin to good asset management

• More preventative, less reactive.
• Regular education in small doses is more effective than intensive and time-consuming big hits.
• Simulate and promote discussion.
• Integrate cyber security and awareness into procurement and contract monitoring for all suppliers.
• Periodically share examples of incidents relevant to your organisation and industry with your staff.
• Keep the risks front-of-mind.
• How are you ensuring your staff and suppliers are remaining vigilant and aware of common cyber risks that they can play a part in defending against?

Staff will fatigue

• Over weeks or months of recovery, people get tired.
• Loss of efficient digital technology usually means less efficient manual processes are required to keep things going. Backlogs of work build. Stress increases.
• IT teams in particular can end up working round the clock.
• Does your business continuity plan anticipate the impact on staff over an extended period of time, plan for action to minimise fatigue and stress, and prepare to accommodate increases in personal leave?

Featured image: “Sunset on Gloucester Docks 1”, by kennysarmy, licensed under CC BY-NC-ND 2.0