The Nasstarian
A Problem Shared: Why IT Outsourcing Could Become a Hit with Councils

In opinion / By Phil Muncaster / 18 September 2018

We all know that UK local authorities have been hit hard by eight years of austerity measures. But those severe budget cuts are now also putting key IT systems, and the highly sensitive data they hold, at risk of attack. A new study has revealed that nearly half (46%) of English councils are running outdated server operating systems. So what can local government do to improve cyber resilience with dwindling resources? Outsourcing IT infrastructure and/or services to third-party experts is likely to become an increasingly popular option, as a way to reduce both overheads and cyber risk.

Cuts create cyber risk

Government budget cuts are decimating local councils. Services are reportedly being merged at twice the rate of 2010 as councils see funding halved while demand for services increases. The simple answer, of course, is to accelerate digital transformation projects to help councils run their services more efficiently and at lower cost than before. But the reality on the ground is very different.

A recent Freedom of Information (FOI) request from IT provider Comparex UK found that nearly half of English councils were still running one or more of Windows Server 2000, Windows Server 2003 and Microsoft SQL Server 2005. Of the 94% of councils running Windows Server 2008, only 13% said they were paying for extended support; for SQL Server 2008 the figure was just 9%. Outdated server software like this is a clear security risk to public sector organisations. Once Microsoft stops producing security patches for a product, every newly discovered vulnerability in it stays open indefinitely, exposing the council to a range of attacks, from data theft and ransomware to crypto-currency mining. Comparex claimed, for example, that there are 150 known “significant” vulnerabilities for Windows Server 2003 alone.
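The first practical step for a council in this position is simply knowing which of its own servers are already past end of support. The script below is an added example for this article, not code from Comparex, the councils surveyed or Nasstar: it runs a constructed sample inventory (in the shape of an Active Directory or CMDB export, not real council data) against Microsoft's published end-of-extended-support dates for the products named above and reports every host that is unsupported on a given date. The dates are Microsoft lifecycle dates that should be re-checked against the Microsoft Lifecycle site before acting, and the inventory format and hostnames are assumptions for illustration.

```python
"""Flag servers whose Windows Server or SQL Server release is past Microsoft's
end of extended support, given a simple inventory export.

Added example for this article, not code from Comparex, the councils or Nasstar.
End-of-support dates are Microsoft's published lifecycle dates for these
products; verify them against the Microsoft Lifecycle site before acting."""
import csv
import io
from datetime import date

END_OF_EXTENDED_SUPPORT = {
    "Windows Server 2000": "2010-07-13",
    "Windows Server 2003": "2015-07-14",  # also covers 2003 R2
    "Windows Server 2008": "2020-01-14",  # also covers 2008 R2
    "SQL Server 2005": "2016-04-12",
    "SQL Server 2008": "2019-07-09",      # also covers 2008 R2
}

# Constructed sample inventory in the shape of an AD or CMDB export (not real council data).
SAMPLE_INVENTORY = """\
hostname,version_string
fileserver01,Windows Server 2003 R2 Standard
db01,Microsoft SQL Server 2005 SP4
app02,Windows Server 2008 R2 Enterprise
web03,Windows Server 2016 Datacenter
"""


def identify_product(version_string: str):
    """Map a free-text version string onto a key of END_OF_EXTENDED_SUPPORT.

    Case-insensitive substring match, longest key wins, so
    'Windows Server 2008 R2 Enterprise' resolves to 'Windows Server 2008'.
    Returns None for anything not in the table.
    """
    s = version_string.lower()
    matches = [k for k in END_OF_EXTENDED_SUPPORT if k.lower() in s]
    return max(matches, key=len) if matches else None


def support_status(version_string: str, as_of: str) -> str:
    """Return 'unsupported', 'supported' or 'unlisted' for a version string on an ISO date.

    'unlisted' means the product is not in our table: it must be looked up by hand,
    not assumed to be fine.
    """
    product = identify_product(version_string)
    if product is None:
        return "unlisted"
    eos = date.fromisoformat(END_OF_EXTENDED_SUPPORT[product])
    return "unsupported" if date.fromisoformat(as_of) >= eos else "supported"


def find_unsupported(inventory_csv: str, as_of: str):
    """Return [(hostname, product, end_of_support_iso)] for every host in the
    CSV that is past end of extended support on the given ISO date."""
    findings = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        if support_status(row["version_string"], as_of) == "unsupported":
            product = identify_product(row["version_string"])
            findings.append((row["hostname"], product, END_OF_EXTENDED_SUPPORT[product]))
    return findings


if __name__ == "__main__":
    # Same inventory on this article's publication date and on the day Windows
    # Server 2008 left extended support: app02 flips from supported to unsupported.
    for as_of in ("2018-09-18", "2020-01-14"):
        print(f"As of {as_of}:")
        for host, product, eos in find_unsupported(SAMPLE_INVENTORY, as_of):
            print(f"  {host}: {product} (extended support ended {eos})")
```

Two design points worth keeping in a real version: a host whose version string matches nothing in the table is reported as "unlisted" rather than silently treated as supported, and the check is run against a date rather than "today" so the same inventory can show what falls out of support at the next lifecycle milestone.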

“Unsupported software is like a bank with no-one guarding the vault, no cameras, and no locks,” Comparex business unit director for public sector, Chris Bartlett, told me. “Attackers will follow the path of least resistance when exploiting vulnerabilities, in your bank, and on your network.”

A false economy

Although server OS upgrades are sometimes delayed by application compatibility issues, cost is a major factor. Yet continuing to run insecure software is clearly a false economy, as the fall-out from a resulting cyber-attack could be catastrophic.

An FOI survey from Barracuda Networks last year revealed that over a quarter (27%) of councils have suffered a damaging ransomware outage, for example. There are also compliance considerations. Gloucester City Council was fined £100,000 by the Information Commissioner’s Office (ICO) after failing to patch the infamous Heartbleed bug, resulting in the theft of sensitive data on council employees. The new regulatory regime known as the GDPR, in force since May 2018, has increased the ICO’s powers to fine up to £17m or 4% of annual turnover, whichever is higher.

It’s no surprise that a PwC study from last year found that just a third (34%) of the public trust their council to manage and share their data and information securely, while only 35% of local authority leaders are confident their council is prepared to deal with a cyber-attack.

Time to outsource?

The good news is that local authorities have been trying to drive digital transformation where possible, to do more with less. The first step for many is migrating infrastructure or applications to the cloud. Part of this has been driven by new requirements from central government: specifically the phasing out of the .gsi email domain and its underlying infrastructure, and an end to the current GCSX network, which allows councils to share data securely with central government departments. Many will switch to Office 365 or Google G-Suite as a replacement.

There’s certainly nothing wrong with this and it should save money in the long run, whilst effectively outsourcing the maintenance and security of those applications to the expert cloud provider. However, when it comes to IT infrastructure, local authorities might want to consider a slightly different approach. There’s still widespread confusion about exactly where the buck stops with security in IaaS environments, despite Amazon Web Services and others issuing repeated advice. Under the shared responsibility model the provider secures the physical hosts, hypervisor and underlying network, but patching and configuring the guest operating system, the applications running on it and the identity and access controls around them remain the customer’s job. The concern, therefore, is that a council’s hosted Windows Server installations are left just as exposed to threats in the public cloud as they were in the server room.

According to Socitm, 62% of councils stored data in the cloud last year, up from 52% in 2016, with the most popular choice (36%) being public cloud providers like AWS, Google and Microsoft Azure. However, the vast majority of councils (85%) said IT was still run and managed in-house. As skills shortages begin to bite and austerity measures continue to take their toll, local authorities should therefore consider managed service providers (MSPs) as a potential third way. The MSP would take care of all their IT infrastructure and ensure software is always patched, up-to-date and configured correctly, minimising security risk, admin overheads and capital expenditure.

It won’t be right for every council, and choosing an MSP should demand a serious investment of time conducting due diligence and clarifying SLAs. But this could become an increasingly attractive option for local authorities assailed on one side by hackers and on the other by the relentless cost-cutting of central government.

Phil Muncaster

Phil is an internationally known technology writer, having regularly written for The Register, InfoSecurity and IT Week on the subject of technology, IT and security.