Post-ransomware attack, Hackney Council wants to change its cybersecurity culture

And it’s willing to pay up to £250,000 if you can help them do it.

Graham Cluley
@gcluley

Hackney Council still hasn’t recovered from its ransomware attack last October, which saw stolen data posted on the dark web by the PYSA ransomware gang.

According to the London Borough of Hackney’s website, key services that continue to be affected include:

  • Applications and licenses
  • Benefits, council tax and payments
  • Children and families services
  • Council homes
  • Data protection
  • Payments
  • Planning
  • Reporting and ordering

House purchases have fallen through in the area as the council was unable to process land searches, and some of the area’s most vulnerable residents were not paid their housing benefit.

The good news is that Hackney Council is working hard to make things better. And one of the ways in which it is doing that is by looking for some external expertise to evaluate its staff’s understanding of their security responsibilities, and help them adopt effective security practices.

Why the work is being done

Hackney Council is reviewing the way we deliver security assurance, following a Cyber attack in October 2020 and implementing changes to where required. This work will include a review of some of our technological tools as well our governance arrangements and processes. This work will be underpinned by a concurrent piece of work focused upon the security culture within the team.

Problem to be solved

We are delivering two key strands of work:

* Behaviour, Culture & Skills (Analysis, recommendation & implementation)
* Policy, Process & Procedure (Review, recommendation, change/strengthen)

We have identified some skills gaps and capacity shortages that would hinder rapid delivery of a high quality set of outcomes.

User Research (to help design, conduct and understand behavioural and culture now)

Business/Procedure/Policy Analysis (to help create and distill user stories, conversations and data and turn into actionable procedures/practice).

Senior Security Practice to act as a second pair of eyes and to help design new processes, deliver training and best practice to our teams.

It’s interesting to see how much emphasis is being given to improving the security culture and user behaviour. Far too often this is an area of computer security which is brushed aside in favour of technological solutions.

Sign up to our newsletter
Security news, advice, and tips.

The truth is that cybersecurity is fundamentally a human problem, not a technological one. One has to suspect that it was a human behavioural issue which was the primary reason the council was hit by the attack rather than anything else.

The budget for this work is set at £200,000 – £250,000 + VAT, and – understandably under the current circumstances – Hackney Council is quite happy for you to work remotely.

So if you’re interested apply now.

You have until 2 February 2021 to apply.

Hat-tip: Thanks to Evan Jones for bringing this latest development to my attention.

Found this article interesting? Follow Graham Cluley on Twitter to read more of the exclusive content we post.


Graham Cluley is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows. Now an independent security analyst, he regularly makes media appearances and is an international public speaker on the topic of computer security, hackers, and online privacy. Follow him on Twitter at @gcluley, or drop him an email.

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.